Skip to content

Create trivy workflow#74

Open
kevinfiol wants to merge 6 commits into
mainfrom
kf/trivy-workflow
Open

Create trivy workflow#74
kevinfiol wants to merge 6 commits into
mainfrom
kf/trivy-workflow

Conversation

@kevinfiol

@kevinfiol kevinfiol commented Jul 13, 2026

Copy link
Copy Markdown
Collaborator

Related Issue

#70

Adapted from refiner's workflow: https://github.com/CDCgov/dibbs-ecr-refiner/blob/main/.github/workflows/pr-security-scan.yml

Changes Proposed

  • Add .github/workflows/pr-security-scan.yml
  • Add .github/scripts/security-summary.js
  • Add .dockerignore for docker image builds
  • Workflow should only be run manually for now

Additional Information

Testing

  • You can see a test run here: https://github.com/CDCgov/dibbs-ecr-diff/actions/runs/29278499288

  • You can run locally with nektos/act as well with some caveats:

    • It may take a while the first run to clone all of the third-party actions
    • You'll need a Github Personal Access Token (scoped to read-only public repos).
    • The workflow does not upload any artifacts when running locally
    • Because the scan-summary depends on uploaded artifacts, and we cannot test uploading the JSON artifact locally yet, running this locally won't do anything

To run with act, you can use:

act pull_request -W .github/workflows/pr-security-scan.yml -j build-and-scan -s $GITHUB_TOKEN

Checklist for Primary Reviewer

  • Any large-scale changes have been deployed and smoke tested
  • Any content updates (user-facing error messages, etc) have been approved by content team
  • Any dependencies introduced have been vetted and discussed

@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown

🔒 Security Scan Results

✅ No vulnerabilities found!

📦 did-lambda

No vulnerabilities found


View detailed results: Security tab
Last updated: 2026-07-13 19:28:30 UTC

@@ -0,0 +1,220 @@
const fs = require("fs");

@kevinfiol kevinfiol Jul 13, 2026

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is mostly copied from refiner's security-summary.js, but with only functions relevant to the scope of this ticket of work (trivy workflow).

Comment on lines +96 to +100
const errors = imageResults.filter((result) => result.error);

if (errors.length) {
message += `### ⚠ Scan incomplete: failed to parse ${errors.length} Trivy result(s).\n\n`
}

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added this small change. If parseScanResults throws while trying to parse the trivy JSON, add this snippet to the PR comment so that JSON parsing failures are not silently ignored.

Comment on lines +201 to +205
if (isLocalActRun) {
// log the message
core.info(message);
return;
}

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this script is run locally, only log the message, as local act runs won't be making comments to any PRs.

- name: Build image locally (no push)
uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0
env:
DOCKER_BUILD_RECORD_UPLOAD: ${{ !env.ACT }}

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Disable uploading the build record when running locally with act.

Comment on lines +80 to +87
if: ${{ always() && !env.ACT }}
with:
sarif_file: "trivy-${{ matrix.image.name }}-results.sarif"
category: "pr-scan-${{ matrix.image.name }}"

- name: Upload JSON results as artifact
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
if: ${{ always() && !env.ACT }}

@kevinfiol kevinfiol Jul 13, 2026

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Trivy uploads also disabled when running the workflow locally with act (for now).

Once nektos/act is updated to support new fields set by actions/upload-artifact (nektos/act#6039), we should be able to remove the && !env.ACT for the Upload JSON step and run the scan-summary job using the --artifact-server-path flag to test this locally .

Comment on lines +134 to +139
// parse `SCAN_IMAGES_CSV` to array
// ex: 'did-lambda,did-api' -> ['did-lambda', 'did-api']
const images = (process.env.SCAN_IMAGES_CSV ?? '')
.split(',')
.map((x) => x.trim())
.filter(Boolean);

@kevinfiol kevinfiol Jul 13, 2026

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Parses the SCAN_IMAGES_CSV env variable set above for what images to build PR summaries for.

This was changed from the original refiner script because the refiner image names were hard-coded in security-summary.js.

@kevinfiol kevinfiol marked this pull request as ready for review July 13, 2026 19:43
@kevinfiol kevinfiol requested a review from a team as a code owner July 13, 2026 19:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants