
@stnguyen90 stnguyen90 (Contributor) commented Dec 10, 2025

What does this PR do?

Install standard Trivy GitHub workflow template so that Trivy scans our docker image for vulns regularly.

Test Plan

None

Related PRs and Issues

None

Have you read the Contributing Guidelines on issues?

Yes

Summary by CodeRabbit

  • Chores
    • Added automated vulnerability scanning to CI: scans run on pushes, pull requests, and a scheduled cron; the pipeline builds the project image, runs a vulnerability scan focused on high/critical findings, and uploads results (SARIF) to the repository Security tab for centralized visibility and reporting.


@coderabbitai coderabbitai bot commented Dec 10, 2025

Walkthrough

A new GitHub Actions workflow was added at .github/workflows/trivy.yml named "trivy". It runs on pushes to main, pull requests targeting main, and a cron schedule. The job checks out the repository, builds a Docker image from the repository Dockerfile (tagged with the commit SHA), runs Trivy against that image producing a SARIF report filtered to HIGH and CRITICAL severities, and uploads the SARIF to GitHub Security using the CodeQL upload-sarif action. Workflow permissions for contents, security-events, and actions are set.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify Trivy command flags, SARIF template, and severity filtering (HIGH/CRITICAL)
  • Confirm workflow triggers (push to main, PRs targeting main, cron) match intent
  • Validate workflow permissions: contents: read, security-events: write, actions: read
  • Check Docker build step and image tagging (uses commit SHA)
  • Confirm upload-sarif action usage and SARIF file path/name

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'Add Trivy vulnerability scanning workflow' directly and concisely summarizes the main change: adding a new GitHub Actions workflow for Trivy vulnerability scanning.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 43b5589 and b1d9982.

📒 Files selected for processing (1)
  • .github/workflows/trivy.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: build
  • GitHub Check: Build
🔇 Additional comments (2)
.github/workflows/trivy.yml (2)

34-34: Verify image registry alignment with publishing strategy.

The image reference appwrite/docker-base defaults to Docker Hub without an explicit registry prefix. Confirm this matches the repository's publishing strategy. For GitHub-hosted projects, using GHCR (ghcr.io/appwrite/docker-base) is often more appropriate and avoids external Docker Hub dependencies.

If the repository publishes to GHCR, update both occurrences:

- docker build -t appwrite/docker-base:${{ github.sha }} .
+ docker build -t ghcr.io/appwrite/docker-base:${{ github.sha }} .
- image-ref: 'appwrite/docker-base:${{ github.sha }}'
+ image-ref: 'ghcr.io/appwrite/docker-base:${{ github.sha }}'
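Review bot: the build step creates this image locally and Trivy scans that local tag without any push or pull, so the ghcr.io prefix in the suggested hunk changes only the tag string; it neither removes a Docker Hub dependency nor requires a GHCR login unless a push step is added later. The env-variable variant is still worth applying so the build tag and `image-ref` cannot drift apart.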

Alternatively, make this configurable via environment variable:

env:
  REGISTRY_IMAGE: ghcr.io/appwrite/docker-base

Then use ${{ env.REGISTRY_IMAGE }} in both places.

Also applies to: 39-39


1-48: Verify that Dockerfile exists in repository root.

The workflow assumes a Dockerfile exists at the repository root (line 34: docker build -t appwrite/docker-base:${{ github.sha }} .). Ensure the Dockerfile is present and buildable without errors, as the workflow will fail if the build step cannot locate or parse the Dockerfile.



@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/trivy.yml (1)

46-46: Consider pinning the CodeQL action to a specific commit for consistency.

The CodeQL upload action uses a floating v3 tag, while the Trivy action is pinned to a specific commit. For better supply-chain security and reproducibility, consider pinning the CodeQL action to a specific commit as well.

-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@4355270c2f9846dca18e85b5f6653c0a1cb02e5c
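Review bot: a bare SHA hides which release it stands for; append the tag as a trailing comment on the pinned line (`uses: github/codeql-action/upload-sarif@4355270c2f9846dca18e85b5f6653c0a1cb02e5c # v3`) so reviewers and dependency-update bots can map the pin back to a version, and confirm the SHA is a tagged release commit in github/codeql-action before merging.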

To find the latest commit SHA for a given version tag, you can check the GitHub repository or use the GitHub CLI.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5e3f3b2 and 43b5589.

📒 Files selected for processing (1)
  • .github/workflows/trivy.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: build
  • GitHub Check: Build
🔇 Additional comments (1)
.github/workflows/trivy.yml (1)

37-37: Trivy action commit SHA is valid.

The commit 7b7aa264d83dc58691451798b4d117d53d21edfe exists in the official aquasecurity/trivy-action repository. It was authored by simar7 on 2022-06-22 with the message "feat(SBOM): Support SBOM generation (#129)". The pinned commit is authentic and verified.
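The complete workflow the walkthrough describes, with the two review suggestions (a single configurable image name and a commit-pinned upload action) applied, as an added illustration rather than the PR's own file: the triggers, permissions, image tag, Trivy commit, severity filter and the proposed upload-sarif SHA come from this page; the cron expression, runner, checkout version, SARIF template path and output file name are assumptions taken from the standard GitHub Trivy starter workflow.

```yaml
name: trivy

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1'   # assumed: the PR's actual schedule is not shown

permissions:
  contents: read
  security-events: write   # needed to upload SARIF to the Security tab
  actions: read

env:
  # One place to change the image name; the ghcr.io prefix is the
  # review's suggestion, the PR itself tags the image appwrite/docker-base
  REGISTRY_IMAGE: ghcr.io/appwrite/docker-base

jobs:
  build:
    runs-on: ubuntu-latest   # assumed runner
    steps:
      - name: Checkout code
        uses: actions/checkout@v4   # assumed version

      - name: Build image from the repository Dockerfile
        run: docker build -t ${{ env.REGISTRY_IMAGE }}:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner
        # Commit pinned by the PR and verified in the review above
        uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
        with:
          image-ref: '${{ env.REGISTRY_IMAGE }}:${{ github.sha }}'
          format: 'template'                # assumed, per starter workflow
          template: '@/contrib/sarif.tpl'   # assumed SARIF template path
          output: 'trivy-results.sarif'     # assumed output file name
          severity: 'CRITICAL,HIGH'         # filter stated in the walkthrough

      - name: Upload Trivy scan results to GitHub Security tab
        # Commit SHA proposed in the review instead of the floating v3 tag;
        # the trailing tag comment lets dependency bots track the release
        uses: github/codeql-action/upload-sarif@4355270c2f9846dca18e85b5f6653c0a1cb02e5c # v3
        with:
          sarif_file: 'trivy-results.sarif'
```

Because the image is built and scanned on the runner without a push, the scan itself works with either image name; the env variable only keeps the build tag and `image-ref` in sync.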

@github-advanced-security
Copy link

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@stnguyen90 stnguyen90 requested a review from abnegate December 11, 2025 06:57
@abnegate abnegate merged commit b8933ae into main Dec 12, 2025
6 checks passed