Skip to content

ci: add Trivy container vulnerability scan#1697

Open
bong-water-water-bong wants to merge 1 commit into
Osmantic:mainfrom
bong-water-water-bong:clean-add/trivy-scan-2
Open

ci: add Trivy container vulnerability scan#1697
bong-water-water-bong wants to merge 1 commit into
Osmantic:mainfrom
bong-water-water-bong:clean-add/trivy-scan-2

Conversation

@bong-water-water-bong

Copy link
Copy Markdown

Adds Trivy container vulnerability scanning. No unrelated workflow files.

Scans all 9 core Dockerfiles for HIGH/CRITICAL CVEs on every PR and
push to main, plus weekly Monday scans. Results uploaded as SARIF to
GitHub Code Scanning.

Covers: dashboard, dashboard-api, comfyui, brave-search, privacy-shield,
token-spy, ape, llama-server (AMD), llama-sycl.
@Lightheartdevs

Copy link
Copy Markdown
Collaborator

Thanks for adding container scanning; this is a useful safety net for the service images once it is wired to the current tree.

Advisory status: not ready yet

Quickest path to merge:

  • .github/workflows/trivy-scan.yml: update the matrix from dream-server/... to the real Dockerfile paths under ods/... (ods/extensions/services/... and ods/images/llama-sycl/Dockerfile). The current matrix points to files that do not exist in this branch, so the workflow cannot scan the intended surfaces.
  • Decide whether this should scan Dockerfile configuration or built image vulnerabilities. The PR description says HIGH/CRITICAL CVEs, but scan-type: config on a Dockerfile is an IaC/config scan, not a built container image vulnerability scan. If the goal is CVE coverage, build or reference the images and use the Trivy mode that scans image vulnerabilities.
  • Match the repo’s workflow hardening convention by pinning aquasecurity/trivy-action instead of using @master; existing workflows pin third-party actions by SHA with a version comment.

What I checked:

  • Static review of the new workflow against the current Dockerfile layout and existing workflow pinning style.
  • Path checks confirmed the dream-server/... matrix paths are absent while the corresponding ods/... paths exist.
  • git diff --check origin/main...origin/pr/1697 passed; gh pr checks reports no checks on this branch.

Thanks again for adding this security coverage.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants