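---
# Nightly Trivy scan of the repository filesystem.
#   * JSON scan (fixable HIGH/CRITICAL only) feeds an auto-remediation step that
#     bumps the affected packages with `uv lock --upgrade-package` and opens a PR.
#   * SARIF scan (including unfixed findings) is uploaded to the GitHub Security tab
#     so unfixable issues stay visible even though no PR is opened for them.
name: Trivy Vulnerability Scan

on:  # yamllint disable-line rule:truthy
  schedule:
    - cron: '0 2 * * *'
  workflow_dispatch:

jobs:
  trivy-remediate:
    runs-on: ubuntu-latest
    # contents/pull-requests: write are required by create-pull-request to push the
    # fix branch and open the PR; security-events: write by upload-sarif.
    permissions:
      contents: write
      pull-requests: write
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install uv
        uses: astral-sh/setup-uv@v5
        with:
          enable-cache: true

      # NOTE(review): the third-party actions below are referenced by mutable
      # tags while this job holds write permissions. Pinning each `uses:` to a
      # full commit SHA (`owner/repo@<commit-sha>  # vX.Y.Z`) keeps a re-tagged
      # release from silently changing what runs here.
      - name: Run Trivy Scan (JSON for Auto-Fix - Fixable only)
        uses: aquasecurity/trivy-action@0.33.1
        with:
          scan-type: 'fs'
          format: 'json'
          output: 'trivy-results.json'
          severity: 'HIGH,CRITICAL'
          ignore-unfixed: true

      - name: Run Trivy Scan (SARIF for Security Tab - Includes UNFIXED)
        uses: aquasecurity/trivy-action@0.33.1
        with:
          scan-type: 'fs'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'HIGH,CRITICAL'
          ignore-unfixed: false

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-results.sarif'
          category: kubeflow-sdk-trivy-scanner

      - name: Process CVEs and Apply Fixes
        id: fixer
        # Explicit bash so the step runs with `-e -o pipefail`: a failing jq or
        # uv invocation fails the step instead of producing an empty/partial PR.
        shell: bash
        run: |
          # Parse JSON for packages with CVSS >= 7.0 (NVD or RedHat).
          # `.Results[]?` tolerates a report with no Results (clean scan) instead
          # of aborting on "Cannot iterate over null".
          FIX_DATA=$(jq -r '.Results[]?.Vulnerabilities[]? |
            select(
              ((.CVSS.nvd.V3Score // 0) >= 7.0 or (.CVSS.redhat.V3Score // 0) >= 7.0)
              and .FixedVersion != null
            ) |
            "\(.PkgName)==\(.FixedVersion) | \(.PrimaryURL)"' trivy-results.json | sort -u)
          if [ -z "$FIX_DATA" ]; then
            echo "No high-risk fixable vulnerabilities found tonight."
            echo "updates_found=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          echo "updates_found=true" >> "$GITHUB_OUTPUT"
          # Multi-line output (one "pkg==version | url" row per line) for the PR body.
          echo "fix_details<<EOF" >> "$GITHUB_OUTPUT"
          echo "$FIX_DATA" >> "$GITHUB_OUTPUT"
          echo "EOF" >> "$GITHUB_OUTPUT"
          # Apply fixes via uv. Only the "pkg==version" part before the '|' is used.
          # NOTE(review): this assumes every finding is a Python package managed by
          # uv and that FixedVersion is a single version string; an `fs` scan can
          # also report other ecosystems, and Trivy may emit comma-separated fixed
          # versions, either of which would make `uv lock` fail here — confirm
          # against a real report.
          echo "$FIX_DATA" | while read -r line; do
            TARGET=$(echo "$line" | cut -d'|' -f1 | xargs)
            echo "Applying fix: uv lock --upgrade-package $TARGET"
            uv lock --upgrade-package "$TARGET"
          done

      - name: Create Pull Request
        if: steps.fixer.outputs.updates_found == 'true'
        uses: peter-evans/create-pull-request@v6
        with:
          # PRs created with GITHUB_TOKEN do not trigger other workflows, so CI
          # will not run on the opened PR unless a GitHub App token or PAT is used.
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: "fix: nightly automated dependency update (CVSS 7.0+)"
          title: "fix: nightly security dependency updates"
          body: |
            ## Security Update

            This is an automated PR triggered by the nightly Trivy security scan.

            The following dependencies were updated to resolve vulnerabilities with a **CVSS score of 7.0 or higher**:

            | Package & Version | Advisory Link |
            | :--- | :--- |
            ${{ steps.fixer.outputs.fix_details }}

            **Verification:** Updated via `uv lock --upgrade-package`.
          branch: security-nightly-updates-${{ github.run_id }}
          delete-branch: true
          # Plain label name: quotes inside a block scalar would become part of the
          # label text that the action tries to apply.
          labels: area/security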