ci: Cat 1072 security nightly cleanup #17983

Open · wants to merge 2 commits into base: master

shortstacked (Contributor)

Summary

  • Includes CVE details in the scan Slack message
  • Uses the official Slack action instead of a 3rd-party action
  • Adds a detailed summary report to the GitHub action using GitHub Summaries
  • No longer sends on a successful check, but will still add the summary.

Related Linear tickets, Github issues, and Community forum posts

https://linear.app/n8n/issue/CAT-1072/ci-remove-positive-result-from-nightly-security-scan

Review / Merge checklist

  • PR title and summary are descriptive. (conventions)
  • Docs updated or follow-up ticket created.
  • Tests included.
  • PR Labeled with release/backport (if the PR is an urgent fix that needs to be backported)

@shortstacked shortstacked requested a review from tomi August 4, 2025 22:27
@n8n-assistant n8n-assistant bot added the "n8n team" (Authored by the n8n team) label Aug 4, 2025
@cubic-dev-ai cubic-dev-ai bot left a comment

cubic analysis: 1 issue found across 2 files

[.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[]] |
group_by(.VulnerabilityID) |
map(.[0]) |
sort_by((.Severity == "HIGH" | if . then 1 else 0 end), -((.CVSS.nvd.V3Score // 0) | tonumber? // 0)) |

Invalid two-parameter call to sort_by will make the Slack-block jq script crash, so no Slack message will be posted.

Prompt for AI agents
Address the following comment on .github/workflows/security-trivy-scan-callable.yml at line 178:

<comment>Invalid two-parameter call to sort_by will make the Slack-block jq script crash, so no Slack message will be posted.</comment>

<file context>
@@ -4,123 +4,206 @@ on:
   workflow_dispatch:
     inputs:
       image_ref:
-        description: Full image reference to scan e.g ghcr.io/n8n-io/n8n:latest
+        description: &#39;Full image reference to scan e.g. ghcr.io/n8n-io/n8n:latest&#39;
         required: true
         default: &#39;ghcr.io/n8n-io/n8n:latest&#39;
   workflow_call:
     inputs:
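Review bot: The quoted context (the `workflow_dispatch` `image_ref` description at lines 4-9) shows only the description string being wrapped in quotes and given a trailing period; the `sort_by` call this comment targets at line 178 is not part of the shown hunk, so a reader cannot check the suggested change against the surrounding jq script from this context alone. Quote the jq block around `sort_by(...)` (the preceding `group_by(.VulnerabilityID) | map(.[0]) |` and whatever stage follows the trailing pipe) as the file context instead.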
</file context>
Suggested change
sort_by((.Severity == "HIGH" | if . then 1 else 0 end), -((.CVSS.nvd.V3Score // 0) | tonumber? // 0)) |
sort_by([(.Severity == "HIGH" | if . then 1 else 0 end), -((.CVSS.nvd.V3Score // 0) | tonumber? // 0)]) |
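To see what the corrected filter actually yields, here is an added Python model of the jq pipeline from the review comment (not code from the n8n PR or its workflow), run over a constructed Trivy-shaped JSON report. The targets, scores and CVE-0000-* identifiers are placeholders, and the `prioritize`, `cvss_score` and `summary_lines` helpers are this example's own names.

```python
"""Model of the corrected jq pipeline from the review comment, run over a
constructed Trivy JSON report. This is an added example, not code from the
n8n PR or its workflow; the report data and CVE-0000-* identifiers below are
constructed placeholders.

jq pipeline being modelled (the reviewer's corrected form):
  [.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[]]
  | group_by(.VulnerabilityID) | map(.[0])
  | sort_by([(.Severity == "HIGH" | if . then 1 else 0 end),
             -((.CVSS.nvd.V3Score // 0) | tonumber? // 0)])
"""
import json

# Constructed sample report in Trivy's JSON shape. It exercises the cases the
# filter has to survive: a Result with null Vulnerabilities, one CVE reported
# under two targets, a finding with no CVSS block, and a score given as a
# string (which jq's tonumber? would convert).
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "node_modules/lib-a", "Vulnerabilities": None},
        {"Target": "alpine (3.19)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "Severity": "HIGH",
             "CVSS": {"nvd": {"V3Score": 8.1}}},
            {"VulnerabilityID": "CVE-0000-0002", "Severity": "CRITICAL",
             "CVSS": {"nvd": {"V3Score": 9.8}}},
            {"VulnerabilityID": "CVE-0000-0003", "Severity": "MEDIUM"},
        ]},
        {"Target": "usr/lib/libz", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "Severity": "HIGH",
             "CVSS": {"nvd": {"V3Score": 8.1}}},
            {"VulnerabilityID": "CVE-0000-0004", "Severity": "HIGH",
             "CVSS": {"nvd": {"V3Score": "7.5"}}},
        ]},
    ]
})


def flatten(report):
    """[.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[]]"""
    return [v for r in report.get("Results", [])
            if r.get("Vulnerabilities") is not None
            for v in r["Vulnerabilities"]]


def dedupe(vulns):
    """group_by(.VulnerabilityID) | map(.[0]): one entry per ID, first
    occurrence wins (jq's sort is stable, so .[0] is the first one seen)."""
    first_seen = {}
    for v in vulns:
        first_seen.setdefault(v["VulnerabilityID"], v)
    # group_by also orders the groups by key; sort_by reorders them afterwards.
    return [first_seen[k] for k in sorted(first_seen)]


def cvss_score(v):
    """(.CVSS.nvd.V3Score // 0) | tonumber? // 0: a missing, null or
    non-numeric score collapses to 0 instead of aborting the pipeline."""
    raw = ((v.get("CVSS") or {}).get("nvd") or {}).get("V3Score")
    if raw is None:
        return 0.0
    try:
        return float(raw)
    except (TypeError, ValueError):
        return 0.0


def sort_key(v):
    """The two-element array key the corrected sort_by([...]) compares:
    HIGH flag first (0 sorts before 1), then score descending via negation."""
    return (1 if v.get("Severity") == "HIGH" else 0, -cvss_score(v))


def prioritize(report_json):
    """Run the whole pipeline over a Trivy JSON document given as a string."""
    return sorted(dedupe(flatten(json.loads(report_json))), key=sort_key)


def summary_lines(report_json):
    """One line per unique finding, in pipeline order, for a summary body."""
    return ["{} {} {:.1f}".format(v["VulnerabilityID"],
                                  v.get("Severity", "UNKNOWN"),
                                  cvss_score(v))
            for v in prioritize(report_json)]


if __name__ == "__main__":
    print("\n".join(summary_lines(SAMPLE_REPORT)))
```

With jq installed, the corrected filter applied to the same document should give the same order. Two points worth checking in the real workflow: the key as written sorts the HIGH flag ascending, so every non-HIGH severity (CRITICAL and MEDIUM alike) lands before HIGH, and the snippet on this page ends in a pipe, so whether a later stage reverses or filters the list is not visible here; and `group_by | map(.[0])` keeps only the first record per VulnerabilityID, so per-target details from the duplicates are dropped from the message.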
