Trivy Vulnerability Scan #26
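---
# Nightly Trivy scan of the repository filesystem.
#
# Two scans run back to back:
#   1. JSON, fixable findings only, feeds the auto-fix step below.
#   2. SARIF, fixed and unfixed findings, uploaded to the Security tab.
# Fixable findings with a CVSS v3 score >= 7.0 (NVD or Red Hat) are upgraded
# with uv and, if the upgrade is blocked by parent constraints, hard-pinned via
# a pyproject.toml override; the result is opened as a pull request.
name: Trivy Vulnerability Scan

# `on` is a YAML 1.1 boolean for generic parsers; GitHub's loader handles it.
# yamllint disable-line rule:truthy
on:
  schedule:
    # Daily at 02:00 UTC.
    - cron: '0 2 * * *'
  workflow_dispatch:

jobs:
  trivy-remediate:
    runs-on: ubuntu-latest
    # Write scopes required by the steps below: contents + pull-requests for
    # create-pull-request, security-events for upload-sarif.
    permissions:
      contents: write
      pull-requests: write
      security-events: write

    steps:
      # NOTE(review): every action here is referenced by a mutable tag. Pinning
      # each `uses:` to a full commit SHA (`owner/repo@<commit-sha>  # vN`)
      # removes the tag-retarget supply-chain risk; the SHAs are deliberately
      # not guessed here.
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Install uv
        uses: astral-sh/setup-uv@v7
        with:
          enable-cache: true

      - name: Run Trivy Scan (JSON for Auto-Fix - Fixable only)
        uses: aquasecurity/trivy-action@0.34.0
        with:
          scan-type: 'fs'
          format: 'json'
          output: 'trivy-results.json'
          severity: 'HIGH,CRITICAL'
          # Only findings with a known FixedVersion are useful to the fixer.
          ignore-unfixed: true

      - name: Run Trivy Scan (SARIF for Security Tab - Includes UNFIXED)
        uses: aquasecurity/trivy-action@0.34.0
        with:
          scan-type: 'fs'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'HIGH,CRITICAL'
          # Unfixed findings are still surfaced for visibility.
          ignore-unfixed: false

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-results.sarif'
          category: kubeflow-sdk-trivy-scanner

      - name: Process CVEs and Apply Fixes
        id: fixer
        # Explicit bash so GitHub runs the script with `-eo pipefail`.
        shell: bash
        run: |
          # Select packages with CVSS v3 >= 7.0 (NVD or Red Hat) and a fix.
          # A finding with no V3Score from either source defaults to 0 and is
          # dropped here, even though the scan itself was HIGH,CRITICAL only.
          # One output line per finding, format fixed by the jq template:
          #   <PkgName>==<FixedVersion> | <PrimaryURL>
          FIX_DATA=$(jq -r '.Results[].Vulnerabilities[]? |
            select(
              ((.CVSS.nvd.V3Score // 0) >= 7.0 or (.CVSS.redhat.V3Score // 0) >= 7.0)
              and .FixedVersion != null
            ) |
            "\(.PkgName)==\(.FixedVersion) | \(.PrimaryURL)"' trivy-results.json | sort -u)

          if [ -z "$FIX_DATA" ]; then
            echo "No high-risk fixable vulnerabilities found tonight."
            echo "updates_found=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi

          echo "updates_found=true" >> "$GITHUB_OUTPUT"

          # Random heredoc delimiter (GitHub's multiline-output guidance): a
          # scanner-supplied line equal to a fixed "EOF" could otherwise close
          # the block early and push the remaining lines into other outputs.
          DELIM="fix_details_$(openssl rand -hex 8)"
          {
            echo "fix_details<<${DELIM}"
            echo "$FIX_DATA"
            echo "${DELIM}"
          } >> "$GITHUB_OUTPUT"

          # Same date for every override written in this run.
          CURRENT_DATE=$(date +%Y-%m-%d)

          # Apply fixes with "Natural Upgrade then Hard Pin" logic.
          # The loop reads on fd 3 so that uv/python invoked in the body cannot
          # swallow the remaining lines from stdin.
          while IFS= read -r line <&3; do
            # Split on the literal " | " and "==" separators emitted by jq.
            TARGET="${line%% | *}"
            ADVISORY_URL="${line#* | }"
            PACKAGE="${TARGET%%==*}"
            VERSION="${TARGET##*==}"

            # NOTE(review): Trivy may emit a comma-separated FixedVersion when
            # several release branches carry a fix; such a TARGET would not be
            # a valid requirement specifier for uv. Confirm how that case should
            # be handled (first entry? skip?) before relying on it.
            echo "Attempting natural upgrade for: $TARGET"
            uv lock --upgrade-package "$TARGET"

            # Verify whether the upgrade actually landed in the lockfile.
            # The helper extracts the full version (pre/post/dev segments too).
            # `|| true` keeps a missing package from aborting the step under
            # pipefail; the empty result is handled by the skip just below.
            CURRENT_VER=$(uv tree --package "$PACKAGE" | uv run python3 .github/scripts/extract_version.py "$PACKAGE" || true)
            if [ -z "$CURRENT_VER" ]; then
              echo "Warning: Could not determine current version for $PACKAGE. Skipping..."
              continue
            fi

            # PEP 440 comparison via packaging.version in the helper script.
            # Presumably exits 0 when CURRENT_VER is still below VERSION —
            # confirm against .github/scripts/compare_versions.py.
            if uv run python3 .github/scripts/compare_versions.py "$CURRENT_VER" "$VERSION"; then
              echo "Natural upgrade blocked by parents (current: $CURRENT_VER, target: $VERSION). Adding Hard Pin to pyproject.toml overrides..."
              # Extract existing override-dependencies, add/update package, rewrite entire section
              uv run python3 .github/scripts/update_overrides.py "$PACKAGE" "$TARGET" "$CURRENT_DATE" "$ADVISORY_URL"
              uv lock
            else
              echo "Natural upgrade successful for $PACKAGE. pyproject.toml remains clean."
            fi
          done 3<<< "$FIX_DATA"

      - name: Create Pull Request
        if: steps.fixer.outputs.updates_found == 'true'
        uses: peter-evans/create-pull-request@v8
        with:
          # NOTE(review): PRs opened with GITHUB_TOKEN do not trigger other
          # workflows (e.g. CI on the PR); a GitHub App or PAT token is needed
          # if the security PR must be validated by CI before merge.
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: "fix: nightly automated dependency update (CVSS 7.0+)"
          title: "fix: nightly security dependency updates"
          add-paths: |
            uv.lock
            pyproject.toml
          # fix_details is scanner-derived text rendered as Markdown table rows;
          # it is never executed, only displayed.
          body: |
            ## Security Update
            This is an automated PR triggered by the nightly Trivy security scan.
            The following dependencies were updated to resolve vulnerabilities with a **CVSS score of 7.0 or higher**:
            | Package & Version | Advisory Link |
            | :--- | :--- |
            ${{ steps.fixer.outputs.fix_details }}
            **Verification:** Updated via `uv lock --upgrade-package`.
          branch: security-nightly-updates
          delete-branch: true
          labels: |
            "area/security"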