
Conversation

andyatmiami
Contributor

@andyatmiami andyatmiami commented Sep 5, 2025

ℹ️ : NO GH ISSUE

This commit provides a basic GHA to enable Trivy FS scanning on the notebooks-v1 and notebooks-v2 branches. In order to support workflow_dispatch and cron triggers - this GHA needs to live on the default branch (main). But while the workflow lives on the main branch - it will only scan notebooks-v1 and/or notebooks-v2 branches depending on how it's invoked.

It scans from the root of repo and reports on CRITICAL or HIGH vulnerabilities that have fixes available. It will also scan for secrets. It will always exit with status code 0 and upload its results to the GitHub Security tab. Custom ruleId metadata is injected into the report to help differentiate whether reported findings originated in notebooks-v1 or notebooks-v2.

  • custom ruleId also ensures flagging a false positive in notebooks-v1 will not auto-apply to notebooks-v2 branch if similar vulnerabilities exist and vice-versa.

The workflow is configured to fire every Sunday at 6:00 AM UTC and also supports manually invoking it. I personally did not see any reason to run this on pull_requests and/or pushes to notebooks-v1 or notebooks-v2 branches as vulnerabilities could be disclosed / fixes made available at any time. Therefore, having it set on a weekly schedule as well as supported ad-hoc runs seems a reasonable way to manage.

Additionally, the build has an if: conditional to prevent the schedule runs from running on forks in an attempt to be a good/responsible github citizen.

@andyatmiami
Contributor Author

/ok-to-test

@google-oss-prow google-oss-prow bot added the area/ci area - related to ci label Sep 18, 2025
@andyatmiami andyatmiami force-pushed the ci/trivy-fs-scan branch 2 times, most recently from 32542fb to f99f030 Compare September 25, 2025 19:16
This commit provides a basic GHA to enable Trivy FS scanning on the notebooks-v1 and notebooks-v2 branches.  In order to support `workflow_dispatch` and `cron` triggers - this GHA needs to live on the default branch (`main`).  But while the workflow lives on the `main` branch - it will only scan `notebooks-v1` and/or `notebooks-v2` branches depending on how it's invoked.

It scans from the root of repo and reports on `CRITICAL`, `HIGH` or `MEDIUM` vulnerabilities that have fixes available.  It will also scan for secrets.  It will always exit with status code 0 and upload its results to the GitHub Security tab.  Custom ruleId metadata is injected into the report to help differentiate whether reported findings originated in `notebooks-v1` or `notebooks-v2`.
- custom `ruleId` also ensures flagging a false positive in `notebooks-v1` will not auto-apply to `notebooks-v2` branch if similar vulnerabilities exist and vice-versa.

The workflow is configured to fire every day at 6:00 AM UTC and also supports manually invoking it.  I personally did not see any reason to run this on pull_requests and/or pushes to `notebooks-v1` or `notebooks-v2` branches as vulnerabilities could be disclosed / fixes made available **at any time**.  Therefore, having it set on a daily schedule as well as supported ad-hoc runs seems a reasonable way to manage.

Additionally, the build has an `if:` conditional to prevent the `schedule` runs from running on forks in an attempt to be a good/responsible github citizen.

Signed-off-by: Andy Stoneberg <[email protected]>
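A workflow in the shape the description above lays out, as an added example rather than the file merged in this PR. The repository slug, the action versions, the matrix-over-branches strategy and the `jq` step that prefixes each `ruleId` with the scanned branch are assumptions about how the described behaviour could be implemented:

```yaml
name: trivy-security-scan

on:
  schedule:
    - cron: "0 6 * * *"          # every day at 06:00 UTC
  workflow_dispatch:
    inputs:
      branch:
        description: "Branch to scan on a manual run"
        type: choice
        options: [notebooks-v1, notebooks-v2]

permissions:
  contents: read
  security-events: write         # required to upload SARIF to the Security tab
jobs:
  trivy-fs:
    # scheduled runs are skipped on forks; the repository slug is an assumption
    if: github.event_name != 'schedule' || github.repository == 'kubeflow/notebooks'
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # schedule scans both branches; a manual run scans only the chosen one
        branch: ${{ github.event_name == 'schedule' && fromJSON('["notebooks-v1","notebooks-v2"]') || fromJSON(format('["{0}"]', inputs.branch)) }}
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ matrix.branch }}
      - name: Trivy filesystem scan (vulnerabilities and secrets)
        uses: aquasecurity/trivy-action@0.28.0   # version is an assumption
        with:
          scan-type: fs
          scan-ref: .
          scanners: vuln,secret
          severity: CRITICAL,HIGH,MEDIUM
          ignore-unfixed: true       # only findings that have a fix available
          format: sarif
          output: trivy.sarif
          exit-code: "0"             # findings never fail the job
      - name: Prefix every ruleId with the scanned branch
        # keeps v1 and v2 findings distinct, so dismissing one does not dismiss the other
        run: |
          jq --arg b "${{ matrix.branch }}" \
            '(.runs[].tool.driver.rules[].id) |= ($b + "/" + .)
             | (.runs[].results[].ruleId) |= ($b + "/" + .)' trivy.sarif > tagged.sarif
      - name: Upload results to the GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: tagged.sarif
          category: trivy-${{ matrix.branch }}
```

Because the `ruleId` rewrite touches both the rule definitions and the results, the Security tab treats a `notebooks-v1` finding and its `notebooks-v2` twin as separate alerts, which is what makes a dismissal on one branch stay on that branch.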
@thesuperzapper thesuperzapper changed the title ci: add trivy filesystem scanning workflow ci: add trivy security scanning workflow Sep 25, 2025
@thesuperzapper
Member

/lgtm
/approve


[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: thesuperzapper

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow google-oss-prow bot merged commit 5c7abde into kubeflow:main Sep 25, 2025
9 of 10 checks passed
@github-project-automation github-project-automation bot moved this from Needs Triage to Done in Kubeflow Notebooks Sep 25, 2025
@andyatmiami andyatmiami deleted the ci/trivy-fs-scan branch October 6, 2025 14:41