From 1fba77e01a2c90df34c9a67bd0c162f8acd84868 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 25 Mar 2026 13:58:21 +0000 Subject: [PATCH 1/4] Initial plan From c373269aa6fae0cfc014a65639874b241967b8b2 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 25 Mar 2026 14:03:14 +0000 Subject: [PATCH 2/4] Add Trivy filesystem scan workflow and update security docs - Add .github/workflows/trivy.yml with SHA-pinned aquasecurity/trivy-action@v0.35.0 - Scan for CRITICAL,HIGH severity vulnerabilities in filesystem mode - Upload SARIF results to GitHub Security tab - Update code-security.md to include Trivy in required controls - Update github-required-checks.md to add trivy-fs-scan for develop and main Co-authored-by: seonghobae <8172694+seonghobae@users.noreply.github.com> Agent-Logs-Url: https://github.com/seonghobae/bandscope/sessions/000af55a-1d33-44d3-9af0-1276cf1be7d1 --- .github/workflows/trivy.yml | 35 +++++++++++++++++++++++++ docs/security/code-security.md | 1 + docs/security/github-required-checks.md | 2 ++ 3 files changed, 38 insertions(+) create mode 100644 .github/workflows/trivy.yml diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml new file mode 100644 index 00000000..59a0e491 --- /dev/null +++ b/.github/workflows/trivy.yml 
@@ -0,0 +1,35 @@ +name: trivy + +on: + pull_request: + branches: + - develop + - main + push: + branches: + - develop + - main + +permissions: + contents: read + security-events: write + +jobs: + trivy-fs-scan: + name: trivy-fs-scan + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Run Trivy filesystem scan + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + with: + scan-type: fs + scan-ref: . + format: sarif + output: trivy-results.sarif + severity: CRITICAL,HIGH + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1 + if: always() + with: + sarif_file: trivy-results.sarif diff --git a/docs/security/code-security.md b/docs/security/code-security.md index 3c0ae4a1..f9163b9c 100644 --- a/docs/security/code-security.md +++ b/docs/security/code-security.md @@ -7,6 +7,7 @@ BandScope treats GitHub Code Security as part of bootstrap governance. ## Required controls - CodeQL or equivalent code scanning workflow +- Trivy filesystem vulnerability scan - dependency review on pull requests - security audit workflow for npm, Python, and Rust dependencies in scope - Dependabot alerts and security updates diff --git a/docs/security/github-required-checks.md b/docs/security/github-required-checks.md index 10ff97fb..fbc15a4c 100644 --- a/docs/security/github-required-checks.md +++ b/docs/security/github-required-checks.md @@ -10,6 +10,7 @@ These are the merge-gate status checks that should be required on protected bran - `dependency-review` - `security-audit` - `CodeQL` +- `trivy-fs-scan` - `sbom` - `release-preflight` - `gate / build / windows` @@ -24,6 +25,7 @@ These are the merge-gate status checks that should be required on protected bran - `dependency-review` - `security-audit` - `CodeQL` +- `trivy-fs-scan` - `sbom` - `release-preflight` - `gate / build / windows` 
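Review bot: the `permissions` block in the new `.github/workflows/trivy.yml` hunk grants `contents: read` and `security-events: write` but not `actions: read`; on a private repository `github/codeql-action/upload-sarif` also needs `actions: read`, so the "Upload Trivy scan results" step would fail with a permissions error there. Suggest adding `actions: read` next to the two existing entries. Separately, `on:` only lists `push` and `pull_request`, so a CVE published against a dependency that is already on `develop` or `main` is not surfaced until the next change lands on those branches; a `schedule:` cron entry on the same job would close that gap.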
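Review bot: the new item `- Trivy filesystem vulnerability scan` in `docs/security/code-security.md` does not say what the control gates on; the workflow added in this same patch scans at `severity: CRITICAL,HIGH` in `scan-type: fs` mode and uploads SARIF to the Security tab, so recording that threshold in the list item (for example `- Trivy filesystem vulnerability scan (CRITICAL/HIGH, SARIF to Security tab)`) keeps the documented control in step with the workflow.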
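Review bot: `trivy-fs-scan` is added to the required checks for `develop` in the first `github-required-checks.md` hunk, and the name matches the job's `name: trivy-fs-scan` in `trivy.yml`, so branch protection will find it; but in the workflow hunk of this same patch the scan step sets no `exit-code`, so the job succeeds even when CRITICAL/HIGH findings are reported and the required check is informational only. Either set `exit-code: '1'` on the scan step in this patch or note in the docs that the check does not yet block merges.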
From d370e106245aa91b269865ca81738c78f91a4e27 Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Wed, 25 Mar 2026 23:37:14 +0900 Subject: [PATCH 3/4] fix: add limit-severities-for-sarif and exit-code to Trivy scan step Ensures the SARIF upload contains only CRITICAL/HIGH findings (no noise from lower severities) and the job fails fast when vulnerabilities are detected. Addresses CodeRabbit review comment on PR #83. --- .github/workflows/trivy.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 59a0e491..e70dfebc 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -28,6 +28,8 @@ jobs: format: sarif output: trivy-results.sarif severity: CRITICAL,HIGH + limit-severities-for-sarif: true + exit-code: '1' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1 if: always() From 9502f8ac48477bc8bf9ef2cc58286e6a345de467 Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Wed, 25 Mar 2026 23:57:38 +0900 Subject: [PATCH 4/4] ci: re-trigger build runners
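Review bot: with `exit-code: '1'` added and no `ignore-unfixed` setting, the job now fails on CRITICAL/HIGH findings that have no fixed version available, which blocks every pull request on `develop` and `main` with nothing for the author to remediate; consider `ignore-unfixed: true`, or a reviewed `.trivyignore` with expiring entries, so the merge gate only fails on actionable findings. The `if: always()` on the upload step visible in the trailing context is what keeps the SARIF reaching the Security tab once the scan step fails, so that ordering should stay as it is.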