chore: add trivy cve scan and fix workflow (#266)

Fiona-Waters · web-flow · commit 1fd18b275da3 · 2026-02-05T16:54:21.000Z
* chore: add trivy cve scan workflow

Signed-off-by: Fiona-Waters &lt;fiwaters6@gmail.com&gt;

* fix: add security label and report non fixable cves to github

Signed-off-by: Fiona-Waters &lt;fiwaters6@gmail.com&gt;

* fix: add category and remove unnecessary label

Signed-off-by: Fiona-Waters &lt;fiwaters6@gmail.com&gt;

---------

Signed-off-by: Fiona-Waters &lt;fiwaters6@gmail.com&gt;
diff --git a/.github/workflows/trivy-cve-scan.yaml b/.github/workflows/trivy-cve-scan.yaml
@@ -0,0 +1,99 @@
+name: Trivy Vulnerability Scan
+
+on:
+  schedule:
+    - cron: '0 2 * * *'
+  workflow_dispatch:
+
+jobs:
+  trivy-remediate:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      security-events: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          enable-cache: true
+
+      - name: Run Trivy Scan (JSON for Auto-Fix - Fixable only)
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          scan-type: 'fs'
+          format: 'json'
+          output: 'trivy-results.json'
+          severity: 'HIGH,CRITICAL'
+          ignore-unfixed: true
+
+      - name: Run Trivy Scan (SARIF for Security Tab - Includes UNFIXED)
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          scan-type: 'fs'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'HIGH,CRITICAL'
+          ignore-unfixed: false
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: 'trivy-results.sarif'
+          category: kubeflow-sdk-trivy-scanner
+      - name: Process CVEs and Apply Fixes
+        id: fixer
+        run: |
+          # Parse JSON for packages with CVSS >= 7.0 (NVD or RedHat)
+          FIX_DATA=$(jq -r '.Results[].Vulnerabilities[]? |
+            select(
+              ((.CVSS.nvd.V3Score // 0) >= 7.0 or (.CVSS.redhat.V3Score // 0) >= 7.0)
+              and .FixedVersion != null
+            ) |
+            "\(.PkgName)==\(.FixedVersion) | \(.PrimaryURL)"' trivy-results.json | sort -u)
+
+          if [ -z "$FIX_DATA" ]; then
+            echo "No high-risk fixable vulnerabilities found tonight."
+            echo "updates_found=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          echo "updates_found=true" >> $GITHUB_OUTPUT
+
+          echo "fix_details<<EOF" >> $GITHUB_OUTPUT
+          echo "$FIX_DATA" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+
+          # Apply fixes via uv
+          echo "$FIX_DATA" | while read -r line; do
+            TARGET=$(echo "$line" | cut -d'|' -f1 | xargs)
+            echo "Applying fix: uv lock --upgrade-package $TARGET"
+            uv lock --upgrade-package "$TARGET"
+          done
+
+      - name: Create Pull Request
+        if: steps.fixer.outputs.updates_found == 'true'
+        uses: peter-evans/create-pull-request@v6
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: "fix: nightly automated dependency update (CVSS 7.0+)"
+          title: "fix: nightly security dependency updates"
+          body: |
+            ## Security Update
+            This is an automated PR triggered by the nightly Trivy security scan.
+
+            The following dependencies were updated to resolve vulnerabilities with a **CVSS score of 7.0 or higher**:
+
+            | Package & Version | Advisory Link |
+            | :--- | :--- |
+            ${{ steps.fixer.outputs.fix_details }}
+
+            **Verification:** Updated via `uv lock --upgrade-package`.
+          branch: security-nightly-updates-${{ github.run_id }}
+          delete-branch: true
+          labels: |
+            "area/security"
