Skip to content

Adding nightly and PR trivy scans #11

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 18 commits into from
Jun 9, 2025
Merged

Adding nightly and PR trivy scans #11

merged 18 commits into from
Jun 9, 2025

Conversation

jmfiola
Copy link
Collaborator

@jmfiola jmfiola commented Jun 4, 2025
edited
Loading

Automated Trivy Security Scans

This PR adds automated Trivy scans to every pull request targeting main and sets up a nightly job that runs the same scan directly against the main branch.

 Key Changes

Workflow Frequency Behaviour
Pull Request Every PR to main Fails if any HIGH or CRITICAL vulnerabilities, or secrets are detected.
Nightly (main) Daily ‑ 03:00 UTC Runs on main; when the scan fails on HIGH or CRITICAL findings, the workflow opens  or re‑uses  a GitHub issue.
Example: Issue #13.

Type of Change

New feature – adds preventive security gates and continuous monitoring.

Validation & Testing

Pull‑Request Pipeline

  • Tested with branches containing known HIGH/CRITICAL findings → workflow failed as expected.
  • Tested with a clean branch → workflow passed.

Nightly Workflow

  • Temporarily removed branch/schedule guard to trigger issue‑creation logic.
  • Confirmed:
    • A single issue is opened on first failure.
    • Subsequent failures detect the open issue and do not create duplicates.

@jmfiola jmfiola changed the title Adding trivy scans to PR pipeline DRAFT: Adding trivy scans to PR pipeline Jun 4, 2025
@jmfiola jmfiola changed the title DRAFT: Adding trivy scans to PR pipeline Adding nightly and PR trivy scans Jun 5, 2025
@jmfiola jmfiola requested a review from thathaneydude June 6, 2025 17:29
thathaneydude
thathaneydude previously approved these changes Jun 6, 2025
View reviewed changes
Copy link
Collaborator

@thathaneydude thathaneydude left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice job! Let's let it soak over the weekend and if all goes well we can implement it across all the repos 👍

HassanBaker
HassanBaker requested changes Jun 9, 2025
View reviewed changes
Copy link
Collaborator

@HassanBaker HassanBaker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great! I agree with Ryan, this would be better off in a standalone workflows repo so we can import it into the other projects as well

HassanBaker
HassanBaker approved these changes Jun 9, 2025
View reviewed changes
Copy link
Collaborator

@HassanBaker HassanBaker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work!

@jmfiola jmfiola merged commit 06f3820 into main Jun 9, 2025
4 checks passed
@jmfiola jmfiola deleted the add-trivy-scans branch June 9, 2025 17:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@HassanBaker HassanBaker HassanBaker approved these changes

@thathaneydude thathaneydude thathaneydude left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jmfiola @HassanBaker @thathaneydude