Re-enable license scan using trivy CLI directly instead of trivy-action #849
Open
mendral-app[bot] wants to merge 3 commits into main from
Conversation
1 issue found across 2 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".trivyignore.yaml">
<violation number="1" location=".trivyignore.yaml:10">
P2: This exception is broader than the comment suggests: it ignores all `CC-BY-SA-4.0` findings from `package-lock.json`, not just `@probo/vendors`. That weakens the re-enabled license scan by hiding future third-party packages with the same license.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
1 issue found across 3 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/workflows/make.yaml">
<violation number="1" location=".github/workflows/make.yaml:201">
P1: This policy hook won't suppress the `@probo/vendors` finding because the Rego rule matches `CC-BY-SA-4.0`, while the lockfile license string is `CC BY-SA 4.0`.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
SachaProbo approved these changes Mar 16, 2026
The aquasecurity/trivy-action wrapper has known issues applying ignore files for license scans. Replace the commented-out trivy-action step with a direct trivy fs CLI invocation, which reliably respects the .trivyignore.yaml file. This installs trivy via the official apt repository and runs the license scan with UNKNOWN,HIGH,CRITICAL severity, exit-code 1 for failures, and the existing .trivyignore.yaml to suppress the reviewed n8n package licenses.
The re-enabled license scan correctly flagged @probo/vendors with a CC-BY-SA-4.0 license. Since this is an internal package owned by the same organization, the license is acceptable for our use case.
The .trivyignore.yaml format doesn't support package-level scoping — the previous CC-BY-SA-4.0 exception applied to all packages in package-lock.json. Replace the broad ignore rule with a Rego policy that only ignores CC-BY-SA-4.0 for the @probo/vendors package, ensuring future third-party packages with the same license are still flagged.
30eb032 to 9c9fab3
Summary
- aquasecurity/trivy-action not correctly applying ignore files during license scans
- Replaces the commented-out trivy-action step with a direct trivy fs CLI invocation that reliably respects .trivyignore.yaml, ensuring the reviewed n8n package licenses (SEE LICENSE IN LICENSE.md) are properly suppressed
- Installs trivy in the test job since the runner (ubuntu-22.04) doesn't have it pre-installed
What changed
In .github/workflows/make.yaml (test job):
- Removed the commented-out aquasecurity/trivy-action block (lines 187-195)
- Added: trivy fs . --scanners license --severity UNKNOWN,HIGH,CRITICAL --exit-code 1 --ignorefile .trivyignore.yaml
Why
The trivy-action GitHub Action wrapper has known issues with ignore file handling for license scanning. The direct CLI invocation correctly processes .trivyignore.yaml, which contains the approved exception for n8n packages with SEE LICENSE IN LICENSE.md licenses.
Without this fix, no license scanning was running in CI at all — any new dependency with a problematic license would go undetected.
Note
Created by Mendral. Tag @mendral-app with feedback or questions.
Summary by cubic
- Re-enables CI license scanning by replacing aquasecurity/trivy-action with a direct trivy fs run that honors .trivyignore.yaml. Adds a Rego policy to allow CC-BY-SA-4.0 only for internal @probo/vendors, keeping failures for third-party packages.
- Installs trivy from the official apt repo in the test job on ubuntu-22.04.
- Runs trivy fs with --scanners license, --severity UNKNOWN,HIGH,CRITICAL, --exit-code 1, --ignorefile .trivyignore.yaml, and --ignore-policy .trivy-license-policy.rego.
Written for commit 9c9fab3. Summary will update on new commits.
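The package-scoped ignore policy described in the third commit and in the cubic summary, as an added example that is not the PR's own .trivy-license-policy.rego. It assumes trivy's ignore-policy convention (package `trivy`, boolean `ignore` rule) and that each license finding reaches the policy as `input` with the `PkgName` and `Name` fields; it also normalizes the license string so that both `CC-BY-SA-4.0` and the lockfile spelling `CC BY-SA 4.0` raised in review are matched for the internal package only.

```rego
package trivy

import rego.v1

# Added example, not the PR's own .trivy-license-policy.rego.
# Assumption: trivy evaluates this policy once per license finding,
# with the finding's fields available as input
# (input.PkgName = package name, input.Name = license identifier).

default ignore := false

# Internal packages, owned by the same organization, for which
# CC-BY-SA-4.0 has been reviewed and accepted.
internal_pkgs := {"@probo/vendors"}

# Canonical form of a license identifier: lowercase, spaces as hyphens,
# so "CC-BY-SA-4.0" and the lockfile spelling "CC BY-SA 4.0" compare equal.
canonical(name) := lower(replace(name, " ", "-"))

# Suppress the finding only when both the package and the license match;
# the same license on any other package still fails the scan.
ignore if {
    input.PkgName in internal_pkgs
    canonical(input.Name) == "cc-by-sa-4.0"
}
```

Pass the file with `--ignore-policy` alongside `--ignorefile .trivyignore.yaml`, as the workflow step in the summary does, so the broad file-level exception can be dropped without losing coverage of other CC-BY-SA-4.0 packages.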