
Conversation

@ykaiboussiSO
Contributor

@ykaiboussiSO ykaiboussiSO commented Nov 13, 2025

Closes: BED-6789

Description

Run vulnerability analysis using Trivy scanner

Motivation and Context

How Has This Been Tested?

Verification via pipeline

Screenshots (if appropriate):

Types of changes

  • Chore (a change that does not modify the application functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • Documentation updates are needed, and have been made accordingly.
  • I have added and/or updated tests to cover my changes.
  • All new and existing tests passed.
  • My changes include a database migration.

Summary by CodeRabbit

  • Chores
    • Added automated vulnerability scanning to CI for pull requests on versioned branches. Scans focus on CRITICAL and HIGH issues, surface findings, and fail the check to block risky changes. Environment settings support standard and language-specific vulnerability databases.

@coderabbitai

coderabbitai bot commented Nov 13, 2025

Walkthrough

Adds a new GitHub Actions workflow vuln-scan.yml that triggers on pull requests with branches matching the pattern *.* for opened and synchronize events, runs Trivy in repo mode at the repository root, and filters findings to CRITICAL and HIGH severities.

Changes

Cohort / File(s): Summary
  • Vulnerability Scanning Workflow (/.github/workflows/vuln-scan.yml): New workflow file. Trigger: pull_request events opened and synchronize for branches matching *.*. Job runs on ubuntu-latest, checks out repository, runs aquasecurity/trivy-action in repo mode at ./, filters CRITICAL and HIGH severities, uses exit-code: 1, ignores unfixed vulnerabilities, and sets Trivy DB environment variables (standard and Java DB).

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Dev as Developer
  participant GH as GitHub
  participant Runner as Actions Runner
  participant Repo as Repository
  participant Trivy as Trivy Action

  Dev->>GH: Open or synchronize PR to branch matching "*.*"
  GH->>Runner: Trigger "Vulnerability Scan" workflow
  Runner->>Repo: actions/checkout
  Runner->>Trivy: Run aquasecurity/trivy-action (mode: repo, path: ./)
  Trivy->>Trivy: Scan repository (filter: CRITICAL, HIGH)
  alt Vulnerabilities found (CRITICAL/HIGH)
    Trivy-->>Runner: exit-code 1 (fail)
    Runner-->>GH: Report failed check
  else No matching vulnerabilities
    Trivy-->>Runner: exit-code 0 (pass)
    Runner-->>GH: Report successful check
  end
  Note over Trivy: Env vars set for Trivy DB and Java DB repositories

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Check trigger branch pattern *.* and PR event types.
  • Confirm Trivy action inputs (mode, path, severities, exit-code, ignore-unfixed).
  • Verify Trivy DB environment variable names and values.

Poem

🐇 I hop through PRs with a careful glance,
Trivy and I begin the vuln-scan dance,
High and Critical I gently flag,
A carrot for safety, a tiny victory wag. 🥕🔎

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Title check: ✅ Passed. The title 'chores: Add Trivy Scanner GH Workflow' directly and concisely describes the main change—adding a GitHub Actions workflow for vulnerability scanning with Trivy.
  • Description check: ✅ Passed. The description includes key sections: issue reference (BED-6789), clear description, motivation context, testing verification, and proper type classification. However, the 'Motivation and Context' section is left with template comments and lacks substantive explanation of why this workflow is needed.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 652a6a6 and 54fe4cf.

📒 Files selected for processing (1)
  • .github/workflows/vuln-scan.yml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/vuln-scan.yml


@ykaiboussiSO ykaiboussiSO self-assigned this Nov 13, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dc420a6 and fa6ea8a.

📒 Files selected for processing (1)
  • .github/workflows/vuln-scan.yml (1 hunks)
🔇 Additional comments (1)
.github/workflows/vuln-scan.yml (1)

1-30: Well-structured vulnerability scanning workflow.

The workflow configuration is sound: it triggers on PRs to appropriate branches (main and stage/*) for opened/synchronized events, uses a modern checkout action, and configures Trivy with reasonable security gates (CRITICAL and HIGH severities, exit on findings, ignore unfixed vulnerabilities). The dual database repository setup provides good resilience.
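The workflow that the walkthrough above and this review describe, reconstructed here as an added example rather than the PR's own vuln-scan.yml. The inputs use trivy-action's scan-type/scan-ref naming; the action pin, the DB mirror values and the permissions block are assumptions not stated on the page.

```yaml
name: Vulnerability Scan

on:
  pull_request:
    types: [opened, synchronize]
    branches:
      - '*.*'   # versioned base branches such as 2.X; quoted because * starts a YAML alias

# Least-privilege token: the scan only needs to read the checkout.
# (Assumed hardening; the PR description does not mention a permissions block.)
permissions:
  contents: read

jobs:
  trivy:
    runs-on: ubuntu-latest
    env:
      # Explicit DB mirrors so a rate-limited default registry cannot silently break the gate.
      # Values are assumptions; the page only says standard and Java DB variables are set.
      TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
      TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
    steps:
      - uses: actions/checkout@v4

      - name: Run Trivy in repo mode
        # Pin to a release tag or commit SHA; a floating ref lets the scanner change under you.
        uses: aquasecurity/trivy-action@<pinned-tag-or-commit-sha>
        with:
          scan-type: repo
          scan-ref: .
          severity: CRITICAL,HIGH
          ignore-unfixed: true   # report only findings a dependency bump can actually fix
          exit-code: '1'         # non-zero on any CRITICAL/HIGH match, so the PR check fails
```

The branches filter on pull_request matches the PR's base branch, so this gate fires for merges into 2.X but not for PRs targeting a branch without a dot in its name.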


@zinic zinic left a comment


lgtm

@ykaiboussiSO ykaiboussiSO merged commit 094ead7 into 2.X Nov 14, 2025
3 checks passed
@ykaiboussiSO ykaiboussiSO deleted the BED-6789 branch November 14, 2025 15:45
@github-actions github-actions bot locked and limited conversation to collaborators Nov 14, 2025