Trivy Vulnerability Scan #71
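# Nightly Trivy scan of the repository filesystem.
#
# Two scans are run on purpose:
#   * a JSON scan limited to fixable HIGH/CRITICAL findings, which drives the
#     auto-fix step below;
#   * a SARIF scan that also includes unfixed findings, uploaded to the
#     GitHub Security tab so the full picture stays visible.
# Fixable findings are bumped with `uv lock --upgrade-package` and proposed
# in an automated pull request.
name: Trivy Vulnerability Scan

on:
  schedule:
    - cron: '0 2 * * *'  # nightly, 02:00 UTC
  workflow_dispatch:

jobs:
  trivy-remediate:
    runs-on: ubuntu-latest
    # contents + pull-requests: required by create-pull-request to push the
    # fix branch and open the PR.  security-events: required by upload-sarif.
    permissions:
      contents: write
      pull-requests: write
      security-events: write
    steps:
      # NOTE(review): every action below is pinned to a tag.  Pinning to a
      # full commit SHA is the stronger supply-chain control for a job that
      # holds `contents: write` — consider switching.
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install uv
        uses: astral-sh/setup-uv@v5
        with:
          enable-cache: true

      # Scan 1: JSON, fixable findings only.  Consumed by the "fixer" step.
      - name: Run Trivy Scan (JSON for Auto-Fix - Fixable only)
        uses: aquasecurity/trivy-action@0.35.0
        with:
          scan-type: 'fs'
          format: 'json'
          output: 'trivy-results.json'
          severity: 'HIGH,CRITICAL'
          ignore-unfixed: true
          github-pat: ${{ secrets.GITHUB_TOKEN }}

      # Scan 2: SARIF, including unfixed findings, for the Security tab.
      - name: Run Trivy Scan (SARIF for Security Tab - Includes UNFIXED)
        uses: aquasecurity/trivy-action@0.35.0
        with:
          scan-type: 'fs'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'HIGH,CRITICAL'
          ignore-unfixed: false
          github-pat: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-results.sarif'
          category: kubeflow-sdk-trivy-scanner

      # Outputs:
      #   updates_found  "true"/"false"
      #   fix_details    one "pkg==fixed_version | advisory_url" line per
      #                  package, used as rows of the PR body table
      - name: Process CVEs and Apply Fixes
        id: fixer
        # `shell: bash` makes GitHub invoke bash with `-eo pipefail`.  The
        # default shell only sets `-e`, so a jq failure (bad JSON, unexpected
        # schema) was previously masked by `sort -u` succeeding and reported
        # as "no vulnerabilities found".
        shell: bash
        run: |
          set -euo pipefail

          # Select packages with CVSS v3 >= 7.0 (NVD or Red Hat) that have a
          # fix.  `(.Results // [])` guards against Trivy omitting `Results`
          # on a clean scan, which would otherwise be a jq error.
          # The severity filter above and this score filter are independent:
          # a HIGH finding without a V3Score from either source is dropped here.
          FIX_DATA=$(jq -r '(.Results // [])[] | .Vulnerabilities[]? |
            select(
              ((.CVSS.nvd.V3Score // 0) >= 7.0 or (.CVSS.redhat.V3Score // 0) >= 7.0)
              and .FixedVersion != null and .FixedVersion != ""
            ) |
            "\(.PkgName)==\(.FixedVersion) | \(.PrimaryURL)"' trivy-results.json | sort -u)

          if [ -z "$FIX_DATA" ]; then
            echo "No high-risk fixable vulnerabilities found tonight."
            echo "updates_found=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi

          echo "updates_found=true" >> "$GITHUB_OUTPUT"
          # Multi-line output via heredoc syntax.
          echo "fix_details<<EOF" >> "$GITHUB_OUTPUT"
          echo "$FIX_DATA" >> "$GITHUB_OUTPUT"
          echo "EOF" >> "$GITHUB_OUTPUT"

          # Apply fixes via uv.  Any failing `uv lock` aborts the step (set -e
          # inside the loop's subshell + pipefail), so no PR is opened on a
          # partially applied fix set.
          # NOTE(review): Trivy can list several fixed versions for one
          # package (comma-separated, one per release branch); uv would reject
          # such a constraint — confirm whether that case occurs for this repo.
          echo "$FIX_DATA" | while read -r line; do
            TARGET=${line%% |*}   # strip " | <advisory url>"
            echo "Applying fix: uv lock --upgrade-package $TARGET"
            uv lock --upgrade-package "$TARGET"
          done

      # NOTE: pull requests opened with GITHUB_TOKEN do not trigger
      # `pull_request` workflows, so CI will not run on the fix branch by
      # itself; a maintainer needs to close/reopen or push to it, or the job
      # needs a GitHub App / PAT token instead.
      - name: Create Pull Request
        if: steps.fixer.outputs.updates_found == 'true'
        uses: peter-evans/create-pull-request@v6
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: "fix: nightly automated dependency update (CVSS 7.0+)"
          title: "fix: nightly security dependency updates"
          # The fix_details lines become table rows; GFM accepts rows without
          # leading/trailing pipes.  The blank line before "Verification"
          # terminates the table so that line is not parsed as another row.
          body: |
            ## Security Update
            This is an automated PR triggered by the nightly Trivy security scan.
            The following dependencies were updated to resolve vulnerabilities with a **CVSS score of 7.0 or higher**:

            | Package & Version | Advisory Link |
            | :--- | :--- |
            ${{ steps.fixer.outputs.fix_details }}

            **Verification:** Updated via `uv lock --upgrade-package`.
          branch: security-nightly-updates-${{ github.run_id }}
          delete-branch: true
          # Plain scalar: the previous block-scalar form passed the label
          # with its surrounding quote characters as part of the label name.
          labels: area/security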