Add Security Scan workflow as part of the SSDLC requirements

[srbouffard]

Applicable spec: SSDLC - Vulnerability Identification

Overview

This pull request introduces a dedicated security_scan.yaml GitHub Actions workflow. This workflow is designed to automate vulnerability management for the GitHub Runner charm, fulfilling the current SSDLC requirements.

The new workflow includes the following jobs:

• A vulnerability and secret scan of the charm's filesystem using Trivy.
• A Software Bill of Materials (SBOM) generation job.
• Conditional logic to upload the scan results to the GitHub Security tab (example) and the SBOM as a build artifact. The upload can be triggered automatically on pushes to main or manually via a workflow_dispatch event.

Rationale

The primary motivation for this change is to meet the vulnerability identification requirements outlined in this cycle's SSDLC policy for our GitHub Runner product. This workflow automates the required security scans directly within our CI pipeline.

Why a Dedicated Workflow?

While the existing integration_tests workflow includes a Trivy scan, a dedicated security workflow was because security scanning is a distinct concern from integration testing. Decoupling them allows for more focused, maintainable, and independent jobs that can be triggered separately if needed.

Why Not in operator-workflows (Yet)?

The current SSDLC requirements are specifically targeting the GitHub Runner product. The goal is to first implement and refine this security automation for the runner. Once the process is fully ironed out and proven effective, we can then look at generalizing this workflow and moving it to operator-workflows for all our projects to benefit from, especially as SSDLC requirements expand.

Checklist

• The charm style guide was applied.
• The contributing guide was applied.
• The changes are compliant with ISD054 - Managing Charm Complexity
• The documentation for charmhub is updated.
• The PR is tagged with appropriate label (urgent, trivial, complex).
• The changelog is updated with changes that affects the users of the charm.
• The application version number is updated in github-runner-manager/pyproject.toml.

[github-actions]

license-eye has checked 311 files.

Valid	Invalid	Ignored	Fixed
62	1	248	0

Click to see the invalid file list

• trivy.yaml

Use this command to fix any missing license headers

```bash

docker run -it --rm -v $(pwd):/github/workspace apache/skywalking-eyes header fix

</details>

[arturo-seijas]

I would recommend pinning the actions to an exact version and rely on renovate to update them so that workflows are not impeding reusable builds

[srbouffard]

What should be the recommended approach with regards to the renovate config?
From what I have read the default renovate behavior is to pickup Github workflow files. Is there anything specific I need adjust in our renoate.json?

[srbouffard]

Ah ok, I see now ;) Updated the versions to exact versions to make sure renovate will pick them up

[arturo-seijas]

Same here

[srbouffard]

Done

[arturo-seijas]

Same here

[srbouffard]

Done

[arturo-seijas]

Same here

[srbouffard]

Done

[arturo-seijas]

I don't see where this value might change so, why the env variable?

[srbouffard]

You are right, it serves nothing here. My initial thoughts was as a quick and "global" way to control the default upload behavior on the various jobs/steps. Using workflow_dispatch and workflow_call provides these global inputs and controls but having the workflow trigger on pushes and PRs, did not offer an inputs section.

I can remove it. But I have a followup question, what is the "upload" behavior you would expect when it's a "push to main", push to branch and a PR?

The Github security tab supports listing security events per branch so doing on upload on pushes to branch and PRs does not pollute anything or cause much noise.

[arturo-seijas]

Is there any reason for not defining this workflow as part of the operator workflows? It would be simpler to reuse by other repositories

[srbouffard]

100% with you on that and that is the longterm goal with this workflow.
The idea behind why I didn't go that route strait away was that the current SSDLC requirements are specifically targeting the GitHub Runner product.

• The goal is to first implement and refine this security automation for the runner. Once the process is fully ironed out and proven effective (meets the requirements of the SSDLC process), we can then look at generalizing this workflow and moving it to operator-workflows for all our projects to benefit from, especially as SSDLC requirements expand.
• Also, the workflow currently only does a fs scan, but I would want it to be more robust and support scanning a charm, rocks. Similar to what the data-platform team have done on their side.
• Then there is the whole vulnerability response aspect that I think needs to be ironed out before we propagate the security checks to other project.

Does that make any sense, or you think it would still be more worthwhile to start directly within the operator-workflow?

[arturo-seijas]

I don't see a license header in this file, not sure why

[srbouffard]

Added the license header to the new workflow file. Seems that the whole of github folder is configured to be ignored for the license check

[github-actions]

TICS Quality Gate

❌ Failed

The following errors have occurred during analysis:

❌ [ERROR 5333] Project database 'github-runner-operator' already is connected to a started TICSQServer process that has not registered a stop time. To avoid data corruption, analysis is aborted. Details of the other TICSQServer process: started at 2025-07-09 14:32:08.000 by user ubuntu.

.github/workflows/tics.yaml / TICS / TICS GitHub Action