Skip to content

ci: scan built Docker images with Trivy#624

Open
ThirdEyeSqueegee wants to merge 2 commits into
mainfrom
trivy
Open

ci: scan built Docker images with Trivy#624
ThirdEyeSqueegee wants to merge 2 commits into
mainfrom
trivy

Conversation

@ThirdEyeSqueegee

Copy link
Copy Markdown
Member

Description

Why is this change being made?

  1. To add Docker image CVE scanning

What is changing?

  1. Add a Trivy vulnerability scanner step to the Docker Image CI workflow. It scans the locally built test-build:latest- image (loaded by build-push-action) for CRITICAL/HIGH severity vulnerabilities. Runs in report-only mode (exit-code 0) so it surfaces findings in the logs without failing the build.

Related Links

  • Issue #, if available: N/A

Testing

How was this tested?

  1. N/A

When testing locally, provide testing artifact(s):

  1. N/A

Reviewee Checklist

Update the checklist after submitting the PR

  • I have reviewed, tested and understand all changes
    If not, why:
  • I have filled out the Description and Testing sections above
    If not, why:
  • Build and Unit tests are passing
    If not, why:
  • Unit test coverage check is passing
    If not, why:
  • Integration tests pass locally
    If not, why:
  • I have updated integration tests (if needed)
    If not, why:
  • I have ensured no sensitive information is leaking (i.e., no logging of sensitive fields, or otherwise)
    If not, why:
  • I have added explanatory comments for complex logic, new classes/methods and new tests
    If not, why:
  • I have updated README/documentation (if needed)
    If not, why:
  • I have clearly called out breaking changes (if any)
    If not, why:

Reviewer Checklist

All reviewers please ensure the following are true before reviewing:

  • Reviewee checklist has been accurately filled out
  • Code changes align with stated purpose in description
  • Test coverage adequately validates the changes

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Add a Trivy vulnerability scanner step to the Docker Image CI workflow.
It scans the locally built test-build:latest-<arch> image (loaded by
build-push-action) for CRITICAL/HIGH severity vulnerabilities. Runs in
report-only mode (exit-code 0) so it surfaces findings in the logs
without failing the build.
@ThirdEyeSqueegee ThirdEyeSqueegee requested a review from a team as a code owner June 1, 2026 01:35
@codecov

codecov Bot commented Jun 1, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 60.84%. Comparing base (a74182c) to head (cbac92e).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #624   +/-   ##
=======================================
  Coverage   60.84%   60.84%           
=======================================
  Files          11       11           
  Lines         710      710           
=======================================
  Hits          432      432           
  Misses        261      261           
  Partials       17       17           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@ThirdEyeSqueegee ThirdEyeSqueegee added the safe-to-test Pull Request has been manually reviewed and deemed to be safe to run integration tests on. label Jun 1, 2026

@ThirdEyeSqueegee ThirdEyeSqueegee left a comment

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note: the build workflow is stuck because the new trivy action isn't allowlisted

@github-actions github-actions Bot removed the safe-to-test Pull Request has been manually reviewed and deemed to be safe to run integration tests on. label Jun 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants