Skip to content

feat(ci): real CodeQL + Trivy scanner configuration#3

Open
ashvinctrl wants to merge 1 commit into
mainfrom
feat/real-scanners
Open

feat(ci): real CodeQL + Trivy scanner configuration#3
ashvinctrl wants to merge 1 commit into
mainfrom
feat/real-scanners

Conversation

@ashvinctrl

Copy link
Copy Markdown
Owner

What was broken

Scanner Problem
CodeQL No config file — used bare default query set (minimal coverage). No permissions block so SARIF upload silently failed on private repos.
Trivy image @0.20.0 (2022). No exit-code so it never failed the build. No misconfig or secret scanning.
Trivy FS Did not exist — source code was never scanned for hardcoded secrets or misconfigured files.
safety check Deprecated.
bandit Reported everything but only failed on syntax errors (no severity threshold).

What changed

.github/codeql/codeql-config.yml (new)

  • Uses security-and-quality query suite: injection, SSRF, path traversal, insecure deserialization, etc.
  • Excludes src/tests and cache dirs from analysis

.trivyignore (new)

  • Placeholder file for suppressing accepted false positives (CVE IDs, one per line)

ci-cd.yml

  • security-scan job: added permissions block, CodeQL config reference, category param; added Trivy filesystem scan (secrets + misconfigs on source checkout, no Docker needed)
  • docker-build job: Trivy updated to @0.28.0, added exit-code: 1, severity: CRITICAL,HIGH, ignore-unfixed: true, scanners: vuln,secret,misconfig; both FS and image results go to separate SARIF categories in the Security tab
  • test job: safety replaced with pip-audit; bandit now uses -ll -ii (MEDIUM+ severity, MEDIUM+ confidence)

Security tab

After merge, GitHub Security → Code scanning will show three sources:

  1. CodeQL — Python security findings
  2. trivy-filesystem — hardcoded secrets / Dockerfile misconfigurations
  3. trivy-image — OS and app-layer CVEs in the built container

CodeQL:
- Add .github/codeql/codeql-config.yml using security-and-quality
  query suite (catches injection, SSRF, path traversal, etc.)
- Add permissions block (security-events: write) so SARIF upload
  works on private repos without silent failure
- Add category parameter for clean Security tab grouping

Trivy:
- Add filesystem scan (secrets + misconfigs) in security-scan job —
  runs on source checkout, no Docker needed
- Update image scan from @0.20.0 to @0.28.0
- Add exit-code: 1 so CRITICAL/HIGH CVEs actually fail the build
- Add severity: CRITICAL,HIGH gate with ignore-unfixed: true
- Add misconfig + secret scanners to image scan
- Add .trivyignore for suppressing accepted false positives
- Upload both FS and image scans to separate SARIF categories

Other:
- Replace deprecated safety check with pip-audit
- Add -ll -ii flags to bandit so it only fails on MEDIUM+ severity
  and MEDIUM+ confidence (reduces noise from low-severity findings)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant