feat(security): replace Trivy with Google OSV Scanner #166

Merged: jdomeracki-coder merged 1 commit into main from sec/remove-trivy-action on May 7, 2026

Conversation

@CommanderK5 (Contributor) commented Mar 23, 2026

Summary

Replaces Aqua Security Trivy with Google OSV Scanner for vulnerability scanning.

Why

Trivy is being replaced with Google OSV Scanner to align with the tooling direction across Coder repos. OSV Scanner provides both source dependency scanning and container image scanning, with reachability analysis (--call-analysis=all) to reduce false positives by checking if vulnerable functions are actually called.

Reference: https://github.com/coder/tallyman/commit/7ccfac0630bf873b2f5e9bc045a795e1ddfa7477

How

Replaced the Trivy steps in the build job with four new jobs:

| Job | Purpose | Trigger |
|---|---|---|
| osv-scan-scheduled | Full source dependency scan via official reusable workflow | push, schedule, dispatch |
| osv-scan-pr | Diff-only scan (only new vulns) via official reusable workflow | pull_request |
| osv-scan-alert | Slack notification for source scan failures | schedule (on failure) |
| osv-scan-image | Container image scan via `osv-scanner scan image` CLI | all triggers |

Key details:

  • Source scanning uses the reusable workflows as recommended by the OSV Scanner docs
  • Image scanning installs the CLI binary (v2.3.5) with SHA256 checksum verification
  • Exit code handling tolerates code 1 (vulns found) but fails on real errors
  • Added schedule trigger (weekdays) for recurring vulnerability scans
  • The build job is now a pure build verification; image scanning is a separate job

Note

Generated by Coder Agents
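The PR description states two design points for the image-scan job: the osv-scanner binary is verified against a pinned SHA256 checksum before use, and the scanner's exit code 1 (vulnerabilities found) is tolerated while any other non-zero code fails the job. The POSIX shell below is an added example illustrating both rules; it is not the workflow code from this PR or from the coder repository. It assumes a pinned checksum supplied by the workflow (here a placeholder) and uses `sha256sum` with a `shasum -a 256` fallback; the scanner is stood in for by `sh -c` commands that exit with constructed codes so the logic can run offline.

```shell
#!/bin/sh
# Added example, not the PR's workflow code. Demonstrates:
#   1. checksum verification of a downloaded binary against a pinned SHA256
#   2. exit-code handling: 0 = clean, 1 = vulns found (tolerated), other = real error (fail)

# Compute the SHA256 of a file, using whichever tool the runner has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when the file's digest matches the pinned value, 1 otherwise.
# Case-insensitive compare so an upper-case pin still matches.
verify_sha256() {
  actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# run_scan_tolerant CMD [ARGS...]
# Runs the scanner command and classifies its exit code.
# Prints "clean" or "vulnerabilities-found" and returns 0 for codes 0/1,
# so the job does not fail merely because findings exist (results are
# reported separately, e.g. via SARIF or the alert job). Any other code is
# treated as a scanner/runtime error and propagated so the job fails.
# The `|| rc=$?` form keeps this correct under `set -e`.
run_scan_tolerant() {
  rc=0
  "$@" || rc=$?
  case "$rc" in
    0) echo "clean"; return 0 ;;
    1) echo "vulnerabilities-found"; return 0 ;;
    *) echo "scanner-error rc=$rc" >&2; return "$rc" ;;
  esac
}

# Demo with constructed inputs (no network access needed).
# In the real job the file would be the downloaded osv-scanner binary and the
# pin would come from the release's published checksum; here it is a placeholder.
demo() {
  tmp=$(mktemp)
  printf 'hello\n' > "$tmp"                       # constructed stand-in for the binary
  pinned=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03   # sha256("hello\n")
  if verify_sha256 "$tmp" "$pinned"; then
    echo "checksum ok"
  else
    echo "checksum mismatch, refusing to run binary" >&2
    rm -f "$tmp"
    return 1
  fi
  rm -f "$tmp"
  run_scan_tolerant sh -c 'exit 1'                 # stand-in for a scan that found vulns
}
```

In the workflow the wrapper would be invoked as `run_scan_tolerant ./osv-scanner scan image "$IMAGE_REF"` after `verify_sha256 ./osv-scanner "$PINNED_SHA256"` has succeeded; both names are placeholders for whatever the job defines.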

@johnstcn johnstcn requested review from jdomeracki-coder and sreya and removed request for sreya May 7, 2026 08:31
@johnstcn johnstcn self-assigned this May 7, 2026
@johnstcn (Member) commented May 7, 2026

Needs to be replaced with osv-scanner

@jdomeracki-coder jdomeracki-coder force-pushed the sec/remove-trivy-action branch from 6a32335 to 9212297 Compare May 7, 2026 08:45
@jdomeracki-coder jdomeracki-coder changed the title chore: remove Trivy action from CI workflow feat(security): replace Trivy with Google OSV Scanner May 7, 2026
@github-advanced-security commented

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@jdomeracki-coder jdomeracki-coder merged commit 88a62f4 into main May 7, 2026
13 checks passed