Add trivy and codeql workflows #681
Open
uniemimu wants to merge 1 commit into
Co-authored-by: Markus Lehtonen <markus.lehtonen@intel.com>
Signed-off-by: Ukri Niemimuukko <ukri.niemimuukko@intel.com>
Pull request overview
This PR adds GitHub Actions workflows to run Trivy (license/vulnerability scanning) and CodeQL analysis as part of CI, plus scheduled/manual entrypoints, so findings can be surfaced in the GitHub “Security and quality” views and exported as artifacts.
Changes:
- Extend the existing `Verify` workflow to invoke reusable Trivy and CodeQL workflows.
- Add reusable workflows `common-trivy.yaml` and `common-codeql.yaml`, plus scheduled/manual wrappers.
- Add report export templates/artifacts (Trivy CSV export and CodeQL PDF report artifact).
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .github/workflows/verify.yaml | Adds Trivy + CodeQL jobs to the main verification pipeline via reusable workflows. |
| .github/workflows/common-trivy.yaml | New reusable Trivy workflow (license + vuln scan, SARIF upload, optional CSV artifact). |
| .github/workflows/trivy-csv.tpl | New Trivy template intended to export findings/dependencies as CSV. |
| .github/workflows/common-codeql.yaml | New reusable CodeQL workflow (scan + optional PDF report artifact). |
| .github/workflows/scan-periodic.yaml | New scheduled Trivy run to continuously populate security findings. |
| .github/workflows/codeql.yaml | New manual CodeQL workflow_dispatch entrypoint. |
| .github/workflows/release.yaml | New tag-triggered scan workflow that exports Trivy CSV and CodeQL PDF artifacts on releases. |
Comment on lines +35 to +37
| permissions: | ||
| security-events: write | ||
| steps: |
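Review bot: this job-level `permissions:` map lists only `security-events: write`, and once any scope is listed GitHub sets every unlisted scope to `none`; if one of the `steps:` below checks the repository out with `actions/checkout`, it will fail without `contents: read`, so add `contents: read` next to `security-events: write` (the SARIF upload itself only needs the `security-events` scope).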
Comment on lines +41 to +48
| - name: Run Trivy in fs mode | ||
| continue-on-error: true | ||
| uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 | ||
| with: | ||
| scan-type: fs | ||
| scan-ref: . | ||
| exit-code: 1 | ||
| list-all-pkgs: true |
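Review bot: `continue-on-error: true` cancels out `exit-code: 1` on this step: Trivy exits non-zero when it finds something, but the runner then records the step and job as successful, so findings never block a run and are only visible inside the step log. If the intent is merely to let a later SARIF upload step run after a failing scan, put `if: always()` on that upload step instead of masking this one; if findings should not block CI at all, drop `exit-code: 1`; if they should, drop `continue-on-error` (or give this step an `id:` and check `steps.<id>.outcome == 'failure'` later). Pinning the action to a commit SHA with the `# v0.36.0` comment is the right way to reference it.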
Comment on lines +16 to +18
| permissions: | ||
| security-events: write | ||
| steps: |
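Review bot: with only `security-events: write` listed, this `permissions:` block reduces `contents` to `none`, which breaks `actions/checkout` and the CodeQL init/analyze steps that read the checked-out tree; the CodeQL starter workflow grants `actions: read`, `contents: read` and `security-events: write`, with `actions: read` needed only in private repositories, so consider the same trio here.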
Comment on lines +2 to +19
| Trivy Vulnerability Scan Results ({{- .Target -}}) | ||
| VulnerabilityID,Severity,CVSS Score,Title,Library,Vulnerable Version,Fixed Version,Information URL,Triage Information | ||
| {{ range .Vulnerabilities }} | ||
| {{- .VulnerabilityID }}, | ||
| {{- .Severity }}, | ||
| {{- range $key, $value := .CVSS }} | ||
| {{- if (eq $key "nvd") }} | ||
| {{- .V3Score -}} | ||
| {{- end }} | ||
| {{- end }}, | ||
| {{- quote .Title }}, | ||
| {{- quote .PkgName }}, | ||
| {{- quote .InstalledVersion }}, | ||
| {{- quote .FixedVersion }}, | ||
| {{- .PrimaryURL }} | ||
| {{ else -}} | ||
| No vulnerabilities found at this time. | ||
| {{ end }} |
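Review bot: the header line names nine columns, ending in `Information URL,Triage Information`, but each data row stops after `{{- .PrimaryURL }}` with eight fields, so every row is one column short of the header; if `Triage Information` is meant as a blank column for humans to fill in, emit a trailing `,` after `{{- .PrimaryURL }}`, otherwise drop it from the header. Two smaller points: `quote` uses Go's `%q` formatting, so a title containing `"` is written as `\"` rather than the doubled `""` that CSV readers expect, and the `Trivy Vulnerability Scan Results (...)` title line plus the `No vulnerabilities found at this time.` fallback are not CSV rows, so whatever consumes this export has to skip them.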
Comment on lines +20 to +29
| Trivy Dependency Scan Results ({{ .Target }}) | ||
| ID,Name,Version,Notes | ||
| {{ range .Packages -}} | ||
| {{- quote .ID }}, | ||
| {{- quote .Name }}, | ||
| {{- quote .Version }} | ||
| {{ else -}} | ||
| No dependencies found at this time. | ||
| {{ end }} | ||
| {{ end }} |
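Review bot: `ID,Name,Version,Notes` declares four columns but each package row emits only `ID`, `Name` and `Version`; add a trailing `,` after `{{- quote .Version }}` so the empty `Notes` column is present, or remove `Notes` from the header. Because this table is written straight after the vulnerability table in the same output file, the result is two differently shaped CSV tables in one document, and a consumer has to split on the `Trivy Dependency Scan Results` title line; worth documenting, or splitting into two templates.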
These workflow changes are, for the most part, originally from the goresctrl project, hence the co-authorship with marquiz.
Technically speaking, it is not absolutely necessary to have the possibility of running trivy and codeql inside the nri-plugins project itself. These tools can also be run in a fork, as I have been doing.
But for the longer term, it would perhaps be better for the project to keep an eye on security issues found also by these two tools. The issues are conveniently shown in the "Security and quality" tab for those with enough permissions in the project. A PDF report will also be available.