ci: add trivy container vulnerability scanning pre-merge #399

Open
jay7-tech wants to merge 1 commit into drasi-project:main from jay7-tech:feature/gsoc-trivy-scan
Conversation

@jay7-tech
Description

The build-test workflow currently builds 30+ microservices for E2E testing without running a dedicated container vulnerability scan. High/Critical CVEs inherited from base images could merge undetected.

This PR adds local aquasecurity/trivy-action scanning directly within the build-images matrix. It scans the generated .tar artifacts for CRITICAL or HIGH vulnerabilities across all variants and fails the action if any are found (where a fix is available).

Scanning the local tarball avoids registry push overhead, securing the build phase with negligible latency cost.

Type of change

  • This pull request adds or changes features of Drasi and has an approved issue (issue link required).
  • This pull request is a minor refactor, code cleanup, test improvement, or other maintenance task and doesn't change the functionality of Drasi (issue link optional).

Fixes: N/A (Infrastructure Proactive Patch)

@jay7-tech jay7-tech requested a review from a team as a code owner February 23, 2026 07:49
Signed-off-by: jay7tech <jayadeepgowda24@gmail.com>
@jay7-tech jay7-tech force-pushed the feature/gsoc-trivy-scan branch from 69881c1 to 7b1cbe3 February 23, 2026 07:51
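The scanning step the description outlines, written out as an added illustrative GitHub Actions fragment. This is not the PR's own diff (which is not shown on this page) and not Drasi's workflow; the job name, matrix entries, image tags, Dockerfile paths and the action version pin are assumptions made for the example. The trivy-action inputs it uses (`input`, `scan-type`, `severity`, `ignore-unfixed`, `exit-code`, `format`) are the action's documented inputs, and `input` is what lets the scan run against a local `docker save` tarball instead of a registry reference.

```yaml
# Illustrative fragment (added example, not the PR's diff): build each image,
# export it as a tarball, and gate the job on HIGH/CRITICAL findings that have a fix.
jobs:
  build-images:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # Assumed component names; the real matrix lists the project's own services.
        image: [query-container, source-container]
    steps:
      - uses: actions/checkout@v4

      - name: Build image and export it as a tarball
        run: |
          # Assumed Dockerfile layout: one directory per component.
          docker build -t drasi/${{ matrix.image }}:ci -f ${{ matrix.image }}/Dockerfile .
          docker save -o ${{ matrix.image }}.tar drasi/${{ matrix.image }}:ci

      - name: Scan the tarball for HIGH/CRITICAL vulnerabilities with a fix available
        # Assumed release tag; in practice pin to a full commit SHA.
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: image
          input: ${{ matrix.image }}.tar      # scan the local tar; nothing is pushed to a registry
          severity: CRITICAL,HIGH
          ignore-unfixed: true                 # only findings with an available fix fail the job
          exit-code: '1'                       # non-zero exit fails this matrix leg
          format: table
```

Two caveats a reviewer would raise on this configuration. `ignore-unfixed: true` is what makes "fails ... where a fix is available" true, but it also means an exploitable CRITICAL with no upstream patch passes silently; if that is undesirable, drop the flag and manage exceptions with a `.trivyignore` file instead. Each matrix leg also runs its own scan and its own vulnerability-database fetch, so the "negligible latency" claim should be checked against the actual matrix size rather than assumed.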