Add temporary workflow to clear legacy Trivy alerts

[lukeheath]

Summary by CodeRabbit

• Chores
  • Added automation to manage legacy security scan alerts, improving internal alert management processes.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[sharon-fdm]

LGTM

[coderabbitai]

Walkthrough

This pull request adds a new GitHub Actions workflow file (.github/workflows/trivy-close-legacy.yml) designed to close legacy Trivy security alerts. The workflow is manually triggered via workflow_dispatch, runs on ubuntu-latest with security-events: write and contents: read permissions, and executes a single job named reset. The job generates a minimal SARIF 2.1.0 JSON file containing no security results, then uploads it using the CodeQL action to the Trivy category defined in .github/workflows/trivy-scan.yml. This effectively clears previously reported Trivy findings by replacing them with an empty scan result.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The pull request description is completely empty, with no information provided by the author to explain the change or its context.	Add a description explaining why this temporary workflow is needed, what problem it solves, and any relevant context about the legacy Trivy alerts being cleared.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: adding a temporary workflow to clear legacy Trivy alerts, which matches the added workflow file.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch update-trivy-workflows

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 Microsoft Presidio Analyzer (2.2.362)

.github/workflows/trivy-close-legacy.yml

Microsoft Presidio Analyzer failed to scan this file

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (3)

.github/workflows/trivy-close-legacy.yml (3)

1-2: Consider adding a follow-up issue to delete this workflow after use.

Since this is explicitly a "temporary" one-off cleanup, there's no built-in guard against it accumulating stale runs or being forgotten. A linked issue or a # TODO: delete after first successful run comment would make the intent and exit criteria explicit.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/trivy-close-legacy.yml around lines 1 - 2, This temporary
workflow "Close legacy trivy alerts" needs an explicit exit/action item: create
a short follow-up GitHub issue to delete this workflow after it's run
successfully (or add the new issue number/URL), and add a top-of-file TODO
comment in the workflow YAML such as "TODO: delete after first successful run —
see ISSUE `#123`" so reviewers can see the intended lifecycle; update the workflow
header to include that TODO and the created issue reference.

---

18-18: ⚡ Quick win

Upgrade upload-sarif from @v3 to @v4 — v3 is scheduled for deprecation in December 2026.

GitHub's official documentation and the CodeQL Action repository recommend v4. While v3 remains supported, it is being phased out in favor of v4, which includes new features and runs on Node.js 24.

⬆️ Proposed update

-      - uses: github/codeql-action/upload-sarif@v3
+      - uses: github/codeql-action/upload-sarif@v4

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/trivy-close-legacy.yml at line 18, Replace the CodeQL
SARIF upload step reference using the old tag "uses:
github/codeql-action/upload-sarif@v3" with the newer major version tag ("uses:
github/codeql-action/upload-sarif@v4"); locate the step that declares uses:
github/codeql-action/upload-sarif@v3 in the workflow and update the version tag
to `@v4`, then run a quick workflow lint or dry-run to ensure there are no
breaking changes or required input adjustments for upload-sarif@v4.

---

18-18: ⚡ Quick win

Pin codeql-action/upload-sarif to a commit SHA rather than the mutable @v3 tag.

Floating version tags can be force-pushed, which is a supply-chain risk — particularly relevant for a workflow with security-events: write. Find the pinned SHA for the current v3 release on the action's release page.

🔒 Example: pin to a specific SHA

-      - uses: github/codeql-action/upload-sarif@v3
+      - uses: github/codeql-action/upload-sarif@<full-commit-sha> # v3

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/trivy-close-legacy.yml at line 18, Replace the mutable
action reference "github/codeql-action/upload-sarif@v3" with a pinned commit SHA
for that action (e.g., "github/codeql-action/upload-sarif@<commit-sha>") to
avoid supply-chain risk; locate the step that uses the symbol "uses:
github/codeql-action/upload-sarif@v3" and update it to the specific release
commit SHA found on the action's releases page, ensuring the workflow continues
to function with the exact immutable version.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/trivy-close-legacy.yml:
- Around line 18-21: The hardcoded category value in the
github/codeql-action/upload-sarif step must be changed to match the dynamic
categories used by the Trivy scan workflow; update the upload step's with:
category to compute the same value as trivy-scan.yml (use the same conditional
logic that yields either "trivy-{branch}" when matrix.branch is set or "" when
not), e.g. derive the category from the same input/variable (matrix.branch or an
env/input) so the SARIF upload consolidates with the Trivy scan stream instead
of creating a separate legacy category; adjust the upload-sarif step (the
sarif_file + category parameters) to reference that computed category.
- Line 21: Update the hardcoded category value in trivy-close-legacy.yml (the
`category:` field currently set to `.github/workflows/trivy-scan.yml:trivy`) to
use the same dynamic expression used by trivy-scan.yml: replace the literal with
the matrix-aware expression `${{ matrix.branch && format('trivy-{0}',
matrix.branch) || '' }}` so the `category` matches `trivy-scan.yml` and SARIF
streams merge/overwrite rather than creating separate streams.

---

Nitpick comments:
In @.github/workflows/trivy-close-legacy.yml:
- Around line 1-2: This temporary workflow "Close legacy trivy alerts" needs an
explicit exit/action item: create a short follow-up GitHub issue to delete this
workflow after it's run successfully (or add the new issue number/URL), and add
a top-of-file TODO comment in the workflow YAML such as "TODO: delete after
first successful run — see ISSUE `#123`" so reviewers can see the intended
lifecycle; update the workflow header to include that TODO and the created issue
reference.
- Line 18: Replace the CodeQL SARIF upload step reference using the old tag
"uses: github/codeql-action/upload-sarif@v3" with the newer major version tag
("uses: github/codeql-action/upload-sarif@v4"); locate the step that declares
uses: github/codeql-action/upload-sarif@v3 in the workflow and update the
version tag to `@v4`, then run a quick workflow lint or dry-run to ensure there
are no breaking changes or required input adjustments for upload-sarif@v4.
- Line 18: Replace the mutable action reference
"github/codeql-action/upload-sarif@v3" with a pinned commit SHA for that action
(e.g., "github/codeql-action/upload-sarif@<commit-sha>") to avoid supply-chain
risk; locate the step that uses the symbol "uses:
github/codeql-action/upload-sarif@v3" and update it to the specific release
commit SHA found on the action's releases page, ensuring the workflow continues
to function with the exact immutable version.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e065d68a-9137-4462-99b9-206fec533fa5

📥 Commits

Reviewing files that changed from the base of the PR and between f4bae86 and 5d3dad1.

📒 Files selected for processing (1)

• .github/workflows/trivy-close-legacy.yml

[Copilot]

Pull request overview

Adds a manually-triggered GitHub Actions workflow intended to clear out (close) legacy Trivy code-scanning alerts by uploading an empty SARIF report.

Changes:

• Introduces a workflow_dispatch-only workflow that generates an empty SARIF payload for Trivy.
• Uploads that SARIF to GitHub code scanning using a fixed category to target legacy results.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.