Add Trivy filesystem scan to GitHub Actions#83

Merged
seonghobae merged 6 commits into develop from copilot/add-trivy-scan-to-github-actions on Mar 25, 2026
Conversation

Copilot AI commented Mar 25, 2026

Adds Trivy filesystem vulnerability scanning to the CI pipeline, scanning lockfiles and dependencies for CRITICAL/HIGH severity issues with results surfaced in the GitHub Security tab.

Changes

  • .github/workflows/trivy.yml — New workflow: fs scan on push/PR to develop/main, SARIF upload to Security tab. Pinned to aquasecurity/trivy-action@v0.35.0 (57a97c7...) — the only uncompromised release post CVE-2026-33634 supply chain attack.
  • docs/security/code-security.md — Added Trivy to required controls list.
  • docs/security/github-required-checks.md — Added trivy-fs-scan as intended required check for both develop and main.

Notes

All actions are commit-SHA pinned per repo dependency policy. Reuses the same actions/checkout and codeql-action/upload-sarif SHAs already in use by existing workflows.

Original prompt

Please add a Trivy scan to GitHub Actions.



- Add .github/workflows/trivy.yml with SHA-pinned aquasecurity/trivy-action@v0.35.0
- Scan for CRITICAL,HIGH severity vulnerabilities in filesystem mode
- Upload SARIF results to GitHub Security tab
- Update code-security.md to include Trivy in required controls
- Update github-required-checks.md to add trivy-fs-scan for develop and main

Co-authored-by: seonghobae <8172694+seonghobae@users.noreply.github.com>
Agent-Logs-Url: https://github.com/seonghobae/bandscope/sessions/000af55a-1d33-44d3-9af0-1276cf1be7d1
Copilot AI changed the title [WIP] Add Trivy Scan to GitHub Actions Add Trivy filesystem scan to GitHub Actions Mar 25, 2026
Copilot AI requested a review from seonghobae March 25, 2026 14:05
@seonghobae seonghobae marked this pull request as ready for review March 25, 2026 14:23
@seonghobae

@coderabbitai review

coderabbitai Bot commented Mar 25, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai Bot commented Mar 25, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 55a59616-f85e-459b-ab52-b2ed46eb9bf7

📥 Commits

Reviewing files that changed from the base of the PR and between c373269 and 9502f8a.

📒 Files selected for processing (1)
  • .github/workflows/trivy.yml


📝 Walkthrough

Summary by CodeRabbit

Release notes

  • Chores

    • An automated filesystem vulnerability scan workflow has been added.
  • Documentation

    • A new filesystem vulnerability scan entry has been added to the code security controls document.
    • The merge-gate required checks list now includes the scan's status check, strengthening the review and merge requirements.

Walkthrough

A new GitHub Actions workflow, .github/workflows/trivy.yml, was added to run a Trivy filesystem vulnerability scan, and the workflow was registered in the security documentation and in the required merge checks for the develop/main branches.

Changes

Cohort / File(s) | Summary
Workflow file: .github/workflows/trivy.yml | Adds a new workflow named trivy. It is triggered on PRs and pushes targeting develop and main; the trivy-fs-scan job runs a filesystem scan on ubuntu-latest (scan-type: fs, scan-ref: '.'), writes SARIF output (trivy-results.sarif) restricted to CRITICAL/HIGH, and always uploads the results (if: always()).
Security docs update: docs/security/code-security.md, docs/security/github-required-checks.md | Adds the Trivy filesystem vulnerability scan to the code security controls list and registers trivy-fs-scan as a required merge-gate check for develop/main.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer
    participant GH as GitHub Actions
    participant Runner as Actions Runner (ubuntu-latest)
    participant Trivy as Trivy Scanner
    participant SARIF as SARIF Upload (Security Tab)

    Dev->>GH: push / open PR targeting develop/main
    GH->>Runner: dispatch trivy-fs-scan job
    Runner->>Trivy: run fs scan (scan-ref='.', severities=CRITICAL,HIGH)
    Trivy-->>Runner: write `trivy-results.sarif` and return exit code (1 on findings)
    Runner->>SARIF: upload `trivy-results.sarif` via github/codeql-action/upload-sarif [if: always()]
    SARIF-->>GH: SARIF processed in Security tab

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 Hopping through the field at dawn, I keep watch,
finding the cracks by Trivy's light;
when the warning flags wave low,
I leap in boldly and set things right,
leaving one carrot in the safe field 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

Check name | Status | Explanation
Title check | ✅ Passed | The title clearly and concisely summarizes the pull request's main change: adding a Trivy filesystem scan to GitHub Actions.
Description check | ✅ Passed | The description is relevant to every part of the change and covers the specific file changes, configuration details and security policy compliance.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



coderabbitai Bot previously requested changes Mar 25, 2026

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/trivy.yml:
- Around line 23-30: The Trivy scan step ("Run Trivy filesystem scan" using
aquasecurity/trivy-action) currently sets severity: CRITICAL,HIGH but misses the
SARIF filtering and fail-on-severity behavior; update the Trivy action step to
add limit-severities-for-sarif: true so the SARIF output is restricted to
CRITICAL/HIGH and add exit-code: '1' so the step fails when those severities are
found (keep existing keys like scan-type, scan-ref, format and output
unchanged).
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: cd50e862-9a7b-44e9-84b8-dfc6c2eb7e77

📥 Commits

Reviewing files that changed from the base of the PR and between 6e93f87 and c373269.

📒 Files selected for processing (3)
  • .github/workflows/trivy.yml
  • docs/security/code-security.md
  • docs/security/github-required-checks.md

Comment thread .github/workflows/trivy.yml
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Ensures the SARIF upload contains only CRITICAL/HIGH findings (no noise from
lower severities) and the job fails fast when vulnerabilities are detected.

Addresses CodeRabbit review comment on PR #83.
@seonghobae

@coderabbitai review

coderabbitai Bot commented Mar 25, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@seonghobae seonghobae dismissed coderabbitai[bot]’s stale review March 25, 2026 14:51

All requested changes implemented in commit d370e10: added limit-severities-for-sarif: true and exit-code: '1' to trivy.yml
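The workflow as the PR description and the CodeRabbit fix describe it, written out here as an added illustration; this is not the repository's own .github/workflows/trivy.yml, and the commit SHAs are placeholders (the page only gives the truncated 57a97c7... prefix for trivy-action and no SHAs for the other two actions).

```yaml
# Added illustration of the Trivy filesystem scan workflow discussed in PR #83.
# Not the repository's own file; <...-sha> values are placeholders (assumption).
name: trivy

on:
  push:
    branches: [develop, main]
  pull_request:
    branches: [develop, main]

permissions:
  contents: read          # checkout only needs read access
  security-events: write  # needed for upload-sarif to write to the Security tab

jobs:
  trivy-fs-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # Commit-SHA pinned per the repo dependency policy (placeholder SHA)
        uses: actions/checkout@<checkout-sha>

      - name: Run Trivy filesystem scan
        # Pinned to the commit SHA of trivy-action v0.35.0 (placeholder SHA)
        uses: aquasecurity/trivy-action@<trivy-action-sha>
        with:
          scan-type: fs
          scan-ref: '.'
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH
          # Without this, SARIF output still carries every severity regardless
          # of the 'severity' filter; added in the fix requested by CodeRabbit.
          limit-severities-for-sarif: true
          # Fail the step when CRITICAL/HIGH findings exist; also part of the fix.
          exit-code: '1'

      - name: Upload Trivy SARIF to the Security tab
        # Runs even when the scan step failed, so findings are still recorded
        if: always()
        uses: github/codeql-action/upload-sarif@<codeql-action-sha>
        with:
          sarif_file: trivy-results.sarif
```

With exit-code: '1' the trivy-fs-scan job turns red on findings, which is what makes it usable as a required status check; the if: always() on the upload step keeps the Security tab populated even on that failing path.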

@seonghobae seonghobae enabled auto-merge (squash) March 25, 2026 14:52
3 participants