Skip to content

Add Trivy image vulnerability scanning to CI pipeline#8

Merged
Mirz-Ka merged 2 commits into
mainfrom
feature/add-trivy-scan
May 7, 2026
Merged

Add Trivy image vulnerability scanning to CI pipeline#8
Mirz-Ka merged 2 commits into
mainfrom
feature/add-trivy-scan

Conversation

@Mirz-Ka

@Mirz-Ka Mirz-Ka commented May 7, 2026

Copy link
Copy Markdown
Contributor

What this does

Adds Trivy vulnerability scanning to both PR and build CI workflows.

Trivy scan mode — currently informational in all workflows

Both the PR scan and the post-build scan run with exit-code 0 (informational). Findings are reported in the job log but the pipeline is not blocked. This is intentional while the team works through any existing CVEs.

To make scans blocking: change exit-code from 0 to 1 in the relevant workflow file (pr_trivy.yaml, build_io.yaml, build_beta.yaml, or all three).

Changes

New: pr_trivy.yaml - runs on every PR to main or beta-*

  • Builds the image locally (no push, no registry login needed)
  • Scans with Trivy (informational, CRITICAL/HIGH fixable CVEs)
  • Gives developers visibility into CVEs before merging
  • Runs alongside existing pr_lint.yaml check

Updated: build_io.yaml and build_beta.yaml - runs after merge on push

  • Build and push step split into: Build image / Scan with Trivy / Push image
  • Slash sanitization added to tag generation for branch names containing slashes
  • Serves as a post-merge safety net

New: dependabot.yml - weekly Dependabot PRs for GitHub Actions version updates

All workflows: trivy-action pinned to v0.36.0 (not @master) with DB caching enabled

Merge steps

  1. Review and approve this PR
  2. Merge into main
  3. Beta deployments pick up the change on next push to any beta-* branch
  4. When ready to enforce as a gate: change exit-code from 0 to 1

Mickey Rourke added 2 commits May 5, 2026 22:31
- Add pr_trivy.yaml: triggers on PR to main/beta-*, informational scan (exit-code: 0)
- Pin trivy-action from @master to @v0.36.0 in all workflows
- Enable Trivy DB caching (cache: true) in all workflows
- Remove workflow_dispatch trigger added during testing
- Add dependabot.yml covering github-actions ecosystem weekly

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds Trivy container image vulnerability scanning to CI so developers and post-merge builds can surface HIGH/CRITICAL (fixable) CVEs without blocking pipelines yet.

Changes:

  • Added a new PR workflow to build the Docker image locally and run an informational Trivy scan.
  • Updated IO and beta build workflows to split build/push into build → Trivy scan → push, and sanitized branch names containing / for tag generation.
  • Added a Dependabot configuration to update GitHub Actions weekly.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File Description
.github/workflows/pr_trivy.yaml New PR-time image build + informational Trivy scan for early CVE visibility.
.github/workflows/build_io.yaml Builds image, scans with Trivy, then pushes; also sanitizes / in branch-derived tags.
.github/workflows/build_beta.yaml Same as build_io for beta branches (build → scan → push) plus / tag sanitization.
.github/dependabot.yml Enables weekly Dependabot updates for GitHub Actions.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/build_io.yaml
Comment thread .github/workflows/build_beta.yaml

@rad-pat rad-pat left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't worry about the licence checker, something for us to fix

@Mirz-Ka Mirz-Ka merged commit 63fe2c2 into main May 7, 2026
5 of 6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants