
Implement Basic Trivy Scanning Workflow #251

@josecelano

Description


Parent Epic: #250 - Implement Automated Docker Image Vulnerability Scanning

Overview

Implement a GitHub Actions workflow that uses Trivy to scan Docker images for vulnerabilities. This initial implementation uses a hardcoded list of images and provides immediate security coverage while Phase 2 makes it dynamic.

Goals

  • Create GitHub Actions workflow for Trivy scanning
  • Scan all project Docker images for HIGH/CRITICAL vulnerabilities
  • Run scans on push, PR, and periodically
  • Fail builds when vulnerabilities are detected
  • Generate actionable vulnerability reports

Docker Images to Scan

Project-built (build first, then scan):

  1. torrust-tracker-deployer/provisioned-instance:latest
  2. torrust-tracker-deployer/ssh-server:latest

Third-party (direct scan):

  3. torrust/tracker:develop
  4. mysql:8.0
  5. grafana/grafana:11.4.0
  6. prom/prometheus:v3.0.1

Implementation Phases

Phase 1: Workflow File Creation

  • Create .github/workflows/docker-security-scan.yml
  • Configure workflow triggers (push to main, pull_request, schedule)
  • Set up job structure for parallel scanning

Phase 2: Project Image Scanning

  • Build provisioned-instance and ssh-server images
  • Run Trivy scanner on built images
  • Configure severity filter (HIGH, CRITICAL)

Phase 3: Third-Party Image Scanning

  • Scan torrust/tracker:develop
  • Scan mysql:8.0
  • Scan grafana/grafana:11.4.0
  • Scan prom/prometheus:v3.0.1

Phase 4: Results Upload

  • Generate SARIF format reports
  • Upload to GitHub Security tab
  • Configure exit-code: 1 for failures

Phase 5: Testing & Documentation

  • Test workflow on PR
  • Add workflow badge to README
  • Document in security guidelines

Acceptance Criteria

Quality Checks:

  • Workflow YAML passes yamllint
  • No syntax errors in workflow file

Functional Requirements:

  • All 6 images scanned successfully
  • Vulnerabilities displayed in GitHub Security tab
  • Build fails when HIGH/CRITICAL vulnerabilities found
  • Workflow runs on: push to main, PRs, weekly schedule
  • Badge shows workflow status in README

Testing:

  • Manual test: create PR to trigger workflow
  • Verify SARIF uploads to Security tab
  • Verify build fails with vulnerable image

Documentation:

  • README.md updated with workflow badge
  • Security documentation references workflow

Estimated effort: 2-4 hours

Full specification: docs/issues/implement-basic-trivy-scanning-workflow.md
