fix: add Trivy vulnerability scanner workflow and fix CVEs#306
Merged
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #306 +/- ##
=======================================
Coverage 71.25% 71.25%
=======================================
Files 4 4
Lines 407 407
=======================================
Hits 290 290
Misses 98 98
Partials 19 19 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
1dede1b to
9aa4d5e
Compare
rambohe-ch
approved these changes
Jul 7, 2026
Fei-Guo
approved these changes
Jul 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add a new GitHub Actions workflow
.github/workflows/trivy.yamlthat builds thegpu-provisionercontainer image and scans it with Trivy for OS and library CVEs on every push tomainand every pull request.What the workflow does
env.GO_VERSIONintests.yml).docker-buildMakefile target:OUTPUT_TYPE=type=dockerkeeps the image on the runner — nothing is pushed to any registry.aquasecurity/trivy-actionagainsttest/gpu-provisioner:latestwith:vuln-type: os,libraryseverity: CRITICAL,HIGH,MEDIUM,LOW,UNKNOWNignore-unfixed: true(only fail on fixable CVEs)exit-code: 1(fail the check when any qualifying CVE is found)Differences from the azuredisk-csi-driver reference
mastermain1.25.111.26.4(matchestests.yml)make container+REGISTRY=test IMAGE_VERSION=latestmake docker-build REGISTRY=test IMG_NAME=gpu-provisioner IMG_TAG=latest OUTPUT_TYPE=type=docker ARCH=amd64test/azuredisk-csi:latesttest/gpu-provisioner:latestTrivy version, action SHAs, DB mirror (
public.ecr.aws/aquasecurity/trivy-db:2), severity set andignore-unfixedbehavior are kept identical to the reference workflow.Notes / open questions
permissions:block is set on the job. The reference workflow doesn't set one either. Happy to addpermissions: contents: readon the workflow to align with the other workflows in this repo if reviewers prefer.ARCH=amd64is too restrictive, we can dropARCHand let the Makefile default (amd64,arm64) run — but multi-arch buildx would requireOUTPUT_TYPE=type=registryor a local buildx loader tweak, so keeping single-arch here for CI speed and simplicity.Verification
Once merged, the workflow will run automatically on this PR's target branch and on subsequent PRs. Locally the equivalent flow reproduces via: