@JAORMX JAORMX commented Nov 24, 2025

Summary

This PR integrates Trivy container security scanning into the Dockyard pipeline to provide comprehensive vulnerability detection for all built container images.

What's Changed

🔍 PR-Level Scanning

  • When: On every PR and main branch build
  • Scans for: CRITICAL, HIGH, and MEDIUM severity vulnerabilities
  • Results: Uploaded to GitHub Security tab → Code Scanning
  • Blocking: No - provides visibility without stopping development
  • Coverage: CVEs in OS packages and application dependencies

📅 Periodic Scanning (New Workflow)

  • When: Weekly on Monday at 2am UTC + manual trigger
  • Scans for: All severities (CRITICAL, HIGH, MEDIUM, LOW) + secrets + misconfigurations + licenses
  • Results: GitHub Security tab + automatic issue creation
  • Smart Alerting:
    • Creates GitHub issues for CRITICAL vulnerabilities or detected secrets
    • Updates existing issues instead of creating duplicates
    • 90-day artifact retention for audit trail

📚 Documentation Updates

  • Added comprehensive "Container Vulnerability Scanning" section
  • Updated "Security Guarantees" to include container scanning
  • Updated pipeline diagram to show Trivy integration
  • Documented scan schedules and result locations

Technical Details

Files Changed

  • .github/workflows/build-containers.yml - Added Trivy scan step after build
  • .github/workflows/periodic-security-scan.yml - New workflow for periodic scans
  • README.md - Documentation updates

Permissions Added

  • security-events: write - Required for SARIF upload to GitHub Security tab

Benefits

  1. Continuous Monitoring - Weekly scans catch newly disclosed CVEs in published images
  2. Early Detection - Developers see vulnerabilities during PR review
  3. Actionable Results - GitHub Security tab integration makes review easy
  4. Comprehensive Coverage - Scans OS packages, dependencies, secrets, and configs
  5. Low Maintenance - Trivy auto-updates its vulnerability database daily
  6. Non-Blocking - Won't slow down development velocity

Why Trivy?

After deep research comparing Trivy vs Grype:

  • All-in-one: Vulnerabilities + secrets + misconfigurations + SBOM
  • Larger community: 29,900+ GitHub stars, 100M+ annual downloads
  • Superior documentation: Consistently praised for excellent docs
  • Built-in secret detection: Critical for catching leaked credentials
  • Better GitHub Actions integration: Mature action with SARIF support
  • Simpler to maintain: One tool vs multiple specialized tools

Testing

The PR workflow will:

  1. Trigger on changes to workflow files (these changes)
  2. Scan any built containers with Trivy
  3. Upload results to Security tab
  4. Show scan status in PR checks

Note: Since no MCP server configs changed, container builds won't trigger, but the workflow syntax will be validated.

Future Enhancements (Optional)

  • Add Trivy scan attestations (similar to MCP scan attestations)
  • Make scanning blocking for CRITICAL vulnerabilities after tuning
  • Add allowlists for known false positives
  • Integrate with Slack/Discord for notifications

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>
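The PR-level and periodic scans described above, as an added example rather than Dockyard's own `build-containers.yml` or `periodic-security-scan.yml`. It is a single weekly workflow that assumes a placeholder image `ghcr.io/example-org/example-image:latest`, the `aquasecurity/trivy-action` and `github/codeql-action/upload-sarif` actions, and a `security` issue label; the image name, label, and the exact shape of the issue body are assumptions, not taken from the repository.

```yaml
# Added example (not Dockyard's actual workflow): weekly Trivy scan of a
# published image, SARIF upload to Code Scanning, 90-day artifact retention,
# and a deduplicated tracking issue for CRITICAL vulnerabilities or secrets.
name: periodic-security-scan

on:
  schedule:
    - cron: "0 2 * * 1"      # Monday 02:00 UTC
  workflow_dispatch:          # manual on-demand trigger

permissions:
  contents: read
  security-events: write      # required by codeql-action/upload-sarif
  issues: write               # required to create or update the tracking issue

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      # SARIF for the Security tab: all severities and all scanners.
      - name: Trivy scan (SARIF)
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ghcr.io/example-org/example-image:latest   # placeholder image
          scanners: vuln,secret,misconfig,license
          severity: CRITICAL,HIGH,MEDIUM,LOW
          format: sarif
          output: trivy.sarif
          exit-code: "0"      # visibility only; never fails the job here

      - name: Upload SARIF to Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        if: always()          # upload even when a later step fails
        with:
          sarif_file: trivy.sarif

      # Second pass in JSON so the alerting step can reason about findings.
      - name: Trivy scan (JSON)
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ghcr.io/example-org/example-image:latest
          scanners: vuln,secret
          format: json
          output: trivy.json
          exit-code: "0"

      - name: Keep raw results for audit
        uses: actions/upload-artifact@v4
        with:
          name: trivy-results
          path: |
            trivy.sarif
            trivy.json
          retention-days: 90

      - name: Open or update tracking issue
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const report = JSON.parse(fs.readFileSync('trivy.json', 'utf8'));
            const results = report.Results || [];
            const critical = results.flatMap(r => r.Vulnerabilities || [])
                                    .filter(v => v.Severity === 'CRITICAL');
            // Carry the scanned target onto each secret; never include the
            // matched string itself (s.Match), since the issue is not a vault.
            const secrets = results.flatMap(r =>
              (r.Secrets || []).map(s => ({ ...s, Target: r.Target })));
            if (critical.length === 0 && secrets.length === 0) return;

            const title = '[security] Trivy: critical findings in published images';
            const body = [
              `Run: ${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`,
              `CRITICAL vulnerabilities: ${critical.length}`,
              ...critical.slice(0, 20).map(v =>
                `- ${v.VulnerabilityID} in ${v.PkgName} ${v.InstalledVersion}` +
                (v.FixedVersion ? ` (fixed in ${v.FixedVersion})` : '')),
              `Secrets detected: ${secrets.length}`,
              ...secrets.slice(0, 20).map(s =>
                `- ${s.RuleID} (${s.Category}) at ${s.Target}:${s.StartLine}`),
            ].join('\n');

            // Dedupe: refresh an open issue with the same title instead of
            // opening a new one on every weekly run.
            const { data: open } = await github.rest.issues.listForRepo({
              owner: context.repo.owner, repo: context.repo.repo,
              state: 'open', labels: 'security', per_page: 100,
            });
            const existing = open.find(i => i.title === title);
            if (existing) {
              await github.rest.issues.update({ owner: context.repo.owner,
                repo: context.repo.repo, issue_number: existing.number, body });
            } else {
              await github.rest.issues.create({ owner: context.repo.owner,
                repo: context.repo.repo, title, body, labels: ['security'] });
            }
```

The PR-level step in the build workflow uses the same two actions but is triggered by `pull_request` and pushes to `main`, restricts `severity` to `CRITICAL,HIGH,MEDIUM`, and keeps `exit-code: "0"` so the check reports status without blocking the merge; flipping that to `"1"` on a `CRITICAL`-only run is the blocking mode the "Future Enhancements" list defers. Two details matter for the audit trail: `if: always()` on the SARIF upload keeps the Security tab populated even when the JSON or issue steps fail, and the issue body deliberately lists rule IDs and locations for secrets rather than the matched value.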

This commit integrates Trivy vulnerability scanning into the Dockyard
pipeline to provide comprehensive container security scanning.

## Changes

### PR-Level Scanning (build-containers.yml)
- Add Trivy scan step after container build
- Scan for CRITICAL, HIGH, and MEDIUM severity vulnerabilities
- Upload SARIF results to GitHub Security tab (Code Scanning)
- Non-blocking: provides visibility without stopping PRs
- Add security-events permission for SARIF upload

### Periodic Scanning (new workflow)
- Add periodic-security-scan.yml workflow
- Runs weekly (Monday 2am UTC) on all published images
- Comprehensive scan: vulnerabilities, secrets, configs, licenses
- Auto-creates GitHub issues for CRITICAL findings or detected secrets
- Smart issue management: updates existing issues instead of duplicates
- Manual trigger available for on-demand scans
- 90-day artifact retention for audit trail

### Documentation (README.md)
- Add "Container Vulnerability Scanning" section
- Document Trivy integration and scan schedules
- Update "Security Guarantees" section
- Update pipeline diagram to include Trivy scan step

## Benefits

1. **Continuous Monitoring**: Catches newly disclosed CVEs in published images
2. **Early Detection**: Developers see vulnerabilities during PR review
3. **Actionable Results**: GitHub Security tab integration for easy review
4. **Comprehensive**: Scans OS packages, dependencies, secrets, and configs
5. **Low Maintenance**: Trivy auto-updates vulnerability database

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@rdimitrov rdimitrov merged commit a815c29 into main Nov 25, 2025
2 checks passed
@rdimitrov rdimitrov deleted the add-trivy-container-scanning branch November 25, 2025 08:07