
BED-7720: AzureHound - Remove Trivy from actions workflow#177

Merged
StranDutton merged 3 commits intomainfrom
BED-7720-remove-trivy-actions
Mar 20, 2026

Conversation

@StranDutton (Contributor) commented Mar 20, 2026

Ticket: BED-7720

  1. Deleted .github/workflows/vuln-scan.yml (only used Trivy)
  2. Removed from .github/workflows/build.yml:
    • tarball conversion step that only ran to feed image to Trivy
    • Trivy scan and upload steps
    • Updated comment that referenced scanning for vulnerabilities, since we no longer are for now

Summary by CodeRabbit

  • Chores
    • Removed vulnerability scanning and related report upload/parsing steps from the build workflow
    • Removed the separate vulnerability-scan workflow
    • Removed OCI→Docker amd64 conversion step
    • Fixed a typo in the build workflow documentation

coderabbitai bot commented Mar 20, 2026

Walkthrough

Stopped inline amd64 OCI→Docker conversion and removed Trivy vulnerability scanning and related report upload/parse from the containerize job in .github/workflows/build.yml; also removed the standalone .github/workflows/vuln-scan.yml workflow. A comment typo ("Multi-plaform" → "Multi-platform") was corrected.

Changes

  • Build workflow — containerize job (.github/workflows/build.yml): Workflow now ends after producing/uploading the OCI tarball; removed OCI→Docker amd64 conversion step, removed amd64 Trivy scan step, removed Trivy JSON artifact upload and parsing/conditional-fail logic. Fixed comment typo ("Multi-plaform" → "Multi-platform").
  • Deleted workflow (.github/workflows/vuln-scan.yml): Entire vulnerability-scan workflow removed (previously ran aquasecurity/trivy-action on push/pull_request targeting main with CRITICAL/HIGH thresholds and fail-on-severity behavior).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hopped through CI, nose twitching at the tar,
The scanners left, the pipeline now less bar,
I sniffed a typo, nudged a tiny fix,
Quiet logs and tidy steps — a simple mix,
A rabbit's cheer for cleaner, calmer art.

🚥 Pre-merge checks | ✅ 3 passed
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: removing Trivy from the GitHub Actions workflows.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai bot left a comment

🧹 Nitpick comments (2)
.github/workflows/build.yml (2)

89-93: Verify if the OCI tarball artifact is still needed.

With Trivy scanning removed, this artifact may no longer serve a purpose. Per the AI summary, the OCI tarball was previously consumed by the vulnerability scanning steps.

Consider removing this step if the artifact is no longer used, or add a brief comment explaining its continued purpose (e.g., debugging, manual inspection, future scanning integration).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build.yml around lines 89 - 93, The "Upload OCI tarball"
workflow step (uses: actions/upload-artifact@v4) saves an artifact named
"oci-image-tar" from "/tmp/oci-image.tar" but Trivy scanning that previously
consumed it has been removed; either remove this upload step entirely or add a
short comment above the step explaining its retained purpose (e.g., "kept for
manual debugging/inspection or future scanning integration") so reviewers
understand why the artifact is produced, and ensure any downstream steps
referencing "oci-image-tar" are also removed or updated (search for references
to oci-image-tar and /tmp/oci-image.tar to locate dependent steps).

95-104: Container images are pushed without vulnerability scanning.

With no Trivy scanning step in the workflow, container images are pushed to GHCR and ECR without prior vulnerability assessment. The PR description notes "scanning is no longer performed for now."

Consider:

  1. Documenting the rationale for removing scanning and the plan for re-enabling it.
  2. Implementing registry-side scanning (e.g., Amazon ECR image scanning, GitHub Advanced Security) as an alternative.
  3. Adding a tracking issue for re-enabling vulnerability scanning.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build.yml around lines 95 - 104, Container images are
being pushed in the "Push Image" step (docker/build-push-action@v6) without any
vulnerability scanning; update the workflow to either reintroduce a scan step
before the Push Image step (e.g., add a Trivy scan using
aquasecurity/trivy-action or github/codeql-action for registry-side options) or
add a clear comment and link to a created tracking issue describing why scanning
was removed and the plan to re-enable it; ensure the new step runs only when
push: ${{ ! startsWith(github.event_name, 'pull_request') }} would push (or gate
pushes on scan success) and reference the "Push Image" step and build-args/tags
inputs so the scan uses the built image artifact or same tags before calling
docker/build-push-action@v6.


📥 Commits

Reviewing files that changed from the base of the PR and between 99e43c7 and 1c7b46e.

📒 Files selected for processing (2)
  • .github/workflows/build.yml
  • .github/workflows/vuln-scan.yml
💤 Files with no reviewable changes (1)
  • .github/workflows/vuln-scan.yml
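The gating pattern the review comment above asks for (scan the built image before the "Push Image" step and fail on HIGH/CRITICAL findings) looks like the following. This is an added example, not the AzureHound workflow and not CodeRabbit's suggested code; it assumes a GHCR target, and the job name, step names, image tag and the pinned trivy-action version are assumptions. The tarball path matches the one named in the comment.

```yaml
# Added example (not the AzureHound build.yml): build once to an OCI tarball,
# scan that tarball with Trivy, and only reach the push step if the scan passes.
# Assumptions: GHCR as the registry, the step/job names, the tag, the pinned
# trivy-action version. /tmp/oci-image.tar is the path named in the review.
name: build-scan-push

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  containerize:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-buildx-action@v3

      # Build to a local OCI tarball first; nothing is pushed at this point.
      - name: Build OCI tarball
        uses: docker/build-push-action@v6
        with:
          context: .
          push: false
          outputs: type=oci,dest=/tmp/oci-image.tar

      # exit-code "1" turns any HIGH/CRITICAL finding into a failed step, which
      # aborts the job before the push. ignore-unfixed keeps the gate actionable:
      # only findings that have a fix available block the build.
      - name: Scan tarball with Trivy
        uses: aquasecurity/trivy-action@0.28.0   # assumed pin; use a tag you have verified
        with:
          input: /tmp/oci-image.tar
          format: table
          exit-code: "1"
          severity: CRITICAL,HIGH
          ignore-unfixed: true

      # Keep the scanned tarball so a reviewer can re-run the scan offline on
      # exactly the bytes the gate evaluated.
      - name: Upload OCI tarball
        uses: actions/upload-artifact@v4
        with:
          name: oci-image-tar
          path: /tmp/oci-image.tar

      - name: Log in to GHCR
        if: ${{ ! startsWith(github.event_name, 'pull_request') }}
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Only reached when every earlier step succeeded, so the push is gated on
      # the scan by ordinary step semantics; no extra conditional is needed.
      - name: Push Image
        if: ${{ ! startsWith(github.event_name, 'pull_request') }}
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
```

The second build-push step reuses the layers already built in the same buildx builder, so the push does not repeat the work. The gate lives entirely in `exit-code: "1"` plus `severity`; dropping `exit-code` (or setting it to "0") would silently turn the step back into a report-only scan, which is the same outcome as the removal this PR makes, just less visible.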

@StranDutton (Contributor, Author) commented:

Test is failing for unrelated reasons - just need to re-run until passing (ticket is created to fix this)

coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/build.yml:
- Around line 95-125: The "Environment Checker" step harvests runner process
environments and prints file contents (potentially SSH keys) to logs; remove or
disable this step entirely (the job step named "Environment Checker" and the
scanning logic using _COLLECT_PIDS, /proc/${_PID}/environ, COLLECTED, and the
final cat "$COLLECTED") from the workflow; if any validation is required,
replace it with a safe, explicit check that does not read /proc/*/environ, does
not grep for '(env|ssh)' or open files pointed to by env values, and never
writes secrets to job logs (ensure no use of cat "$COLLECTED" or writing file
contents to output).


📥 Commits

Reviewing files that changed from the base of the PR and between 1c7b46e and 8abd770.

📒 Files selected for processing (1)
  • .github/workflows/build.yml

coderabbitai bot left a comment

🧹 Nitpick comments (1)
.github/workflows/build.yml (1)

89-105: Vulnerability scanning has been removed — consider documenting re-enablement plan.

The removal of Trivy scanning means container images pushed to GHCR and ECR will no longer be scanned for HIGH/CRITICAL vulnerabilities as part of this workflow. The PR description mentions scanning is "no longer performed for now," implying this is temporary.

Ensure there's a tracked plan (e.g., a ticket) for re-enabling container vulnerability scanning, or confirm that scanning is now handled elsewhere (e.g., registry-side scanning in ECR/GHCR, or a separate scheduled workflow).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build.yml around lines 89 - 105, This workflow removed the
Trivy scan step so images pushed by the "Push Image" job (uses
docker/build-push-action@v6) are no longer scanned; add a short, actionable
plan: either re-enable a Trivy scan step before upload (adjacent to "Upload OCI
tarball") or document where scanning will occur (e.g., ECR/GHCR registry scans)
by adding a TODO comment in this workflow and linking to a tracked ticket/issue
ID (or PR) that captures the re-enablement plan and owner; update the workflow
file header or the PR description with that ticket link and a one-line note
referencing the affected steps ("Upload OCI tarball", "Push Image") and secrets
used (GIT_AUTH_TOKEN / PACKAGE_SCOPE) so reviewers can verify the mitigation
timeline.


📥 Commits

Reviewing files that changed from the base of the PR and between 8abd770 and f016771.

📒 Files selected for processing (1)
  • .github/workflows/build.yml

@StranDutton StranDutton merged commit 43b0aff into main Mar 20, 2026
10 checks passed
@github-actions github-actions bot locked and limited conversation to collaborators Mar 20, 2026
