Add Trivy image vulnerability scanning to CI pipeline#8
Merged
Conversation
added 2 commits
May 5, 2026 22:31
- Add pr_trivy.yaml: triggers on PR to main/beta-*, informational scan (exit-code: 0) - Pin trivy-action from @master to @v0.36.0 in all workflows - Enable Trivy DB caching (cache: true) in all workflows - Remove workflow_dispatch trigger added during testing - Add dependabot.yml covering github-actions ecosystem weekly
There was a problem hiding this comment.
Pull request overview
Adds Trivy container image vulnerability scanning to CI so developers and post-merge builds can surface HIGH/CRITICAL (fixable) CVEs without blocking pipelines yet.
Changes:
- Added a new PR workflow to build the Docker image locally and run an informational Trivy scan.
- Updated IO and beta build workflows to split build/push into build → Trivy scan → push, and sanitized branch names containing
/for tag generation. - Added a Dependabot configuration to update GitHub Actions weekly.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/pr_trivy.yaml | New PR-time image build + informational Trivy scan for early CVE visibility. |
| .github/workflows/build_io.yaml | Builds image, scans with Trivy, then pushes; also sanitizes / in branch-derived tags. |
| .github/workflows/build_beta.yaml | Same as build_io for beta branches (build → scan → push) plus / tag sanitization. |
| .github/dependabot.yml | Enables weekly Dependabot updates for GitHub Actions. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
rad-pat
approved these changes
May 7, 2026
rad-pat
left a comment
Member
There was a problem hiding this comment.
Don't worry about the licence checker, something for us to fix
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this does
Adds Trivy vulnerability scanning to both PR and build CI workflows.
Trivy scan mode — currently informational in all workflows
Both the PR scan and the post-build scan run with exit-code 0 (informational). Findings are reported in the job log but the pipeline is not blocked. This is intentional while the team works through any existing CVEs.
To make scans blocking: change exit-code from 0 to 1 in the relevant workflow file (pr_trivy.yaml, build_io.yaml, build_beta.yaml, or all three).
Changes
New: pr_trivy.yaml - runs on every PR to main or beta-*
Updated: build_io.yaml and build_beta.yaml - runs after merge on push
New: dependabot.yml - weekly Dependabot PRs for GitHub Actions version updates
All workflows: trivy-action pinned to v0.36.0 (not @master) with DB caching enabled
Merge steps