You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As a relay maintainer, I want a scheduled workflow that re-runs both the runtime-image CVE scan and the source-side reachable-Go-vuln scan against the latest main SHA and automatically files a GitHub issue when it detects a regression, so that newly-disclosed CVEs against dependencies that have not changed since the last PR are surfaced for action instead of scrolling past in Actions logs.
Context
PR-time scanning only catches CVEs that exist at PR time. New CVEs are disclosed continuously against dependencies the relay has not touched in weeks. Without a periodic re-scan against main, a vuln disclosed today against a long-stable dep stays invisible until someone next happens to bump that dep.
This ticket adds a single "security audit" cron workflow that re-runs:
A scan failure must result in a GitHub issue being created automatically — not just a red workflow run — so the failure has an action owner and visible status.
Split from #40. Depends on the PR-time image scan landing first (so the cron can reuse the same scan invocation) and on #41 landing first (so the cron can invoke govulncheck against main with an established pattern).
Acceptance Criteria
A new workflow file (e.g. .github/workflows/security-scan.yml) runs on a schedule — daily or weekly, architect chooses — and additionally supports workflow_dispatch for manual re-runs.
The workflow checks out the latest main SHA and runs both the runtime-image CVE scan (same scanner, severity policy, and ignore-unfixed policy as the PR-time job) and govulncheck ./... (same invocation as relay: govulncheck in CI — flag reachable Go vulns at PR time #41).
When either scan reports a failure-condition finding, the workflow creates a GitHub issue in this repository via gh issue create whose body contains the scanner output excerpt, the offending CVE id(s) or vuln id(s), the affected dependency or image layer, and the workflow run URL.
The created issue is labeled security-sensitive so it routes through the normal triage flow.
The workflow does not file a duplicate issue if an open issue with the same CVE/vuln id and the same affected component already exists — either by searching open issues before filing or by using a deterministic title pattern that lets operators spot duplicates by eye. Perfect dedup is not required; non-spammy is.
Workflow permissions are scoped to the minimum needed: contents: read for checkout; issues: write only on the issue-filing step.
Scanner / action versions are pinned (same supply-chain logic as the PR-time scan).
A manual workflow_dispatch invocation against a clean main succeeds end-to-end without filing an issue (no findings → no issue); during verification a deliberately-vulnerable state results in an issue being filed.
Technical Notes
Re-using shared steps with the PR-time workflow (e.g. via a reusable workflow or composite action) is fine but not required at this size. Optimize for clarity over DRY at v1.
The auto-filed issue is the starting point for human triage, not its final form — the body can be terse as long as it links the workflow run.
User Story
As a relay maintainer, I want a scheduled workflow that re-runs both the runtime-image CVE scan and the source-side reachable-Go-vuln scan against the latest
mainSHA and automatically files a GitHub issue when it detects a regression, so that newly-disclosed CVEs against dependencies that have not changed since the last PR are surfaced for action instead of scrolling past in Actions logs.Context
PR-time scanning only catches CVEs that exist at PR time. New CVEs are disclosed continuously against dependencies the relay has not touched in weeks. Without a periodic re-scan against
main, a vuln disclosed today against a long-stable dep stays invisible until someone next happens to bump that dep.This ticket adds a single "security audit" cron workflow that re-runs:
A scan failure must result in a GitHub issue being created automatically — not just a red workflow run — so the failure has an action owner and visible status.
Split from #40. Depends on the PR-time image scan landing first (so the cron can reuse the same scan invocation) and on #41 landing first (so the cron can invoke
govulncheckagainstmainwith an established pattern).Acceptance Criteria
.github/workflows/security-scan.yml) runs on a schedule — daily or weekly, architect chooses — and additionally supportsworkflow_dispatchfor manual re-runs.mainSHA and runs both the runtime-image CVE scan (same scanner, severity policy, andignore-unfixedpolicy as the PR-time job) andgovulncheck ./...(same invocation as relay: govulncheck in CI — flag reachable Go vulns at PR time #41).gh issue createwhose body contains the scanner output excerpt, the offending CVE id(s) or vuln id(s), the affected dependency or image layer, and the workflow run URL.security-sensitiveso it routes through the normal triage flow.contents: readfor checkout;issues: writeonly on the issue-filing step.workflow_dispatchinvocation against a cleanmainsucceeds end-to-end without filing an issue (no findings → no issue); during verification a deliberately-vulnerable state results in an issue being filed.Technical Notes
Size Estimate
S