Add Trivy vulnerability scanning workflow #56
Walkthrough
A new GitHub Actions workflow file is introduced to automate security scanning. The workflow, named "trivy," executes on pushes to the main branch, pull requests targeting main, and on a scheduled cron. It performs the following steps: checks out the repository code, builds a Docker image using the repository's Dockerfile, runs the Trivy vulnerability scanner on the built image with SARIF output formatted for GitHub, filters results to CRITICAL and HIGH severities, and uploads the SARIF report to GitHub's Security tab using the CodeQL upload action. Appropriate workflow permissions are configured for the job.
Estimated code review effort: 2 (Simple), ~10 minutes
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/trivy.yml (1)
46-46: Consider pinning the CodeQL action to a specific commit for consistency.
The CodeQL upload action uses a floating v3 tag, while the Trivy action is pinned to a specific commit. For better supply-chain security and reproducibility, consider pinning the CodeQL action to a specific commit as well.
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@4355270c2f9846dca18e85b5f6653c0a1cb02e5c
To find the latest commit SHA for a given version tag, you can check the GitHub repository or use the GitHub CLI.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
.github/workflows/trivy.yml(1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: build
- GitHub Check: Build
🔇 Additional comments (1)
.github/workflows/trivy.yml (1)
37-37: Trivy action commit SHA is valid.
The commit 7b7aa264d83dc58691451798b4d117d53d21edfe exists in the official aquasecurity/trivy-action repository. It was authored by simar7 on 2022-06-22 with the message "feat(SBOM): Support SBOM generation (#129)". The pinned commit is authentic and verified.
| - name: Build an image from Dockerfile | ||
| run: | | ||
| docker build -t docker.io/my-organization/my-app:${{ github.sha }} . |
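Review bot: the tag docker.io/my-organization/my-app in this docker build line is the starter template's placeholder, not this repository's image, and the same string has to be repeated in the Trivy image-ref input (line 39) or the scanner will look for an image that was never built. Defining the reference once as an env value such as REGISTRY_IMAGE and tagging with `docker build -t ${{ env.REGISTRY_IMAGE }}:${{ github.sha }} .` keeps the build and scan steps in sync.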
Replace placeholder values with actual Docker image references.
The workflow contains hardcoded placeholder values (docker.io/my-organization/my-app) that must be replaced with actual values or made configurable. This prevents the workflow from functioning correctly.
Apply one of these solutions:
Option 1: Replace with actual image reference
- docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+ docker build -t ghcr.io/appwrite/docker-base:${{ github.sha }} .
- image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+ image-ref: 'ghcr.io/appwrite/docker-base:${{ github.sha }}'
Option 2: Use environment variables or job parameters for flexibility
- docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+ docker build -t ${{ env.REGISTRY_IMAGE }}:${{ github.sha }} .
Then add to the workflow:
env:
  REGISTRY_IMAGE: ghcr.io/appwrite/docker-base
Also applies to: 39-39
🤖 Prompt for AI Agents
.github/workflows/trivy.yml around lines 34 and 39: the workflow currently
hardcodes a placeholder Docker image name (docker.io/my-organization/my-app)
which prevents correct publishing; replace the placeholder with a real image
reference or make it configurable by introducing an environment variable or job
input (for example add env: REGISTRY_IMAGE with a real image like
ghcr.io/your-org/your-repo or set it from a secret/parameter) and then use that
variable in the docker build/push steps so both occurrences (line 34 and line
39) reference the configurable REGISTRY_IMAGE instead of the hardcoded
placeholder.
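The full workflow as it would look with both review points applied (the configurable REGISTRY_IMAGE from Option 2 and the CodeQL action pinned to the commit the nitpick suggests). This is an added example, not the file from this PR; the cron expression, the ubuntu-latest runner and the scanner inputs (format, template, output, severity, which follow the Trivy starter template) are assumptions.

```yaml
name: trivy

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: '30 6 * * 1'   # assumed weekly schedule; the PR's cron is not shown

permissions:
  contents: read

env:
  # Option 2 from the review: one image reference shared by the build and scan steps
  REGISTRY_IMAGE: ghcr.io/appwrite/docker-base

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest          # assumed runner label
    permissions:
      contents: read
      security-events: write        # required to upload SARIF to the Security tab
      actions: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4   # pin to a commit SHA as well before merging

      - name: Build an image from Dockerfile
        run: |
          docker build -t ${{ env.REGISTRY_IMAGE }}:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner
        # commit pinned in the PR; the review verified it as "feat(SBOM): Support SBOM generation (#129)"
        uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
        with:
          image-ref: '${{ env.REGISTRY_IMAGE }}:${{ github.sha }}'   # same tag as the build step
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'

      - name: Upload Trivy scan results to GitHub Security tab
        # commit SHA suggested in the review in place of the floating v3 tag
        uses: github/codeql-action/upload-sarif@4355270c2f9846dca18e85b5f6653c0a1cb02e5c
        with:
          sarif_file: 'trivy-results.sarif'
```

The image is only tagged locally, never pushed, so the registry prefix matters only for keeping the build tag and image-ref identical.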
@stnguyen90 Let's address
Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
What does this PR do?
Install the standard Trivy GitHub workflow template so that Trivy scans our Docker image for vulnerabilities regularly.
Test Plan
None
Related PRs and Issues
None
Have you read the Contributing Guidelines on issues?
Yes