add trivy

brendan-kellam · brendan-kellam · commit 7c904721b859 · 2026-04-14T13:53:20.000-07:00
diff --git a/.github/workflows/trivy-vulnerability-triage.yml b/.github/workflows/trivy-vulnerability-triage.yml
@@ -0,0 +1,71 @@
+name: Vulnerability Scan & Triage
+
+on:
+  # schedule:
+  #   # Run nightly at 2am UTC
+  #   - cron: '0 2 * * *'
+  workflow_dispatch:
+    inputs:
+      image_tag:
+        description: 'Image tag to scan (default: latest)'
+        required: false
+        default: 'latest'
+      dry_run:
+        description: 'Dry run (analyze but do not create Linear issues)'
+        required: false
+        type: boolean
+        default: false
+
+env:
+  IMAGE: ghcr.io/sourcebot-dev/sourcebot
+
+permissions:
+  contents: read
+  packages: read
+
+jobs:
+  scan:
+    name: Trivy Scan
+    runs-on: ubuntu-latest
+    outputs:
+      has_vulnerabilities: ${{ steps.check.outputs.has_vulnerabilities }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run Trivy vulnerability scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "${{ env.IMAGE }}:${{ inputs.image_tag || 'latest' }}"
+          format: "json"
+          output: "trivy-results.json"
+          severity: "CRITICAL,HIGH,MEDIUM"
+          # Only report vulns that have a fix available
+          ignore-unfixed: true
+          trivy-config: trivy.yaml
+
+      - name: Check for vulnerabilities
+        id: check
+        run: |
+          VULN_COUNT=$(jq '[.Results[]?.Vulnerabilities // [] | .[] | select(.FixedVersion != null and .FixedVersion != "")] | length' trivy-results.json)
+          echo "Found $VULN_COUNT fixable vulnerabilities"
+          if [ "$VULN_COUNT" -gt 0 ]; then
+            echo "has_vulnerabilities=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "has_vulnerabilities=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Upload scan results
+        if: steps.check.outputs.has_vulnerabilities == 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-results
+          path: trivy-results.json
+          retention-days: 30
diff --git a/trivy.yaml b/trivy.yaml
@@ -0,0 +1,9 @@
+# Docs: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/
+ 
+scan:
+  scanners:
+    - vuln
+ 
+  pkg-types:
+    - os
+    - library
