kubeflow · google-oss-prow · Feb 5, 2026 · Feb 5, 2026 · Feb 5, 2026 · Feb 5, 2026
diff --git a/.github/workflows/trivy-cve-scan.yaml b/.github/workflows/trivy-cve-scan.yaml
@@ -0,0 +1,91 @@
+name: Trivy Vulnerability Scan
+
+on:
+  schedule:
+    - cron: '0 2 * * *'
+  workflow_dispatch:
+
+jobs:
+  trivy-remediate:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          enable-cache: true
+
+      - name: Run Trivy FS Scan
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          scan-type: 'fs'
+          format: 'json'
+          output: 'trivy-results.json'
+          severity: 'HIGH,CRITICAL'
+          ignore-unfixed: true
+
+      - name: Process CVEs and Apply Fixes
+        id: fixer
+        run: |
+          # 1. Parse JSON for packages with CVSS >= 7.0
+          # We extract PkgName, FixedVersion, and PrimaryURL
+          # We dedupe by PkgName+FixedVersion so uv only runs once per package
+          FIX_DATA=$(jq -r '.Results[].Vulnerabilities[]? |
+            select(
+              ((.CVSS.nvd.V3Score // 0) >= 7.0 or (.CVSS.redhat.V3Score >= 7.0 // 0))
+              and .FixedVersion != null
+            ) |
+            "\(.PkgName)==\(.FixedVersion) | \(.PrimaryURL)"' trivy-results.json | sort -u)
+
+          if [ -z "$FIX_DATA" ]; then
+            echo "No high-risk fixable vulnerabilities found tonight."
+            echo "updates_found=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          echo "updates_found=true" >> $GITHUB_OUTPUT
+
+          # Prepare the list for the PR body (Package + Link)
+          echo "fix_details<<EOF" >> $GITHUB_OUTPUT
+          echo "$FIX_DATA" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+
+          # 3. Use uv to update the lockfile
+          # We extract just the "Package==Version" part for the command
+          echo "$FIX_DATA" | while read -r line; do
+            TARGET=$(echo "$line" | cut -d'|' -f1 | xargs)
+            echo "Applying fix: uv lock --upgrade-package $TARGET"
+            uv lock --upgrade-package "$TARGET"
+          done
+
+      - name: Create Pull Request
+        if: steps.fixer.outputs.updates_found == 'true'
+        uses: peter-evans/create-pull-request@v6
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: "fix: nightly automated dependency update (CVSS 7.0+)"
+          title: "fix: nightly security dependency updates"
+          body: |
+            ## Security Update
+            This is an automated PR triggered by the nightly Trivy security scan.
+
+            The following dependencies were updated to resolve vulnerabilities with a **CVSS score of 7.0 or higher**:
+
+            | Package & Version | Advisory Link |
+            | :--- | :--- |
+            ${{ steps.fixer.outputs.fix_details }}
+
+            *(Note: Items above are formatted as `Package==Version | URL`)*
+
+            **Verification:** Updated via `uv lock --upgrade-package`. Please review the diff and ensure PR checks pass before merging.
+          branch: security-nightly-updates-${{ github.run_id }}
+          delete-branch: true
+          labels: |
+            security
+            automated-fix