## Background

MCV already has a good CI/CD foundation with:
- ✅ PR validation (`mcv-build.yml`) - lint, build, test
- ✅ Container image builds (`mcv-build-image.yml`) - with cosign signing
- ✅ Release tagging (`mcv-tag.yml`) - semantic versioning
- ✅ Push to quay.io for main branch

However, there are opportunities to enhance the pipeline with security scanning, coverage reporting, multi-architecture builds, and performance tracking.
## Current State

Existing workflows:

```
.github/workflows/
├── mcv-build.yml                 # PR validation: lint + build + test
├── mcv-build-image.yml           # Container image build + sign + push
├── mcv-tag.yml                   # Release tagging (manual)
└── mcv-build-example-images.yml
```

What works well:
- Automated testing on PRs
- golangci-lint integration
- Image signing with cosign (OIDC)
- Protected main branch pushes
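One thing worth checking before adding more workflows is how the existing ones reference third-party actions: a `uses:` that points at a branch (`@master`, `@main`) re-resolves on every run, so whoever controls that branch controls what executes with the job's token. The script below is an added example, not MCV project code; it scans workflow files with a plain regex (no YAML parser dependency), classifies each reference as a commit SHA, a tag, a branch or a local/docker reference, and reports the mutable ones. `SAMPLE_WORKFLOW` and the SHA in it are constructed sample data.

```python
"""Audit GitHub Actions workflow files for mutable action references.

Added example (not part of the MCV project): flags `uses:` entries that
reference a branch (@master, @main, or no ref at all) instead of a full
commit SHA. Tags are reported only in strict mode, since a tag can also
be moved by the upstream maintainer.
"""
import re
import sys
from pathlib import Path

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
BRANCH_NAMES = {"master", "main", "develop", "latest"}

# Constructed sample mirroring the shape of the proposed mcv-security.yml;
# the 40-hex-digit SHA on the last line is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
# Constructed sample mirroring the shape of the proposed mcv-security.yml
jobs:
  gosec:
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-go@v6
      - name: Run gosec
        uses: securego/gosec@master
      - uses: aquasecurity/trivy-action@master
      - uses: ./.github/actions/local-helper
      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882  # constructed SHA
"""


def classify_ref(ref):
    """Return 'sha', 'tag', 'branch' or 'local' for one `uses:` value."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return "local"  # same-repo action or explicit image reference
    if "@" not in ref:
        return "branch"  # no ref at all resolves to the default branch
    _, version = ref.rsplit("@", 1)
    if SHA_RE.match(version):
        return "sha"
    if version in BRANCH_NAMES:
        return "branch"
    return "tag"


def audit_workflow(text, allow_tags=True):
    """Return (line_no, ref, kind) for each reference that is not pinned."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        kind = classify_ref(ref)
        if kind == "branch" or (kind == "tag" and not allow_tags):
            findings.append((line_no, ref, kind))
    return findings


def audit_directory(workflows_dir, allow_tags=True):
    """Audit every *.yml / *.yaml file under a workflows directory."""
    report = {}
    paths = sorted(Path(workflows_dir).glob("*.yml")) + sorted(Path(workflows_dir).glob("*.yaml"))
    for path in paths:
        findings = audit_workflow(path.read_text(encoding="utf-8"), allow_tags)
        if findings:
            report[path.name] = findings
    return report


if __name__ == "__main__":
    # Usage: python audit_actions.py [.github/workflows] [--strict]
    directory = next((a for a in sys.argv[1:] if not a.startswith("--")), ".github/workflows")
    report = audit_directory(directory, allow_tags="--strict" not in sys.argv)
    for name, findings in report.items():
        for line_no, ref, kind in findings:
            print(f"{name}:{line_no}: {ref} is pinned to a {kind}; pin it to a commit SHA")
    sys.exit(1 if report else 0)
```

Run it as a step in the PR validation job so a newly introduced `@master` reference fails the build; in the default mode only branch references fail, and `--strict` also rejects tags.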
## Proposed Enhancements

### 1. Security Scanning Workflow

Add `.github/workflows/mcv-security.yml`:
```yaml
name: MCV Security Scanning
on:
  push:
    branches: [main]
    paths: [mcv/**]
  pull_request:
    paths: [mcv/**]
  schedule:
    - cron: '0 0 * * 0'  # Weekly on Sunday
# Least-privilege token: uploading SARIF to the Security tab requires
# security-events: write; every other step only reads the checkout.
permissions:
  contents: read
  security-events: write
jobs:
  gosec:
    name: Go Security Scanner
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-go@v6
        with:
          go-version: '1.24'
      - name: Run gosec
        uses: securego/gosec@master
        with:
          args: '-fmt sarif -out gosec.sarif ./mcv/...'
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: gosec.sarif
  trivy-scan:
    name: Trivy Vulnerability Scanner
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - name: Run Trivy
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: './mcv'
          format: 'sarif'
          output: 'trivy-results.sarif'
      - name: Upload to Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@v5
      - uses: actions/dependency-review-action@v4
```

### 2. Coverage Reporting
Enhance `mcv-build.yml` with coverage:

```yaml
# Add to mcv-build.yml
- name: Run tests with coverage
  working-directory: mcv
  run: |
    go test -v -coverprofile=coverage.out -covermode=atomic ./...
    go tool cover -html=coverage.out -o coverage.html
- name: Upload coverage to Codecov
  uses: codecov/codecov-action@v4
  with:
    files: ./mcv/coverage.out
    flags: unittests
    name: mcv-coverage
    token: ${{ secrets.CODECOV_TOKEN }}
- name: Upload coverage artifact
  uses: actions/upload-artifact@v4
  with:
    name: coverage-report
    path: mcv/coverage.html
```

### 3. Multi-Architecture Builds

Update `mcv-build-image.yml` to build for amd64 and arm64:
```yaml
# Modify build-and-push-images job in mcv-build-image.yml
- name: Set up QEMU
  uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
  uses: docker/setup-buildx-action@v3
  with:
    platforms: linux/amd64,linux/arm64
- name: Build and push
  uses: docker/build-push-action@v6
  with:
    platforms: linux/amd64,linux/arm64  # Multi-arch
    push: ${{ github.event_name == 'push' && fromJSON(steps.set-push.outputs.push_flag) }}
    tags: ${{ steps.meta.outputs.tags }}
    labels: ${{ steps.meta.outputs.labels }}
    file: ${{ matrix.image.dockerfile }}
    context: ${{ matrix.image.context }}
    cache-from: type=gha
    cache-to: type=gha,mode=max
```

## Implementation Checklist
### Security & Quality
- [ ] Add `mcv-security.yml` workflow
  - [ ] gosec security scanner
  - [ ] trivy vulnerability scanner
  - [ ] Dependency review on PRs
  - [ ] Upload SARIF to GitHub Security tab
- [ ] Enhance `mcv-build.yml` with coverage
  - [ ] Generate coverage reports
  - [ ] Upload to Codecov
  - [ ] Set coverage threshold (e.g., 80%)
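The coverage steps above upload `coverage.out` but nothing in the job fails when coverage drops, so the threshold item needs its own gate. The script below is an added example, not MCV project code: it parses the cover profile that `go test -coverprofile=coverage.out -covermode=atomic` writes (one `<file>:<start>,<end> <statements> <count>` line per basic block, with repeated blocks' counts summed the way `go tool cover` does), computes total and per-file statement coverage, and exits non-zero below the threshold. `SAMPLE_PROFILE` is constructed data with a placeholder module path.

```python
"""Gate a CI job on the statement coverage of a Go cover profile.

Added example for this proposal, not MCV project code. Reads the
coverage.out written by `go test -coverprofile=coverage.out` and exits
non-zero when total statement coverage is below the threshold (80% by
default, the figure suggested in the checklist).
"""
import sys

# Constructed sample profile; "example.invalid/mcv" is a placeholder module path.
SAMPLE_PROFILE = """\
mode: atomic
example.invalid/mcv/pkg/render.go:10.2,12.16 3 4
example.invalid/mcv/pkg/render.go:14.2,18.3 5 0
example.invalid/mcv/pkg/render.go:10.2,12.16 3 2
example.invalid/mcv/cmd/main.go:20.13,25.2 4 1
"""


def parse_profile(text):
    """Return {block_location: (num_statements, hit_count)}.

    Each profile line is "<file>:<start>,<end> <statements> <count>".
    The same block can appear more than once (e.g. when -coverpkg spans
    packages); counts for repeated blocks are summed, as `go tool cover`
    does for count/atomic mode.
    """
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("mode:"):
        raise ValueError("not a Go cover profile: missing 'mode:' header")
    blocks = {}
    for line in lines[1:]:
        location, num_stmts, count = line.rsplit(" ", 2)
        stmts, hits = blocks.get(location, (int(num_stmts), 0))
        blocks[location] = (stmts, hits + int(count))
    return blocks


def statement_coverage(blocks):
    """Percentage of statements that lie in a block executed at least once."""
    total = sum(stmts for stmts, _ in blocks.values())
    covered = sum(stmts for stmts, hits in blocks.values() if hits > 0)
    return 100.0 * covered / total if total else 0.0


def per_file_coverage(blocks):
    """Map each source file to its own statement-coverage percentage."""
    by_file = {}
    for location, entry in blocks.items():
        path = location.rsplit(":", 1)[0]
        by_file.setdefault(path, {})[location] = entry
    return {path: statement_coverage(file_blocks) for path, file_blocks in by_file.items()}


def check_threshold(text, threshold=80.0):
    """Return (passed, coverage_percent) for the text of a cover profile."""
    coverage = statement_coverage(parse_profile(text))
    return coverage >= threshold, coverage


if __name__ == "__main__":
    # Usage: python coverage_gate.py mcv/coverage.out [threshold]
    profile_path = sys.argv[1] if len(sys.argv) > 1 else "coverage.out"
    threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 80.0
    with open(profile_path, encoding="utf-8") as fh:
        passed, coverage = check_threshold(fh.read(), threshold)
    print(f"total statement coverage: {coverage:.1f}% (threshold {threshold:.1f}%)")
    sys.exit(0 if passed else 1)
```

Add it as a step after the `go test` run, with `working-directory: mcv`, so a PR that lowers total coverage below the agreed figure fails in the same job that produced the profile rather than only surfacing as a Codecov comment.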
### Future Enhancements
- [ ] Nightly build workflow
- [ ] SBOM generation and attestation
- [ ] Static analysis with CodeQL
## Benefits
- **Security:** Automated vulnerability and security scanning
- **Quality:** Coverage tracking and enforcement
- **Portability:** Multi-architecture container images
- **Visibility:** Security alerts in GitHub Security tab
## Acceptance Criteria
- [ ] Security workflow runs weekly and on PRs
- [ ] Coverage reports uploaded and visible
- [ ] Multi-arch images (amd64, arm64) published to quay.io
- [ ] All workflows documented in README
- [ ] GitHub Security tab shows scan results
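The multi-arch criterion is easy to get wrong silently: a build that only produced one platform still pushes a valid tag. The script below is an added example, not MCV project code, for checking what was actually published. It takes the JSON that `docker buildx imagetools inspect --raw <image>` prints for a tag (an OCI image index or Docker manifest list), ignores the `unknown/unknown` attestation entries that buildx attaches when provenance or SBOM generation is on, and reports which required platforms are missing. `SAMPLE_INDEX` is constructed data with placeholder digests, and `quay.io/<org>/<image>:<tag>` in the usage comment is a placeholder.

```python
"""Verify that a published image index covers the required platforms.

Added example for the multi-arch acceptance criterion; not MCV project
code. Input is the raw index JSON from
`docker buildx imagetools inspect --raw <image>`.
"""
import json
import sys

REQUIRED_PLATFORMS = {"linux/amd64", "linux/arm64"}

# Constructed sample index; the digests are placeholders, not real images.
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "11" * 32, "size": 1234,
         "platform": {"os": "linux", "architecture": "amd64"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "22" * 32, "size": 1234,
         "platform": {"os": "linux", "architecture": "arm64", "variant": "v8"}},
        # buildx stores provenance/SBOM attestations as extra manifests with
        # an unknown/unknown platform; they are not runnable images.
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "33" * 32, "size": 567,
         "platform": {"os": "unknown", "architecture": "unknown"}},
    ],
})


def platform_key(platform):
    """Normalise a manifest platform to buildx's os/arch[/variant] naming."""
    key = f"{platform['os']}/{platform['architecture']}"
    # buildx names 64-bit ARM plainly as linux/arm64; only 32-bit ARM
    # (linux/arm/v6, linux/arm/v7) keeps its variant in the platform name.
    if platform["architecture"] == "arm" and platform.get("variant"):
        key += "/" + platform["variant"]
    return key


def platforms_in_index(raw_json):
    """Return the set of runnable platforms listed in an index document."""
    doc = json.loads(raw_json)
    if "manifests" not in doc:
        raise ValueError("document is a single-platform manifest, not an index")
    found = set()
    for manifest in doc["manifests"]:
        platform = manifest.get("platform") or {}
        if platform.get("os", "unknown") == "unknown" or platform.get("architecture", "unknown") == "unknown":
            continue  # attestation entries or descriptors without a platform
        found.add(platform_key(platform))
    return found


def missing_platforms(raw_json, required=REQUIRED_PLATFORMS):
    """Return the sorted list of required platforms absent from the index."""
    return sorted(set(required) - platforms_in_index(raw_json))


if __name__ == "__main__":
    # Usage: docker buildx imagetools inspect --raw quay.io/<org>/<image>:<tag> | python check_platforms.py
    raw = sys.stdin.read() if len(sys.argv) == 1 else open(sys.argv[1], encoding="utf-8").read()
    missing = missing_platforms(raw)
    if missing:
        print("missing platforms: " + ", ".join(missing))
        sys.exit(1)
    print("all required platforms present: " + ", ".join(sorted(REQUIRED_PLATFORMS)))
```

Running this against the pushed tag as the last step of the image workflow turns the acceptance criterion into something the pipeline enforces on every release rather than something checked by hand.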