Skip to content

fix: add Trivy vulnerability scanner workflow and fix CVEs#306

Merged
Fei-Guo merged 2 commits into
Azure:mainfrom
andyzhangx:add-trivy-workflow
Jul 7, 2026
Merged

fix: add Trivy vulnerability scanner workflow and fix CVEs#306
Fei-Guo merged 2 commits into
Azure:mainfrom
andyzhangx:add-trivy-workflow

Conversation

@andyzhangx

@andyzhangx andyzhangx commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Summary

Add a new GitHub Actions workflow .github/workflows/trivy.yaml that builds the gpu-provisioner container image and scans it with Trivy for OS and library CVEs on every push to main and every pull request.

What the workflow does

  1. Sets up Go 1.26.4 (matches env.GO_VERSION in tests.yml).
  2. Checks out the repo.
  3. Builds the container image locally via the existing docker-build Makefile target:
    make docker-build \
      REGISTRY=test \
      IMG_NAME=gpu-provisioner \
      IMG_TAG=latest \
      OUTPUT_TYPE=type=docker \
      ARCH=amd64
    
    OUTPUT_TYPE=type=docker keeps the image on the runner — nothing is pushed to any registry.
  4. Runs aquasecurity/trivy-action against test/gpu-provisioner:latest with:
    • vuln-type: os,library
    • severity: CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN
    • ignore-unfixed: true (only fail on fixable CVEs)
    • exit-code: 1 (fail the check when any qualifying CVE is found)

Differences from the azuredisk-csi-driver reference

Item Reference This PR
Trigger branch master main
Go version 1.25.11 1.26.4 (matches tests.yml)
Build command make container + REGISTRY=test IMAGE_VERSION=latest make docker-build REGISTRY=test IMG_NAME=gpu-provisioner IMG_TAG=latest OUTPUT_TYPE=type=docker ARCH=amd64
Scan target test/azuredisk-csi:latest test/gpu-provisioner:latest

Trivy version, action SHAs, DB mirror (public.ecr.aws/aquasecurity/trivy-db:2), severity set and ignore-unfixed behavior are kept identical to the reference workflow.

Notes / open questions

  • No permissions: block is set on the job. The reference workflow doesn't set one either. Happy to add permissions: contents: read on the workflow to align with the other workflows in this repo if reviewers prefer.
  • If ARCH=amd64 is too restrictive, we can drop ARCH and let the Makefile default (amd64,arm64) run — but multi-arch buildx would require OUTPUT_TYPE=type=registry or a local buildx loader tweak, so keeping single-arch here for CI speed and simplicity.

Verification

Once merged, the workflow will run automatically on this PR's target branch and on subsequent PRs. Locally the equivalent flow reproduces via:

make docker-build REGISTRY=test IMG_NAME=gpu-provisioner IMG_TAG=latest OUTPUT_TYPE=type=docker ARCH=amd64
trivy image --ignore-unfixed --severity CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN test/gpu-provisioner:latest
manager (gobinary)
==================
Total: 21 (UNKNOWN: 1, LOW: 0, MEDIUM: 6, HIGH: 14, CRITICAL: 0)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2026-39827 │ HIGH     │ fixed  │ v0.45.0           │ 0.52.0        │ An authenticated SSH client that repeatedly opened channels  │
│                     │                │          │        │                   │               │ which were ...                                               │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39827                   │
│                     ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-39828 │          │        │                   │               │ golang.org/x/crypto/ssh: golang.org/x/crypto/ssh:            │
│                     │                │          │        │                   │               │ Unauthorized command execution via discarded SSH permissions │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39828                   │
│                     ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-39829 │          │        │                   │               │ golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of  │
│                     │                │          │        │                   │               │ Service via crafted public key with excessive parameters...  │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39829                   │
│                     ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-39830 │          │        │                   │               │ golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of  │
│                     │                │          │        │                   │               │ Service via resource leak from unsolicited SSH responses...  │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39830                   │
│                     ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-39832 │          │        │                   │               │ golang.org/x/crypto/ssh/agent:                               │
│                     │                │          │        │                   │               │ golang.org/x/crypto/ssh/agent: Security bypass due to        │
│                     │                │          │        │                   │               │ improper handling of key restrictions                        │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39832                   │
│                     ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-39835 │          │        │                   │               │ golang.org/x/crypto/ssh: golang: golang.org/x/crypto/ssh:    │
│                     │                │          │        │                   │               │ Denial of Service via crafted SSH certificate                │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39835                   │
│                     ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-42508 │          │        │                   │               │ golang.org/x/crypto/ssh/knownhosts: golang:                  │
│                     │                │          │        │                   │               │ golang.org/x/crypto/ssh/knownhosts: Revocation bypass via    │
│                     │                │          │        │                   │               │ unchecked SignatureKey                                       │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-42508                   │
│                     ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-46595 │          │        │                   │               │ golang.org/x/crypto/ssh: golang.org/x/crypto/ssh:            │
│                     │                │          │        │                   │               │ Authorization bypass due to skipped source-address           │
│                     │                │          │        │                   │               │ validation                                                   │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-46595                   │
│                     ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-46597 │          │        │                   │               │ An incorrectly placed cast from bytes to int allowed for     │
│                     │                │          │        │                   │               │ server-side p...                                             │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-46597                   │
│                     ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-39831 │ MEDIUM   │        │                   │               │ The Verify() method for FIDO/U2F security key types          │
│                     │                │          │        │                   │               │ (sk-ecdsa-sha2-nis ...                                       │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39831                   │
│                     ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-39833 │          │        │                   │               │ golang.org/x/crypto/ssh/agent:                               │
│                     │                │          │        │                   │               │ golang.org/x/crypto/ssh/agent: Security bypass due to        │
│                     │                │          │        │                   │               │ unenforced key confirmation                                  │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39833                   │
│                     ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-39834 │          │        │                   │               │ When writing data larger than 4GB in a single Write call     │
│                     │                │          │        │                   │               │ on...                                                        │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39834                   │
│                     ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-46598 │          │        │                   │               │ golang.org/x/crypto/ssh/agent: golang:                       │
│                     │                │          │        │                   │               │ golang.org/x/crypto/ssh/agent: Denial of Service via         │
│                     │                │          │        │                   │               │ malformed input                                              │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-46598                   │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net    │ CVE-2026-25681 │ HIGH     │        │ v0.47.0           │ 0.55.0        │ golang.org/x/net/html: golang.org/x/net/html: Arbitrary code │
│                     │                │          │        │                   │               │ execution via Cross-Site Scripting                           │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-25681                   │
│                     ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-27136 │          │        │                   │               │ golang.org/x/net/html: golang: golang.org/x/net/html:        │
│                     │                │          │        │                   │               │ Cross-Site Scripting via HTML parsing bypass                 │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-27136                   │
│                     ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-33814 │          │        │                   │ 0.53.0        │ net/http/internal/http2: golang: golang.org/x/net: Go        │
│                     │                │          │        │                   │               │ HTTP/2: Denial of Service via malformed                      │
│                     │                │          │        │                   │               │ SETTINGS_MAX_FRAME_SIZE frame...                             │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-33814                   │
│                     ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-39821 │          │        │                   │ 0.55.0        │ golang.org/x/net/idna: golang: golang.org/x/net/idna:        │
│                     │                │          │        │                   │               │ Privilege escalation via incorrect Punycode label processing │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39821                   │
│                     ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-42502 │          │        │                   │               │ Parsing arbitrary HTML which is then rendered using Render   │
│                     │                │          │        │                   │               │ can result ...                                               │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-42502                   │
│                     ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-25680 │ MEDIUM   │        │                   │               │ golang.org/x/net/html: golang.org/x/net/html: Denial of      │
│                     │                │          │        │                   │               │ Service due to excessive HTML parsing                        │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-25680                   │
│                     ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-42506 │          │        │                   │               │ golang.org/x/net/html: golang.org/x/net/html: Cross-Site     │
│                     │                │          │        │                   │               │ Scripting (XSS) via arbitrary HTML parsing                   │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-42506                   │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/sys    │ CVE-2026-39824 │ UNKNOWN  │        │ v0.38.0           │ 0.44.0        │ Invoking integer overflow in NewNTUnicodeString in           │
│                     │                │          │        │                   │               │ golang.org/x/sys/windows                                     │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39824                   │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

@codecov-commenter

codecov-commenter commented Jul 7, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 71.25%. Comparing base (90169ee) to head (9aa4d5e).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #306   +/-   ##
=======================================
  Coverage   71.25%   71.25%           
=======================================
  Files           4        4           
  Lines         407      407           
=======================================
  Hits          290      290           
  Misses         98       98           
  Partials       19       19           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@andyzhangx andyzhangx changed the title ci: add Trivy vulnerability scanner workflow ci: add Trivy image vulnerability scanning workflow Jul 7, 2026
@andyzhangx andyzhangx changed the title ci: add Trivy image vulnerability scanning workflow fix: add Trivy vulnerability scanner workflow and fix CVEs Jul 7, 2026
@Fei-Guo Fei-Guo merged commit d1ba5d5 into Azure:main Jul 7, 2026
6 of 7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants