Skip to content

ci: add Trivy security scan workflow#369

Merged
jyao1 merged 1 commit intoccc-spdm-tools:mainfrom
sgrams:feat/trivy_scan
Apr 24, 2026
Merged

ci: add Trivy security scan workflow#369
jyao1 merged 1 commit intoccc-spdm-tools:mainfrom
sgrams:feat/trivy_scan

Conversation

@sgrams
Copy link
Copy Markdown
Contributor

@sgrams sgrams commented Apr 21, 2026
edited
Loading

Summary

Add a GitHub Actions workflow for Trivy security scanning with two parallel jobs:

  • Filesystem vulnerability scan — scans Cargo.lock and dependencies for known CVEs (CRITICAL, HIGH severity)
  • Config & IaC scan — checks GitHub Actions workflows and configuration files for misconfigurations (CRITICAL, HIGH, MEDIUM severity)

Refers to #368

Details

  • Results are uploaded as SARIF to the GitHub Security tab (Code scanning alerts), alongside existing CodeQL findings
  • External vendored code (external/) is excluded via skip-dirs
  • The pre-build.sh patch script runs before the fs scan so Cargo.lock is accurate
  • Triggers: push/PR to main + weekly cron (Monday 06:00 UTC)
  • All action references are pinned by SHA, consistent with the existing repo convention
  • Uses aquasecurity/trivy-action@v0.35.0 (latest, post-supply-chain-attack re-tag)

Complements existing security tooling

Tool Coverage
cargo-deny License, bans, advisories for Cargo deps
CodeQL Static analysis (Python)
Scorecard Supply-chain security posture
Dependabot Automated dependency updates
Trivy (new) CVE scanning + workflow/config misconfiguration detection

@sgrams sgrams requested review from jyao1, sameo and taprinz as code owners April 21, 2026 13:43
@github-advanced-security
Copy link
Copy Markdown

github-advanced-security AI commented Apr 21, 2026

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@sgrams @claude
ci: add Trivy security scan workflow
eba1f49 
Add GitHub Actions workflow for Trivy scanning with two jobs:
- Filesystem vulnerability scan (CRITICAL, HIGH) on Cargo dependencies
- Config/IaC misconfiguration scan (CRITICAL, HIGH, MEDIUM) on workflows

Results are uploaded as SARIF to GitHub Security tab. External vendored
code is excluded via skip-dirs. Runs on push/PR to main and weekly cron.

Co-authored-by: Claude Opus 4 (Anthropic) <noreply@anthropic.com>
Signed-off-by: Stanislaw Grams <stanislaw.grams@intel.com>
@jyao1 jyao1 closed this Apr 24, 2026
@jyao1 jyao1 reopened this Apr 24, 2026
@jyao1 jyao1 merged commit 5526f51 into ccc-spdm-tools:main Apr 24, 2026
108 of 109 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jyao1 jyao1 jyao1 approved these changes

@sameo sameo Awaiting requested review from sameo sameo is a code owner

@taprinz taprinz Awaiting requested review from taprinz taprinz is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sgrams @github-advanced-security @jyao1