
PLTF-24 Image scan on latest tags#230

Merged: raymyers merged 18 commits into main from ray/image-scan-3 on Jan 29, 2026

Conversation

@raymyers (Contributor) commented Oct 28, 2025

This runs a Trivy scan on the current Docker images, publishing results to the GitHub security tab.

This partially meets the requirement of vulnerability scanning for SOC 2. Example findings:

https://github.com/All-Hands-AI/OpenHands-Cloud/security/code-scanning?query=pr%3A230+is%3Aopen

The images scanned:

  • runtime (soon to become agent-server)
  • runtime-api
  • enterprise-server

Helm Chart Checklist

  • I have updated the version field in Chart.yaml for each modified chart
  • I have tested the chart upgrade path from the previous version
  • I have verified backwards compatibility with existing values.yaml configurations
  • I have updated the chart's README.md if there are any breaking changes or new required values

Additional Notes

@github-advanced-security commented

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@neubig (Member) commented Dec 28, 2025

Hi @raymyers, this is still open but the underlying issue was closed. Are you still intending to merge this or shall we close it?

aivong-openhands and others added 3 commits January 16, 2026 17:27
Instead of hardcoding image tags in the scan-docker-images workflow,
extract them from the chart values files using yq. This ensures the
scanned images stay in sync with the chart definitions.

- Add discover_images job to extract tags from values.yaml files
- Use dynamic matrix from discovered images for scan job

Co-authored-by: openhands <openhands@all-hands.dev>
@raymyers (Contributor, Author) commented

OK, this now takes image tags from the chart. I think it's ready to merge.

[Screenshot 2026-01-24 at 9 57 46 PM]

@raymyers raymyers self-assigned this Jan 25, 2026
@raymyers raymyers changed the title Image scan on latest tags PLTF-24 Image scan on latest tags Jan 25, 2026
@raymyers (Contributor, Author) commented

Recording this flavor hack for posterity, as I took the comment out of the code. This was for the case of Ubuntu- vs Debian-based images. There may be a better way.

```yaml
- name: Customize SARIF with image flavor
  shell: bash
  run: |
    IMAGE_WITH_TAG="all-hands-ai/enterprise-server:pr-11114"
    IMAGE_WITHOUT_TAG="${IMAGE_WITH_TAG%%:*}"
    # Modify the tool name to include the image flavor so findings for
    # different base images are kept apart in the Security tab.
    # IMAGE_WITHOUT_TAG is a shell variable, not a workflow env var, so it is
    # read as "$IMAGE_WITHOUT_TAG" (the original "${{ env.IMAGE_WITHOUT_TAG }}"
    # would expand to an empty string).
    jq --arg flavor "$IMAGE_WITHOUT_TAG" \
      '.runs[0].tool.driver.name = "Trivy (" + $flavor + ")"' \
      trivy-results-raw.sarif > trivy-results.sarif
    echo "Modified tool name to: $(jq -r '.runs[0].tool.driver.name' trivy-results.sarif)"
```
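
The same rename as an added Python example (not code from this PR), so it runs without jq; it also handles the image-reference forms that the shell expansion `${IMAGE_WITH_TAG%%:*}` gets wrong (a registry host with a port, an `@sha256:` digest) and applies the rename to every run in the file rather than only `runs[0]`. The SARIF document and the image references are constructed samples, not the project's real scan output.

```python
import json

# Constructed sample SARIF, shaped like Trivy output; only the fields the
# rename touches are filled in.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [
        {"tool": {"driver": {"name": "Trivy", "rules": []}}, "results": []}
    ],
}


def image_flavor(image_ref: str) -> str:
    """Return the repository part of an image reference (no tag, no digest).

    The shell form ${IMAGE_WITH_TAG%%:*} cuts at the first colon, so
    "host:5000/repo:tag" would become "host". Here a colon only counts as a
    tag separator when it comes after the last "/"; a digest is dropped first.
    """
    ref = image_ref.split("@", 1)[0]  # drop "@sha256:..." if present
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > last_slash:  # colon in the final path component => tag
        ref = ref[:colon]
    return ref


def tag_sarif_with_flavor(sarif: dict, image_ref: str) -> dict:
    """Return a copy of `sarif` whose tool driver name carries the image flavor."""
    flavor = image_flavor(image_ref)
    out = json.loads(json.dumps(sarif))  # deep copy; leave the input untouched
    for run in out["runs"]:
        run["tool"]["driver"]["name"] = f"Trivy ({flavor})"
    return out


def tool_name(sarif: dict) -> str:
    """Read back the driver name, as the workflow's `jq -r` echo does."""
    return sarif["runs"][0]["tool"]["driver"]["name"]


if __name__ == "__main__":
    tagged = tag_sarif_with_flavor(SAMPLE_SARIF, "all-hands-ai/enterprise-server:pr-11114")
    print("Modified tool name to:", tool_name(tagged))
```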

@raymyers raymyers enabled auto-merge (squash) January 29, 2026 21:40
@aivong-openhands aivong-openhands self-requested a review January 29, 2026 21:53
@raymyers raymyers merged commit 33de4a6 into main Jan 29, 2026
5 checks passed
@raymyers raymyers deleted the ray/image-scan-3 branch January 29, 2026 21:56