Add trivy and codeql workflows #681
Pull request overview
This PR adds GitHub Actions workflows to run Trivy (license/vulnerability scanning) and CodeQL analysis as part of CI, plus scheduled/manual entrypoints, so findings can be surfaced in the GitHub “Security and quality” views and exported as artifacts.
Changes:
- Extend the existing `Verify` workflow to invoke reusable Trivy and CodeQL workflows.
- Add reusable workflows `common-trivy.yaml` and `common-codeql.yaml`, plus scheduled/manual wrappers.
- Add report export templates/artifacts (Trivy CSV export and CodeQL PDF report artifact).
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .github/workflows/verify.yaml | Adds Trivy + CodeQL jobs to the main verification pipeline via reusable workflows. |
| .github/workflows/common-trivy.yaml | New reusable Trivy workflow (license + vuln scan, SARIF upload, optional CSV artifact). |
| .github/workflows/trivy-csv.tpl | New Trivy template intended to export findings/dependencies as CSV. |
| .github/workflows/common-codeql.yaml | New reusable CodeQL workflow (scan + optional PDF report artifact). |
| .github/workflows/scan-periodic.yaml | New scheduled Trivy run to continuously populate security findings. |
| .github/workflows/codeql.yaml | New manual CodeQL workflow_dispatch entrypoint. |
| .github/workflows/release.yaml | New tag-triggered scan workflow that exports Trivy CSV and CodeQL PDF artifacts on releases. |
c8caf5b to 9d6623f
| uses: "./.github/workflows/common-trivy.yaml" | ||
| with: | ||
| upload-to-github-security-tab: true |
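Review bot: `upload-to-github-security-tab: true` is passed unconditionally from the Verify workflow, which also runs on pull requests; for PRs opened from forks the `GITHUB_TOKEN` does not carry `security-events: write`, so the SARIF upload inside `common-trivy.yaml` will fail on exactly those runs. Gate the input on the event instead, e.g. `upload-to-github-security-tab: ${{ github.event_name != 'pull_request' }}`, so the scan itself still runs on every PR while the Security tab upload only happens for pushes and scheduled runs.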
This part ${{ github.event_name != 'pull_request' }} would be a good improvement but can be added in a separate PR, too
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
|
|
||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@3d8036cf7fe7433e4a725cf513a6ea56c7fd0f14 # codeql-bundle-v2.25.0 | ||
| with: | ||
| languages: go | ||
|
|
||
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@3d8036cf7fe7433e4a725cf513a6ea56c7fd0f14 # codeql-bundle-v2.25.0 | ||
|
|
||
| - name: Generate CodeQL Security Report | ||
| if: ${{ inputs.export-report }} | ||
| uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4 | ||
| with: | ||
| template: report | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Upload PDF report as an artifact | ||
| if: ${{ inputs.export-report }} | ||
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | ||
| with: | ||
| name: codeql-report | ||
| path: report.pdf |
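Review bot: the Generate CodeQL Security Report step hands `${{ secrets.GITHUB_TOKEN }}` to a third-party action (pinned by full SHA, which is good) that reads the repository's code scanning alerts, but the excerpt shows no `permissions:` block for this job. Add an explicit one with `security-events: write` (required by `codeql-action/analyze` to upload results, and sufficient for the report action to read alerts) and `contents: read`, so the token granted to the job is no broader than these steps need. A short comment above `Perform CodeQL Analysis` stating that no explicit build step precedes it because analyze runs autobuild for Go would also document the choice for the next reader.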
The CodeQL job currently does not set up the Go toolchain (this repo’s go.mod specifies go 1.26.0) and does not run an autobuild/build step. This can lead to failed or incomplete extraction/analysis for Go projects.
The autobuild is run as part of the analyze action. Also, looking at the logs, it builds/works fine.
Also, CodeQL SARIF upload can fail on forked PRs due to security-events permission restrictions; wiring a conditional upload avoids that failure mode while still allowing analysis to run.
We don't upload/export the reports from the verify job (PRs), just releases and manual triggers for now. That could be changed (in the verify job) to upload/export on updates of branches (push trigger) but can be left as a future improvement.
273aabe to d7eb9bd
marquiz left a comment
Some notes below, but we could merge this even as is I think
| runs-on: ubuntu-22.04 | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 |
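Review bot: when bumping `actions/checkout` to a newer release as suggested, keep the full-SHA pin and update the trailing `# vX.Y.Z` comment together with it; a comment that no longer matches the SHA is how a pin silently drifts from what reviewers believe it is. `runs-on: ubuntu-22.04` is likewise a hard-coded runner image that will need its own bump when that image is retired, so it is worth a note next to the version comment.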
Could update these to latest versions (e.g. v7 here)
|
|
||
| - name: Run Trivy in fs mode | ||
| # This can later be turned into a blocking step if deemed necessary, but now we just want the update to the security tab and the artifact for review. | ||
| continue-on-error: true |
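Review bot: `continue-on-error: true` on the Trivy step masks more than findings: a failed vulnerability database download, a broken CSV template or a scanner crash also leaves the job green while no SARIF or CSV is produced for the Security tab or the artifact. If the intent stated in the comment is only that findings must not block the pipeline yet, Trivy's `exit-code: 0` achieves that on its own, so this line can be dropped and genuine scanner failures will still fail the job where they are visible.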
exit-code: 0 so this could be dropped(?)
f3eec60 to 3e39863
Co-authored-by: Markus Lehtonen <markus.lehtonen@intel.com>
Signed-off-by: Ukri Niemimuukko <ukri.niemimuukko@intel.com>
These workflow changes are originally, for the most part, from the goresctrl project, hence the co-authorship with marquiz.
Technically speaking, it is not absolutely necessary to have the possibility of running trivy and codeql inside the nri-plugins project itself. These tools can also be run in a fork, as I have been doing.
But for the longer term, it would perhaps be better for the project to keep an eye on security issues found by these two tools as well. The issues are conveniently shown in the "Security and quality" tab for those with enough permissions in the project. A PDF report will also be available.