Feat/1054 feature testing trivy #1093
📝 Walkthrough: Adds a GitHub Actions workflow that runs Trivy on pull requests and a repository-level .trivyignore listing one CVE to be excluded; the workflow checks out the repo, runs Trivy in filesystem mode, outputs JSON, and fails the job when vulnerabilities are found.
Sequence Diagram(s)
sequenceDiagram
autonumber
actor Dev as Developer
participant GH as GitHub
participant R as Runner (ubuntu-latest)
participant CO as actions/checkout@v4
participant TV as aquasecurity/[email protected]
Dev->>GH: Open or update PR
GH-->>R: Trigger "build" workflow
R->>CO: Checkout repository
CO-->>R: Repository fetched
R->>TV: Run Trivy (scan-type=fs, format=json, trivyignores=.trivyignore)
Note right of TV: Reads `.trivyignore` (contains CVE-2025-48924)
TV-->>R: Exit code (0 = no vulns, 1 = vulns)
alt Exit code 0
R-->>GH: Report success
else Exit code 1
R-->>GH: Mark job failed (PR check fails)
end
Actionable comments posted: 2
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/trivy.yml
4-4: string should not be empty
(syntax-check)
🔇 Additional comments (1)
.github/workflows/trivy.yml (1)
8-10: Confirm runner availability
`ubuntu-24.04` is still in preview and not enabled by default for all orgs. Jobs may queue indefinitely or fail. Switch to `ubuntu-latest` or confirm that 24.04 is permitted in your org settings.
Actionable comments posted: 1
🔇 Additional comments (2)
.github/workflows/trivy.yml (2)
2-4: Trigger section fixed – looks good. You removed the empty `branches:` array and aligned `pull_request:` correctly, resolving the actionlint error flagged earlier.
No further issues here.
6-7: I’ll verify whether `ubuntu-24.04` is still marked as beta on GitHub’s hosted runners. [web_search]
site:docs.github.com ubuntu-24.04 GitHub hosted runners
Actionable comments posted: 1
♻️ Duplicate comments (1)
.github/workflows/trivy.yml (1)
12-20: Still missing `scan-type` & `cache` parameters. Prior feedback suggested adding `scan-type: image` for explicitness and `cache: true` for ~2× faster subsequent runs, but they are still absent.
- name: Run Trivy vulnerability scanner in Image mode uses: aquasecurity/[email protected] with: + scan-type: image # explicit, avoids confusion image-ref: 'ghcr.io/it-at-m/refarch-templates/refarch-backend:dev' format: 'table' exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' + cache: true # reuse vulnerability DB, speeds up CI
Actionable comments posted: 1
♻️ Duplicate comments (1)
.github/workflows/trivy.yml (1)
7-7: Runner label still not GA – workflow may never start
`ubuntu-24.04` isn’t yet available on GitHub-hosted runners. Workflows will stay in the “queued” state once merged (or require a self-hosted runner). Use a GA label such as `ubuntu-latest` or `ubuntu-22.04`. This is the same concern raised in a previous review and is still unresolved.
Actually, all of this needs to be moved out into https://github.com/it-at-m/lhm_actions
Actionable comments posted: 7
♻️ Duplicate comments (1)
.github/workflows/trivy.yml (1)
12-17: Fix step name ↔ scan-type mismatch and drop superfluous quoting. The step says “Image mode” but runs fs scan; also quotes aren’t needed.
Apply:
- - name: Run Trivy vulnerability scanner in Image mode + - name: Run Trivy vulnerability scanner in FS mode uses: aquasecurity/[email protected] with: - scan-type: 'fs' - format: 'table' - exit-code: '1' + scan-type: fs + format: table + exit-code: 1
Actionable comments posted: 2
♻️ Duplicate comments (7)
.github/workflows/trivy.yml (7)
12-17: Step name says “Image mode” but you scan FS; drop quotes for cleanliness. Align label with scan-type and remove superfluous quoting.
- - name: Run Trivy vulnerability scanner in Image mode + - name: Run Trivy vulnerability scanner in FS mode uses: aquasecurity/[email protected] with: - scan-type: 'fs' - format: 'table' - exit-code: '1' + scan-type: fs + format: table + exit-code: 1
15-18: Gate on actionable issues; enable broader scanners and cache. Tighten signal and speed up CI.
scan-type: fs - format: table - exit-code: 1 - trivyignores: '.github/.trivyignore' + format: table + exit-code: 1 + severity: HIGH,CRITICAL + ignore-unfixed: true + scanners: vuln,secret,misconfig + cache: true + trivyignores: '.github/.trivyignore'
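Review bot: adding `scanners: vuln,secret,misconfig` to the same step that carries `exit-code: 1` widens the gate beyond CVEs: any HIGH/CRITICAL misconfiguration finding and any detected secret will now fail the PR check as well, and `ignore-unfixed: true` only filters vulnerabilities, not secret or misconfig results. Say so in the step name or a comment so the team expects failures from those scanners, and check that the `.trivyignore` referenced by `trivyignores:` also lists the misconfiguration or secret rule IDs that are meant to be tolerated.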
13-13: Pin the action to a commit SHA (supply-chain hardening). Replace the tag with the release commit SHA.
- uses: aquasecurity/[email protected] + uses: aquasecurity/trivy-action@<commit-sha-for-desired-release>
What is the latest stable commit SHA for aquasecurity/trivy-action, and which release tag does it correspond to?
1-4: Triggers: add push (deps), schedule, manual — aligns with PR discussion. Covers “run on main” and “on new dependency” asks.
name: build on: - pull_request: + pull_request: + branches: ['**'] + types: [opened, synchronize, reopened, ready_for_review] + push: + branches: [main] + paths: + - '**/package-lock.json' + - '**/pnpm-lock.yaml' + - '**/yarn.lock' + - '**/pom.xml' + - '**/build.gradle*' + - '**/gradle.lockfile' + - '**/go.mod' + - '**/go.sum' + - '**/requirements*.txt' + - '**/Pipfile.lock' + schedule: + - cron: '0 2 * * 1' + workflow_dispatch:
1-7: Harden workflow: least-privilege, concurrency, timeout. Prevents privilege creep and hanging runs.
on: pull_request: +permissions: + contents: read + +concurrency: + group: trivy-${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true jobs: build: name: Trivy Check runs-on: ubuntu-latest + timeout-minutes: 20
12-17: Optional: publish SARIF to Security tab while keeping gating step. Adds history and annotations without weakening the gate.
- name: Generate Trivy SARIF (no gate)
  uses: aquasecurity/trivy-action@<pinned-sha>
  with:
    scan-type: fs
    format: sarif
    output: trivy-results.sarif
    severity: HIGH,CRITICAL
    ignore-unfixed: true
    scanners: vuln,secret,misconfig
    cache: true
    exit-code: 0
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: trivy-results.sarif
1-19: Consider centralizing Trivy as a composite action in lhm_actions. Improves reuse and consistency across repos.
Example consumer:
- name: Trivy FS scan
  uses: it-at-m/lhm_actions/trivy-scan@v1
  with:
    scan-type: fs
    severity: HIGH,CRITICAL
    ignore-unfixed: true
    exit-code: 1
    trivyignores: .github/.trivyignore
Actionable comments posted: 2
♻️ Duplicate comments (6)
.github/workflows/trivy.yml (6)
12-17: Step name ↔ scan type mismatch; tighten inputs and drop superfluous quotes. Rename to reflect fs scan; add severity gating, enable cache, and remove unnecessary quotes.
- - name: Run Trivy vulnerability scanner in Image mode - uses: aquasecurity/[email protected] + - name: Run Trivy vulnerability scanner in FS mode + uses: aquasecurity/[email protected] with: - scan-type: 'fs' - format: 'table' - exit-code: '1' + scan-type: fs + format: table + exit-code: 1 + severity: HIGH,CRITICAL + ignore-unfixed: true + scanners: vuln,secret,misconfig + cache: true
18-18: Broken ignore-file path: points to filesystem root. '/.trivyignore' won’t exist on the runner; use the actual repo path added in this PR.
- trivyignores: '/.trivyignore' + trivyignores: '.github/workflows/.trivyignore'
12-18: Optional: publish SARIF to Security tab while keeping gate. Keeps the first step as the gate; add a non-gating SARIF run and upload.
- name: Run Trivy vulnerability scanner in FS mode uses: aquasecurity/trivy-action@f9424c1 with: scan-type: fs format: table exit-code: 1 severity: HIGH,CRITICAL ignore-unfixed: true scanners: vuln,secret,misconfig cache: true trivyignores: .github/workflows/.trivyignore + + - name: Generate Trivy SARIF (no gate) + uses: aquasecurity/trivy-action@f9424c1 + with: + scan-type: fs + format: sarif + output: trivy-results.sarif + severity: HIGH,CRITICAL + ignore-unfixed: true + scanners: vuln,secret,misconfig + cache: true + trivyignores: .github/workflows/.trivyignore + exit-code: 0 + + - name: Upload SARIF + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: trivy-results.sarif
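Review bot: `aquasecurity/trivy-action@f9424c1` pins to a 7-character abbreviated SHA; GitHub's hardening guidance is to pin third-party actions to the full 40-character commit SHA, because a short prefix is not guaranteed to stay unique and is not the form the pinning tooling expects. Use `uses: aquasecurity/trivy-action@<full-40-char-sha> # v0.33.0` (placeholder, fill in the real commit) in both steps, and note that `github/codeql-action/upload-sarif@v3` in the same hunk is still a floating tag.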
5-7: Set a job timeout. Avoids hanging CI on network/DB stalls.
jobs: build: name: Trivy Check runs-on: ubuntu-latest + timeout-minutes: 20
1-4: Add least-privilege permissions and concurrency. Prevents privilege creep and cancels redundant runs.
on: pull_request: +permissions: + contents: read + # security-events: write # only if uploading SARIF + +concurrency: + group: trivy-${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true
1-4: Triggers don’t match PR objectives; add push + schedule + manual. Aligns with comments: run on main (dependency changes) and on a schedule, keep PR scans.
name: build on: - pull_request: + pull_request: + branches: ['**'] + types: [opened, synchronize, reopened, ready_for_review] + push: + branches: [main] + paths: + - '**/package-lock.json' + - '**/pnpm-lock.yaml' + - '**/yarn.lock' + - '**/pom.xml' + - '**/build.gradle*' + - '**/gradle.lockfile' + - '**/go.mod' + - '**/go.sum' + - '**/requirements*.txt' + - '**/Pipfile.lock' + schedule: + - cron: '0 2 * * 1' # weekly Mon 02:00 UTC + workflow_dispatch:
🔇 Additional comments (1)
.github/workflows/trivy.yml (1)
13-13: Pin Trivy Action to a specific commit SHA
Replace the version tag with the exact commit SHA to prevent tag hijacks:
- uses: aquasecurity/[email protected] + uses: aquasecurity/trivy-action@<commit-sha> # pin to the exact release commit
.github/workflows/trivy.yml:13
Actionable comments posted: 1
♻️ Duplicate comments (7)
.github/.trivyignore (1)
1-1: Don’t blanket-ignore a CVE; add rationale + expiry or use a policy. Document why this CVE is safe and timebox the exception, or move to a scoped .trivyignore.yaml. Apply minimal inline annotation:
-CVE-2025-48924 +# reason: "<why safe>"; added: 2025-09-04; review-by: 2025-12-01; owner: "<team>" +# scope: "<package-name>@<version>" # optional, narrow the exception +CVE-2025-48924
Stronger alternative (scoped, expirable) — create .github/.trivyignore.yaml:
ignore:
  - vulnerabilityID: CVE-2025-48924
    reason: "<why safe>"
    expiresOn: "2025-12-01"
    package:
      name: "<package-name>"
      # version: "<affected-version>"
Then reference it from the workflow with args: --ignore-policy .github/.trivyignore.yaml.
.github/workflows/trivy.yml (6)
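Review bot: `args: --ignore-policy .github/.trivyignore.yaml` hands a YAML ignore list to an option that takes a Rego policy file, so Trivy will not read the exceptions through it. A YAML ignore file is supplied via Trivy's ignore-file option (`--ignorefile`, or `TRIVY_IGNOREFILE` in the step's `env:`), it must keep a `.yaml`/`.yml` extension because Trivy picks the YAML parser by extension, and Trivy's documented layout is `vulnerabilities:` entries with `id`, `statement`, `expired_at` and optional `paths`/`purls`, not `ignore:`/`vulnerabilityID`/`reason`/`expiresOn`. The expiry idea is the right one; the keys and the flag need to change for it to take effect.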
1-19: Centralize scanning logic in lhm_actions composite action. Abstract Trivy invocation (inputs: scan-type, severity, ignore-unfixed, cache, output mode, exit code) and reuse here; aligns with reviewer guidance and reduces drift across repos.
1-4: Trigger strategy: add push (deps), schedule, and manual; rename workflow. Aligns with discussion: scan PRs, weekly on main, and on dependency changes.
-name: build +name: security: trivy fs scan on: - pull_request: + pull_request: + branches: ['**'] + types: [opened, synchronize, reopened, ready_for_review] + push: + branches: [main] + paths: + - '**/package-lock.json' + - '**/pnpm-lock.yaml' + - '**/yarn.lock' + - '**/pom.xml' + - '**/build.gradle*' + - '**/gradle.lockfile' + - '**/go.mod' + - '**/go.sum' + - '**/requirements*.txt' + - '**/Pipfile.lock' + schedule: + - cron: '0 2 * * 1' # weekly Monday 02:00 UTC + workflow_dispatch: + +permissions: + contents: read + security-events: write # needed only if uploading SARIF (see below) + +concurrency: + group: trivy-${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true
6-7: Set a job timeout to avoid hanging CI.
jobs: build: name: Trivy Check runs-on: ubuntu-latest + timeout-minutes: 20
12-18: Fix step name vs scan-type; tighten scope; speed up; cache DB. Rename step (it’s FS scan), drop needless quotes, gate on HIGH,CRITICAL, ignore unfixed, enable secret/misconfig scanners, and cache DB.
- - name: Run Trivy vulnerability scanner in Image mode - uses: aquasecurity/[email protected] + - name: Run Trivy vulnerability scanner in FS mode + uses: aquasecurity/[email protected] with: - scan-type: 'fs' - format: 'table' - exit-code: '1' - trivyignores: '.github/.trivyignore' + scan-type: fs + format: table + exit-code: 1 + severity: HIGH,CRITICAL + ignore-unfixed: true + scanners: vuln,secret,misconfig + cache: true + trivyignores: .github/.trivyignore
12-18: Optional: publish SARIF to Security tab (keep gate in first step). Add after the gating step:
- name: Generate Trivy SARIF (no gate)
  uses: aquasecurity/[email protected]
  with:
    scan-type: fs
    format: sarif
    output: trivy-results.sarif
    severity: HIGH,CRITICAL
    ignore-unfixed: true
    scanners: vuln,secret,misconfig
    cache: true
    exit-code: 0
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: trivy-results.sarif
Ensure top-level permissions.security-events: write is present.
12-14: Pin Trivy Action to specific commit SHA
Avoid tag drift; use the exact commit from release v0.33.0 (Aug 27, 2025).
- uses: aquasecurity/[email protected] + uses: aquasecurity/trivy-action@f9424c1
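The thread keeps circling the same three workflow inputs: a severity filter, `ignore-unfixed`, and an ignore file with a reason and an expiry, with `exit-code: 1` turning what survives into a failed PR check. The script below is an added example, not code from this PR, from CodeRabbit, or from Trivy itself; it reproduces that gate outside CI on a Trivy-shaped JSON report so a time-boxed exception can be checked before it ships. The report is constructed in the shape of Trivy's JSON output (`Results[].Vulnerabilities[]`); the ignore file uses the keys of Trivy's YAML ignore format (`vulnerabilities` / `id` / `statement` / `expired_at` / `paths`). Trivy applies such a file on its own; the matching here is this example's simplified reading of those keys, and the package names, versions, dates and the two `CVE-EXAMPLE-*` IDs are placeholders.

```python
"""Severity-gate a Trivy JSON report with an expiring, reasoned ignore file.

Added example, not from the PR, CodeRabbit or Trivy. Mirrors what the
workflow's `severity`, `ignore-unfixed`, ignore-file and `exit-code: 1`
inputs do, so an exception and its expiry can be tried locally.
"""
import json
from datetime import date
from fnmatch import fnmatch

# Constructed report in Trivy's JSON layout (not real scan output).
# CVE-2025-48924 is the ID from the PR's .trivyignore; everything else
# (packages, versions, the CVE-EXAMPLE-* IDs) is a placeholder.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "refarch-backend/pom.xml",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2025-48924", "PkgName": "placeholder-lib-a",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.1.0", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "placeholder-lib-b",
             "InstalledVersion": "2.0.0", "FixedVersion": "2.0.1", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "placeholder-lib-c",
             "InstalledVersion": "3.0.0", "FixedVersion": "", "Severity": "CRITICAL"},
        ],
    }],
})

# Constructed ignore file using Trivy's YAML ignore keys; date and statement
# are placeholders. `paths` scopes the exception to one part of the tree.
SAMPLE_IGNORE = {
    "vulnerabilities": [
        {"id": "CVE-2025-48924",
         "statement": "placeholder: affected code path not reachable in this service",
         "expired_at": "2025-12-01",
         "paths": ["refarch-backend/*"]},
    ]
}


def active_ignores(ignore_file, today):
    """Entries whose expiry has not passed. Expired entries are dropped on
    purpose: that is what stops the exception from becoming permanent."""
    active = []
    for entry in ignore_file.get("vulnerabilities", []):
        expired_at = entry.get("expired_at")
        if expired_at and date.fromisoformat(str(expired_at)) < today:
            continue
        active.append(entry)
    return active


def is_ignored(vuln_id, target, entries):
    """True if an unexpired entry names this ID and, when scoped, matches the target."""
    for entry in entries:
        if entry["id"] != vuln_id:
            continue
        paths = entry.get("paths")
        if not paths or any(fnmatch(target, pattern) for pattern in paths):
            return True
    return False


def gate(report_json, ignore_file, *, severities=("HIGH", "CRITICAL"),
         ignore_unfixed=True, today=None):
    """Return (exit_code, findings). exit_code is 1 when a finding survives the
    severity filter, the ignore-unfixed filter and the ignore file, which is
    how the workflow's `exit-code: 1` fails the PR check. `today` may be a
    date or an ISO string; it defaults to the current date."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    entries = active_ignores(ignore_file, today)
    findings = []
    for result in json.loads(report_json).get("Results", []):
        target = result.get("Target", "")
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in severities:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            if is_ignored(vuln["VulnerabilityID"], target, entries):
                continue
            findings.append((target, vuln["VulnerabilityID"],
                             vuln["PkgName"], vuln["Severity"]))
    return (1 if findings else 0), findings


if __name__ == "__main__":
    code, found = gate(SAMPLE_REPORT, SAMPLE_IGNORE, today="2025-09-04")
    for target, vuln_id, pkg, sev in found:
        print(f"{sev:8} {vuln_id} in {pkg} ({target})")
    raise SystemExit(code)
```

Run before the expiry and the ignored CVE is silent while the other fixed HIGH finding still fails the gate; run after `expired_at` and CVE-2025-48924 reappears, which is the behaviour the review is asking the flat `.trivyignore` to gain. Swapping `ignore_unfixed=False` shows the unfixed CRITICAL finding coming back, the noise the `ignore-unfixed: true` suggestion removes.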
Actionable comments posted: 1
♻️ Duplicate comments (6)
.trivyignore (1)
1-1: Prefer expiring, reasoned ignores (policy file). Switch from flat ignore to a policy with reason/scope/expiry (e.g., .trivyignore.yaml) to prevent permanent suppression.
.github/workflows/trivy.yml (5)
12-16: Step name ≠ scan-type (confusing). Name says “Image mode” but scan-type is fs. Align name or set scan-type: image and provide image-ref.
15-17: Minor YAML polish. Quotes around simple scalars are unnecessary; drop them for consistency.
12-18: Hardening and CI hygiene (caching, timeouts, permissions, triggers).
- Enable Trivy DB cache for speed.
- Add job timeout.
- Add least‑privilege permissions + concurrency.
- Extend triggers (push on main/deps, schedule, manual) per PR discussion.
13-13: Pin action to commit SHA (supply‑chain hardening). Replace tag with the release commit SHA.
12-18: Broken ignore file path blocks the job. Trivy fails with “cannot find ignorefile '/.trivyignore'” because the path is absolute. Use repo‑relative path.
Apply:
- name: Run Trivy vulnerability scanner in Image mode uses: aquasecurity/[email protected] with: scan-type: 'fs' format: 'table' exit-code: '1' - trivyignores: '/.trivyignore' + trivyignores: '.trivyignore'
🧰 Additional context used
🪛 GitHub Actions: build
.trivyignore
[error] 1-1: Trivy: cannot find ignorefile '/.trivyignore'. Entry point 'entrypoint.sh' failed (exit code 1).
Actionable comments posted: 2
♻️ Duplicate comments (8)
.github/workflows/trivy.yml (8)
1-1: Rename workflow for clarity in checks/badges. “build” is generic; make it obvious this is Trivy.
-name: build +name: security: trivy fs scan
2-4: Broaden triggers: PR + push (deps), schedule, manual. Aligns with earlier guidance and the discussion about cadence and dependency changes.
on: - pull_request: + pull_request: + branches: + - '**' + types: [opened, synchronize, reopened, ready_for_review] + push: + branches: [main] + paths: + - '**/package-lock.json' + - '**/pnpm-lock.yaml' + - '**/yarn.lock' + - '**/pom.xml' + - '**/build.gradle*' + - '**/gradle.lockfile' + - '**/go.mod' + - '**/go.sum' + - '**/requirements*.txt' + - '**/Pipfile.lock' + schedule: + - cron: '0 2 * * 1' # weekly Monday 02:00 UTC + workflow_dispatch:
5-7: Add a job timeout to avoid hanging CI. Trivy DB/network stalls can leave runs stuck.
jobs: build: name: Trivy Check runs-on: ubuntu-latest + timeout-minutes: 20
12-18: Step name ↔ scan-type mismatch and superfluous quoting. Name says “Image mode” but you’re scanning filesystem; also quotes are unnecessary.
- - name: Run Trivy vulnerability scanner in Image mode - uses: aquasecurity/[email protected] + - name: Run Trivy vulnerability scanner in FS mode + uses: aquasecurity/[email protected] with: - scan-type: 'fs' - format: 'table' - exit-code: '1' - trivyignores: '.trivyignore' + scan-type: fs + format: table + exit-code: 1 + trivyignores: .trivyignore
12-18: Gate on actionable issues and speed up scans. Add severity filter, ignore unfixed, enable extra scanners, and cache the DB.
with: scan-type: fs - format: table - exit-code: 1 - trivyignores: .trivyignore + format: table + exit-code: 1 + severity: HIGH,CRITICAL + ignore-unfixed: true + scanners: vuln,secret,misconfig + cache: true + trivyignores: .trivyignore
2-4: Harden defaults: least-privilege permissions + cancel redundant runs. Prevents privilege creep and saves CI minutes.
on: pull_request: +permissions: + contents: read + # security-events: write # only if you add SARIF upload step + +concurrency: + group: trivy-${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true
12-18: Pin aquasecurity/trivy-action to an exact commit (v0.33.1 — b6643a2, 2025-09-16)
Replace the floating tag with the release commit SHA to avoid unexpected updates.
- uses: aquasecurity/[email protected] + uses: aquasecurity/trivy-action@b6643a2
12-18: Prefer expiring ignore policy over flat .trivyignore. Structured YAML with reason/expiry reduces silent drift.
- trivyignores: .trivyignore + args: --ignore-policy .github/.trivyignore.yaml
Create .github/.trivyignore.yaml with entries: id/CVE, reason, expires, path scope.
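Review bot: `trivy-action@b6643a2` is again a 7-character abbreviated SHA. Pin to the full 40-character commit SHA and keep the release as a trailing comment (`@<full-40-char-sha> # v0.33.1`, placeholder to be filled from the release page), so the reference is unambiguous and the intended version stays readable in the file.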
Actionable comments posted: 1
♻️ Duplicate comments (8)
.github/workflows/trivy.yml (8)
12-16: Step name ↔ scan-type mismatch; fix naming and drop superfluous quoting. The step says “Image mode” but runs `scan-type: fs`.
- - name: Run Trivy vulnerability scanner in Image mode + - name: Run Trivy vulnerability scanner in FS mode uses: aquasecurity/[email protected] with: - scan-type: 'fs' - format: 'json' + scan-type: fs + format: json
5-7: Set a job timeout to avoid hung runs. Long network/DB pulls can stall CI.
jobs: build: name: Trivy Check runs-on: ubuntu-latest + timeout-minutes: 20
1-4: Broaden triggers to match the PR intent (PR + main schedule + dep changes + manual). Only `pull_request` is wired. Add push-on-main with dependency file paths, a weekly schedule, and manual dispatch. Also rename workflow for clarity. Apply:
-name: build -on: - pull_request: +name: security: trivy fs scan +on: + pull_request: + branches: + - '**' + types: [opened, synchronize, reopened, ready_for_review] + push: + branches: [main] + paths: + - '**/package-lock.json' + - '**/pnpm-lock.yaml' + - '**/yarn.lock' + - '**/pom.xml' + - '**/build.gradle*' + - '**/gradle.lockfile' + - '**/go.mod' + - '**/go.sum' + - '**/requirements*.txt' + - '**/Pipfile.lock' + schedule: + - cron: '0 2 * * 1' # Mon 02:00 UTC + workflow_dispatch: + +permissions: + contents: read + security-events: write # if you upload SARIF later + +concurrency: + group: trivy-${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true
18-18: Prefer expiring ignore policy over flat .trivyignore. Move to `.github/.trivyignore.yaml` with reason and expiry to avoid permanent blind spots.
- trivyignores: '.trivyignore' + args: --ignore-policy .github/.trivyignore.yaml
I can provide a starter `.trivyignore.yaml` if you want.
12-18: Optional: publish findings to Security tab (SARIF), even on failures. Keep the first step as the gate; add a non-gating SARIF run and upload. Ensure they run with `if: always()`.
+ - name: Generate Trivy SARIF (no gate) + uses: aquasecurity/[email protected] + if: always() + with: + scan-type: fs + format: sarif + output: trivy-results.sarif + severity: HIGH,CRITICAL + ignore-unfixed: true + scanners: vuln,secret,misconfig + cache: true + exit-code: 0 + + - name: Upload SARIF + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: trivy-results.sarif
Note: top-level permissions already added in a previous comment.
13-18: Gate on actionable severities, enable additional scanners, cache DB, and write output. Failing on any severity is noisy; also enable secret/misconfig and cache to speed up. Persist JSON to an artifact.
- name: Run Trivy vulnerability scanner in FS mode - uses: aquasecurity/[email protected] + uses: aquasecurity/[email protected] with: scan-type: fs - format: json - exit-code: '1' + format: table + severity: HIGH,CRITICAL + ignore-unfixed: true + scanners: vuln,secret,misconfig + cache: true + exit-code: 1 + output: trivy-results.json trivyignores: '.trivyignore' + + - name: Upload Trivy JSON artifact + uses: actions/upload-artifact@v4 + if: always() + with: + name: trivy-results + path: trivy-results.json
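Review bot: this hunk swaps `format: json` for `format: table` while still writing `output: trivy-results.json` and uploading it as the `trivy-results` artifact, so the artifact will hold a text table under a `.json` name. Either keep `format: json` if the artifact is meant for machine consumption, or rename the output file and artifact to match the table. Note also that once `output:` is set, the report goes to the file instead of the job log, so the reason for a failed check is no longer visible in the PR without opening the artifact.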
9-10: Pin actions/checkout@v4 to the recommended v4 commit SHA. Supply‑chain hardening — use SHA 08eba0b27e820071cde6df949e0beb9ba4906955 (current v4 pin).
File: .github/workflows/trivy.yml (lines 9–10)
- - name: Checkout code - uses: actions/checkout@v4 + - name: Checkout code + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955
12-13: Pin aquasecurity/trivy-action to the release commit (v0.33.1, b6643a2). Update .github/workflows/trivy.yml (lines 12–13):
- uses: aquasecurity/[email protected] + uses: aquasecurity/trivy-action@b6643a2
hupling
left a comment
It’ll be fine.
…4-feature-testing-trivy
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In @.github/workflows/trivy.yml:
- Around line 22-27: Update the "Upload Vulnerability Scan Results" step so the
actions/upload-artifact action is pinned to the provided commit SHA instead of
the floating tag; replace uses: actions/upload-artifact@v4 with uses:
actions/upload-artifact@ea165f8 in that workflow step to match the other pinned
actions and improve supply-chain consistency.
♻️ Duplicate comments (1)
.github/workflows/trivy.yml (1)
12-20: Trivy configuration looks solid. The step correctly:
- Uses filesystem scan mode matching the step name
- Pins the action to a commit SHA for supply-chain security
- Sets `exit-code: "1"` to fail the build on findings
- References the `.trivyignore` file
Consider adding `severity: 'HIGH,CRITICAL'` and `cache: true` to filter actionable issues and speed up subsequent runs, as suggested in earlier reviews.
🔇 Additional comments (1)
.github/workflows/trivy.yml (1)
9-10: Well done pinning actions/checkout to a commit SHA. Supply-chain hardening via SHA pinning is correctly applied here. The version comment `# v4.3.1` aids maintainability.
| - name: Upload Vulnerability Scan Results | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: trivy-report | ||
| path: trivy-report.txt | ||
| retention-days: 1 No newline at end of file |
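Review bot: `retention-days: 1` discards the scan report a day after the run, which is shorter than the time a failed PR check typically waits for someone to look at it; a week, as a later comment in this thread asks for, keeps the evidence available while the findings are triaged. The file also ends without a trailing newline (`No newline at end of file`); add one so the last line is a complete line for linters and future diffs.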
🧹 Nitpick | 🔵 Trivial
🧩 Analysis chain
🏁 Script executed:
cat .github/workflows/trivy.yml
Repository: it-at-m/refarch-templates
Length of output: 823
🌐 Web query:
latest commit SHA actions/upload-artifact v4
💡 Result:
Do you mean the Git commit SHA for the latest published v4 tag (e.g., v4.12.0) of actions/upload-artifact, or the SHA of the repository's main branch commit that implements v4? Which exact reference do you want?
🌐 Web query:
actions/upload-artifact v4 latest release commit SHA github
💡 Result:
The latest v4 release is v4.6.2 — commit SHA (short): ea165f8. [1][2]
Sources:
- Release page for v4.6.2. [1]
- Releases list for actions/upload-artifact. [2]
Pin actions/upload-artifact to a commit SHA for consistency.
The workflow correctly pins actions/checkout and aquasecurity/trivy-action to commit SHAs, but actions/upload-artifact uses a floating tag @v4. This inconsistency weakens supply-chain hardening.
Update to:
uses: actions/upload-artifact@ea165f8
This pins to the latest v4 release (v4.6.2) and matches the security posture of the other pinned actions.
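The pinning recommendations in this thread can be checked mechanically rather than by eye. The script below is an added example, not code from this PR, from CodeRabbit or from any project's tooling: it reads the `uses:` references out of a workflow file and classifies each as a full 40-character commit SHA (what GitHub's hardening guidance asks for), an abbreviated SHA such as the 7-character `ea165f8`, `b6643a2` and `f9424c1` forms suggested in this thread, a floating tag or branch, or a repository-local action that needs no pin. The workflow text it runs on is constructed and only resembles the one under review; the checkout SHA is the one quoted earlier in the thread.

```python
"""Audit `uses:` references in a GitHub Actions workflow for SHA pinning.

Added example, not from the PR or CodeRabbit. Classifies every action
reference so a reviewer can see at a glance which steps are pinned to a
full commit SHA and which are still on a tag or an abbreviated SHA.
"""
import re

# Matches `uses: ref` (optionally as a `- uses:` list item) and captures the
# reference up to whitespace, quotes or a trailing `# comment`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?", re.MULTILINE)

# Constructed workflow text; not the PR's actual file.
SAMPLE_WORKFLOW = """\
name: build
on:
  pull_request:
jobs:
  build:
    name: Trivy Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
      - name: Run Trivy vulnerability scanner in FS mode
        uses: aquasecurity/trivy-action@b6643a2
        with:
          scan-type: fs
      - name: Upload Vulnerability Scan Results
        uses: actions/upload-artifact@v4
      - name: Local composite action
        uses: ./.github/actions/local-step
"""


def classify_ref(ref):
    """Classify one `uses:` reference by the form of its version part."""
    if ref.startswith("./"):
        return "local"            # ships with the repository; nothing to pin
    if "@" not in ref:
        return "unversioned"
    _, version = ref.rsplit("@", 1)
    if re.fullmatch(r"[0-9a-f]{40}", version):
        return "pinned-sha"       # full commit SHA: immutable reference
    if re.fullmatch(r"[0-9a-f]{7,39}", version):
        return "abbreviated-sha"  # prefix only: not guaranteed unique over time
    return "floating"             # tag or branch: can be moved by the maintainer


def audit_workflow(text):
    """Return [(ref, classification)] for every `uses:` in the workflow, in file order."""
    return [(m.group(1), classify_ref(m.group(1))) for m in USES_RE.finditer(text)]


def unpinned(text):
    """References a reviewer should flag: anything that is not a full SHA or local."""
    return [ref for ref, kind in audit_workflow(text)
            if kind not in ("pinned-sha", "local")]


if __name__ == "__main__":
    for ref, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{kind:16} {ref}")
    bad = unpinned(SAMPLE_WORKFLOW)
    print(f"{len(bad)} reference(s) need a full-SHA pin")
    raise SystemExit(1 if bad else 0)
```

The exit status makes the check usable as its own CI step or pre-commit hook; the classification is deliberately conservative, so a tag that happens to be seven or more hex characters would be reported as an abbreviated SHA and still flagged.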
| with: | ||
| name: trivy-report | ||
| path: trivy-report.txt | ||
| retention-days: 1 No newline at end of file |
I’d say one day of retention is very short. Please make it a week.
TBD
To be clarified: