64 changes: 34 additions & 30 deletions .github/workflows/ci.yml
@@ -1,13 +1,13 @@
name: CI
on:
push:
branches: [ 'v8' ]
branches: ["v8"]
paths-ignore:
- '**.md' # Don't run CI on markdown changes.
- "**.md" # Don't run CI on markdown changes.
pull_request:
branches: [ 'v8', 'feat/**' ]
branches: ["v8", "feat/**"]
paths-ignore:
- '**.md'
- "**.md"

jobs:
go-versions:
Expand Down Expand Up @@ -51,65 +51,69 @@ jobs:
id-token: write
contents: read
with:
environment: 'staging'
environment: "staging"
go-version: ${{ needs.go-versions.outputs.latest }}


security-scan:
needs: go-versions
runs-on: ubuntu-latest
name: "Trivy Scan of Docker Image"
env:
# Avoid rate-limiting on ghcr.io (https://github.com/aquasecurity/trivy-action/issues/389)
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
name: "Docker Scout Scan"
permissions:
contents: read
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
fetch-tags: 'true'
fetch-tags: "true"
- name: Setup Go ${{ inputs.go-version }}
uses: actions/setup-go@v5
with:
go-version: ${{ needs.go-versions.outputs.latest }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
- name: Setup Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
with:
platforms: linux/amd64,linux/arm64/v8,linux/arm/v7,linux/386
- name: Build Docker Images
run: make products-for-release
- name: Get current Relay version
id: image-tag
run:
echo "value=$(jq -r '.version' < dist/metadata.json)" >> $GITHUB_OUTPUT
- uses: aquasecurity/trivy-action@master
run: echo "value=$(jq -r '.version' < dist/metadata.json)" >> $GITHUB_OUTPUT
- uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
username: ${{ vars.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_RO_TOKEN }}
- uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2
id: scan-alpine
continue-on-error: true
with:
command: cves
# Using an explicit tag rather than ld-relay:latest to ensure we're scanning the local image that we just built.
# It's not clear why, but it seems goreleaser doesn't create the :latest tag when skipping the publish step
# as we do for CI, so the scan will end up checking the public image instead of the one we just built.
image-ref: launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-amd64
format: 'table'
exit-code: '1'
ignore-unfixed: true
- uses: aquasecurity/trivy-action@master
image: local://launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-amd64
exit-code: true
only-fixed: true
write-comment: false
- uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2
id: scan-distroless
continue-on-error: true
with:
image-ref: launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-static-debian12-nonroot-amd64
format: 'table'
exit-code: '1'
ignore-unfixed: true
- uses: aquasecurity/trivy-action@master
command: cves
image: local://launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-static-debian12-nonroot-amd64
exit-code: true
only-fixed: true
write-comment: false
- uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2
continue-on-error: true
id: scan-debug-distroless
with:
image-ref: launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-static-debian12-debug-nonroot-amd64
format: 'table'
exit-code: '1'
ignore-unfixed: true
command: cves
image: local://launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-static-debian12-debug-nonroot-amd64
exit-code: true
only-fixed: true
write-comment: false
- name: Fail if any of scan-alpine, scan-distroless, or scan-distroless-debug failed
if: ${{ steps.scan-alpine.outcome != 'success' || steps.scan-distroless.outcome != 'success' || steps.scan-debug-distroless.outcome != 'success' }}
run: exit 1
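Review bot: The `security-scan` job now pins `docker/setup-qemu-action`, `docker/setup-buildx-action`, `docker/login-action` and `docker/scout-action` to full commit SHAs with a version trailer, but `actions/checkout@v4` and `actions/setup-go@v5` in the same step list still float on mutable major tags, so the job's supply-chain posture is only as strong as its weakest pin; the same mix is left in .github/workflows/daily-security-scan-alpine.yml and .github/workflows/daily-security-scan-distroless.yml, where `actions/checkout@v4` sits next to the SHA-pinned login and scout steps. Pinning those two the same way, e.g. `- uses: actions/checkout@<commit-sha> # vX.Y.Z`, keeps the policy consistent and lets a tool such as Dependabot or Renovate maintain the pins. Separately, this workflow runs on `pull_request` and the new login step reads `secrets.DOCKER_RO_TOKEN`; for pull requests opened from forks that secret is presumably empty, so the login and with it the scan job would likely fail for external contributors, which is worth confirming and, if so, guarding with a condition such as `if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}`. A small nit in the final step: its name refers to `scan-distroless-debug` while the step id it checks is `scan-debug-distroless`.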
21 changes: 12 additions & 9 deletions .github/workflows/daily-security-scan-alpine.yml
Expand Up @@ -11,14 +11,17 @@ jobs:
tag: ['latest', 'latest-alpine', 'v8', 'v8-alpine']
fail-fast: false
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v4
- uses: aquasecurity/trivy-action@master
env:
# Avoid rate-limiting on ghcr.io (https://github.com/aquasecurity/trivy-action/issues/389)
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
- uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
image-ref: launchdarkly/ld-relay:${{ matrix.tag }}
format: 'table'
exit-code: '1'
ignore-unfixed: true
username: ${{ vars.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_RO_TOKEN }}
- uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2
with:
command: cves
image: launchdarkly/ld-relay:${{ matrix.tag }}
exit-code: true
only-fixed: true
write-comment: false
21 changes: 12 additions & 9 deletions .github/workflows/daily-security-scan-distroless.yml
Expand Up @@ -11,14 +11,17 @@ jobs:
tag: ['latest-static-debian12-nonroot', 'v8-static-debian12-debug-nonroot']
fail-fast: false
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v4
- uses: aquasecurity/trivy-action@master
env:
# Avoid rate-limiting on ghcr.io (https://github.com/aquasecurity/trivy-action/issues/389)
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
- uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
image-ref: launchdarkly/ld-relay:${{ matrix.tag }}
format: 'table'
exit-code: '1'
ignore-unfixed: true
username: ${{ vars.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_RO_TOKEN }}
- uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2
with:
command: cves
image: launchdarkly/ld-relay:${{ matrix.tag }}
exit-code: true
only-fixed: true
write-comment: false