31 changes: 21 additions & 10 deletions .github/workflows/pr-container-scan.yml
@@ -1,12 +1,15 @@
name: PR Container Scan
name: Container Scan

# Runs Trivy against a locally-built image on PRs that change the Dockerfile
# or Maven dependencies. Paths filter is deliberate: most PRs don't touch the
# image, and running this on every PR would add ~5-10 min of build time for
# no benefit. When the filter fires, we catch base-image / added-dependency
# CVEs before merge rather than discovering them at release-cut time.
# or Maven dependencies, AND on every push to main with the same paths filter.
# Paths filter is deliberate: most PRs don't touch the image, and running this
# on every PR would add ~5-10 min of build time for no benefit.
#
# Never pushes — this is PR-time feedback only. release.yml continues to run
# The push:main trigger ensures stale Trivy alerts auto-close after a fix
# lands — without it, the SARIF only ever uploads against PR refs and the
# main-branch alert track goes stale after every fix merge.
#
# Never pushes images — this is feedback only. release.yml continues to run
# the authoritative scan at release publish time (with the real version tag).

on:
Expand All @@ -17,6 +20,14 @@ on:
- 'pom.xml'
- '**/pom.xml'
- '.github/workflows/pr-container-scan.yml'
push:
branches: [main]
paths:
- 'Dockerfile'
- '**/Dockerfile'
- 'pom.xml'
- '**/pom.xml'
- '.github/workflows/pr-container-scan.yml'

permissions: read-all

Expand All @@ -41,16 +52,16 @@ jobs:
context: .
push: false
load: true
tags: ghcr.io/runcycles/cycles-server:pr-${{ github.event.pull_request.number }}
tags: ghcr.io/runcycles/cycles-server:scan-${{ github.event.pull_request.number || github.sha }}
build-args: |
APP_VERSION=pr-${{ github.event.pull_request.number }}
APP_VERSION=scan-${{ github.event.pull_request.number || github.sha }}
cache-from: type=gha
cache-to: type=gha,mode=max

- name: Trivy vulnerability scan
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
image-ref: ghcr.io/runcycles/cycles-server:pr-${{ github.event.pull_request.number }}
image-ref: ghcr.io/runcycles/cycles-server:scan-${{ github.event.pull_request.number || github.sha }}
severity: 'HIGH,CRITICAL'
ignore-unfixed: true
format: 'sarif'
Expand All @@ -62,4 +73,4 @@ jobs:
uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4
with:
sarif_file: 'trivy-results.sarif'
category: trivy-container-pr
category: trivy-container-pr # category kept stable so push-to-main scans clear PR-track alerts
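Review bot: The inline comment on the `category` key in the last hunk misdescribes what the stable category buys: to my understanding code scanning tracks alerts per ref and per category, so a push-to-main upload supersedes the previous `trivy-container-pr` analysis on `refs/heads/main` (which is what closes fixed alerts, as the header comment correctly says) but does not touch alerts attached to PR merge refs. I would reword it to `category: trivy-container-pr # stable across PR and main uploads so each ref's alerts are superseded by its latest scan`. Separately, because both triggers are paths-filtered, a newly published CVE in an unchanged base image or Maven dependency never refreshes the main-branch track until some Dockerfile/pom change lands; if that gap matters, a weekly `schedule:` trigger on this workflow (same build-and-scan steps, `github.sha` already covers the tag) would keep the main track current. The job-level permissions are outside this view — with `permissions: read-all` at workflow level, confirm the job grants `security-events: write` so the new push:main upload succeeds.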