Implement H2O-3 Vulnerability Scanning Workflow

### Status

This issue tracks the design and implementation of an automated vulnerability scanning pipeline for H2O-3 artifacts and Docker images.

---

## Goal
Build a **centralized, automated vulnerability scanning solution** using Trivy that provides:

- Continuous security visibility  
- Compliance support (FedRAMP readiness)  
- Metrics for dashboards and alerts  
- Consolidated reporting for stakeholders  

---

## Scope

### Artifacts to Scan
#### H2O-3 Assemblies
Branches to include:
- `master`
- `rel-3.46.0`

Assemblies:
- Steam assembly  
- Main assembly  

#### Docker Images

| Image | Tags |
|---|---|
| `h2oai/h2o-open-source-k8s` | `latest`, `latest-security` |
| `h2oai/h2o-open-source-k8s-minimal` | `latest`, `latest-security` |

---

## Triggers
- Daily scheduled run (00:00 UTC)
- Manual run with configurable options:
  - Enable/disable Docker image scanning
  - Enable/disable assembly scanning
  - Skip Slack notifications (testing)
  - Skip Google Drive upload (testing)

---

## Proposed Architecture

Workflow will:
1. Build H2O-3 assemblies from target branches  
2. Generate temporary Docker images for scanning  
3. Run Trivy scans  
4. Generate reports in multiple formats  
5. Push metrics to Prometheus  
6. Publish results and send alerts  

---

## Expected Outputs

### Reports
- JSON scan reports  
- HTML human-readable reports  
- CSV reports  
- Consolidated Excel workbook  

### Integrations
- GitHub Security alerts  
- Prometheus + Grafana dashboards  
- Slack alerts to `#h2o-3-alerts`  
- Google Drive report storage  
- GitHub Actions artifact retention (30 days)  

---

## Required Secrets / Integrations
- AWS OIDC role for ECR access  
- Docker Hub credentials  
- Slack bot token  
- Twingate service key for internal Prometheus access  
- Google Drive service account (optional)  

---

## Acceptance Criteria
- [x] Daily automated scan workflow created  
- [x] Assemblies built and scanned successfully  
- [x] Docker images scanned successfully  
- [x] Metrics pushed to Prometheus Pushgateway  
- [x] Grafana dashboards show vulnerability metrics  
- [x] Slack notifications sent with scan summary  
- [x] Reports generated and stored as artifacts  
- [x] Workflow documentation added

Image	Tags
`h2oai/h2o-open-source-k8s`	`latest`, `latest-security`
`h2oai/h2o-open-source-k8s-minimal`	`latest`, `latest-security`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Implement H2O-3 Vulnerability Scanning Workflow #16762

Status

Goal

Scope

Artifacts to Scan

H2O-3 Assemblies

Docker Images

Triggers

Proposed Architecture

Expected Outputs

Reports

Integrations

Required Secrets / Integrations

Acceptance Criteria

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Implement H2O-3 Vulnerability Scanning Workflow #16762

Description

Status

Goal

Scope

Artifacts to Scan

H2O-3 Assemblies

Docker Images

Triggers

Proposed Architecture

Expected Outputs

Reports

Integrations

Required Secrets / Integrations

Acceptance Criteria

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions