
chore(ci): add scheduled trivy scan with Linear ticket creation #810

Merged
Aryamanz29 merged 2 commits into main from chore/add-scheduled-trivy-scan
Feb 17, 2026

Conversation

@fyzanshaik-atlan (Contributor) commented Feb 13, 2026

Summary

Adds a scheduled security scan for the PyAtlan Docker image and uv.lock dependencies, with automatic Linear ticket creation when vulnerabilities are found.

What it does

  • Schedule: Twice a week — Monday and Thursday at 09:00 UTC (also supports manual trigger via workflow_dispatch)
  • Image scan: Builds the Docker image and scans with Trivy for HIGH/CRITICAL vulnerabilities
  • Dependency scan: Scans uv.lock for known vulnerable packages
  • Linear integration: Automatically creates a Linear ticket with properly formatted markdown tables showing severity, package, installed/fixed versions, and CVE links
  • Workflow summary: Publishes full Trivy table output to the GitHub Actions step summary
  • Clean scans: No ticket created if 0 vulnerabilities (no noise)

Approach

Self-contained inline workflow (matches the approach used in atlanhq/application-sdk). No dependency on external reusable workflows — everything runs within this repo's workflow file.

Linear ticket format

When vulnerabilities are found, the ticket includes:

  • Summary table with image/dependency/total counts
  • Per-section markdown tables (Docker Image / Dependencies) with severity, package, installed version, fixed version, and CVE
  • Links to the repository and workflow run

Setup required

  1. LINEAR_API_KEY — repository or org secret
  2. LINEAR_TEAM_ID — repository secret
  3. CHAINGUARD_USERNAME / CHAINGUARD_PASSWORD — already configured for this repo
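
The ticket-building step described above, as an added illustration that is not the PR's workflow code: it flattens Trivy's JSON report shape to HIGH/CRITICAL findings, renders the summary and per-section markdown tables, and returns nothing on a clean scan so that no ticket is created. The sample reports are constructed and their vulnerability IDs and URLs are placeholders.

```python
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1}  # the only severities the scan reports

# Constructed reports in the shape of `trivy --format json`; the vulnerability IDs
# and URLs are placeholders, not real CVEs. CLEAN_REPORT stands in for a clean uv.lock scan.
IMAGE_REPORT = {"Results": [{"Target": "pyatlan:latest", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "InstalledVersion": "3.0.1",
     "FixedVersion": "3.0.2", "Severity": "CRITICAL", "PrimaryURL": "https://example.invalid/0001"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib", "InstalledVersion": "1.2.11",
     "FixedVersion": "", "Severity": "MEDIUM", "PrimaryURL": "https://example.invalid/0002"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "busybox", "InstalledVersion": "1.36.0",
     "FixedVersion": "1.36.1", "Severity": "HIGH", "PrimaryURL": "https://example.invalid/0003"},
]}]}
CLEAN_REPORT = {"Results": [{"Target": "uv.lock", "Class": "lang-pkgs"}]}

def findings(report):
    """Flatten a Trivy report to HIGH/CRITICAL rows, most severe first.
    A clean result carries no 'Vulnerabilities' key, hence the .get()."""
    rows = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") in SEVERITY_ORDER:
                rows.append({"severity": v["Severity"], "package": v["PkgName"],
                             "installed": v.get("InstalledVersion", ""),
                             "fixed": v.get("FixedVersion") or "no fix yet",
                             "cve": f"[{v['VulnerabilityID']}]({v.get('PrimaryURL', '')})"})
    return sorted(rows, key=lambda r: (SEVERITY_ORDER[r["severity"]], r["package"]))

def markdown_table(rows):
    """Render one per-section table: severity, package, installed/fixed version, CVE link."""
    lines = ["| Severity | Package | Installed | Fixed | CVE |", "|---|---|---|---|---|"]
    lines += [f"| {r['severity']} | {r['package']} | {r['installed']} | {r['fixed']} | {r['cve']} |"
              for r in rows]
    return "\n".join(lines)

def build_ticket(image_report, dep_report, run_url):
    """Return the ticket body, or None so the caller creates no ticket on a clean scan."""
    image, deps = findings(image_report), findings(dep_report)
    total = len(image) + len(deps)
    if total == 0:
        return None
    sections = ["| Scope | Findings |\n|---|---|\n"
                f"| Docker image | {len(image)} |\n| Dependencies (uv.lock) | {len(deps)} |\n"
                f"| Total | {total} |"]
    if image:
        sections.append("### Docker Image\n" + markdown_table(image))
    if deps:
        sections.append("### Dependencies\n" + markdown_table(deps))
    sections.append(f"Workflow run: {run_url}")
    return "\n\n".join(sections)
```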

Weekly security scan (Monday 09:00 UTC) that scans the PyAtlan
Docker image and uv.lock for HIGH/CRITICAL vulnerabilities and
automatically creates a Linear ticket if issues are found.

Uses the org's reusable workflow from atlanhq/.github.

Requires:
- LINEAR_API_KEY secret
- LINEAR_TEAM_ID variable (team UUID from Linear)
- CHAINGUARD_USERNAME/PASSWORD secrets (for registry auth)

Replace the reusable workflow reference to atlanhq/.github with a
self-contained scheduled trivy scan workflow. Includes image + dependency
scanning, properly formatted markdown tables for Linear tickets, and
workflow step summary output.

Aryamanz29 added the feature (New feature or request) label on Feb 17, 2026

@Aryamanz29 (Member) left a comment


LGTM - thanks! @fyzanshaik-atlan 🚀

Aryamanz29 merged commit d52cc3d into main on Feb 17, 2026
54 of 60 checks passed
Aryamanz29 deleted the chore/add-scheduled-trivy-scan branch on February 17, 2026 at 07:50