ci: add reusable container scan workflow (Trivy) #14
Adds a reusable workflow for scanning container images against known CVEs using Trivy. Covers OS packages and application-level dependencies in the built image — the layer that Semgrep (SAST) and Socket (SCA) don't reach. Supports ECR images via OIDC role assumption. Results upload to GitHub Security tab as SARIF for unified visibility alongside Semgrep findings.

Uses Trivy directly because Socket Basics' pre-built GitHub Action image temporarily ships without Trivy (as of v2.0.3). Comment in the file documents the swap path when Socket re-enables it.

Satisfies SOC 2 VPM-2 (quarterly vulnerability scans on external-facing systems) with every-deploy cadence.

Co-authored-by: Cursor <cursoragent@cursor.com>
Created a monitoring plan for this PR.

What this PR does: Adds automated container image vulnerability scanning (Trivy) to every deploy, with findings surfaced in the GitHub Security tab — satisfying the SOC 2 VPM-2 quarterly scan requirement at every-deploy cadence.

Intended effect:

Risks:

Status updates will be posted automatically on this PR as monitoring progresses.
GitHub Code Security license required for SARIF upload to the Security tab on private repos. Replace with:

- Table output in workflow logs (human-readable)
- JSON artifact (machine-readable, audit evidence)
- Step summary with severity counts (visible on the PR)

Also removes actions:read and security-events:write permissions since they're no longer needed without the codeql-action.

Co-authored-by: Cursor <cursoragent@cursor.com>
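An added example, not the PR's own container-scan.yml, of the shape a reusable scan workflow takes after this commit: Trivy table output in the job log, a JSON artifact for audit evidence, a step summary with per-severity counts, and no codeql-action or security-events: write. The input names, action versions, the region and the OIDC role input are assumptions; the image reference is passed through an environment variable rather than interpolated into the shell script so a hostile tag cannot inject into the run step.

```yaml
# Added example, not the PR's container-scan.yml. Input names, action
# versions, the region and the aws_role input are assumptions.
name: container-scan

on:
  workflow_call:
    inputs:
      image:
        description: Image reference to scan (e.g. an ECR image URI with tag)
        required: true
        type: string
      aws_role:
        description: IAM role ARN to assume via OIDC for ECR pulls; empty for public images
        required: false
        type: string
        default: ''

permissions:
  contents: read
  id-token: write   # OIDC only; with no SARIF upload there is no security-events: write

jobs:
  scan:
    runs-on: ubuntu-latest
    env:
      IMAGE: ${{ inputs.image }}   # pass through env, never interpolate into run: scripts
    steps:
      - name: Assume AWS role via OIDC
        if: inputs.aws_role != ''
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ inputs.aws_role }}
          aws-region: us-east-1   # assumption: the registry's region

      - name: Log in to ECR
        if: inputs.aws_role != ''
        uses: aws-actions/amazon-ecr-login@v2

      - name: Trivy scan, human-readable table in the job log
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ inputs.image }}
          format: table
          severity: CRITICAL,HIGH,MEDIUM,LOW
          exit-code: '0'   # scan-only: record evidence, do not fail the build here

      - name: Trivy scan, machine-readable JSON for audit evidence
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ inputs.image }}
          format: json
          output: trivy-results.json
          exit-code: '0'

      - name: Severity counts in the step summary
        if: always()
        run: |
          if [ ! -f trivy-results.json ]; then
            echo "Container scan of $IMAGE: no results file, scan step failed" >> "$GITHUB_STEP_SUMMARY"
            exit 0
          fi
          {
            echo "## Container scan: $IMAGE"
            echo
            echo "| Severity | Count |"
            echo "|----------|-------|"
            for sev in CRITICAL HIGH MEDIUM LOW; do
              n=$(jq --arg s "$sev" \
                '[.Results[]?.Vulnerabilities[]? | select(.Severity == $s)] | length' \
                trivy-results.json)
              echo "| $sev | $n |"
            done
          } >> "$GITHUB_STEP_SUMMARY"

      - name: Upload JSON report as workflow artifact
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: container-scan-report
          path: trivy-results.json
```

The summary and upload steps carry `if: always()` so a non-zero exit from the scan steps still leaves the evidence behind; the jq filter uses `[]?` on both `Results` and `Vulnerabilities` because Trivy omits those arrays for targets with no findings.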
```yaml
with:
  name: container-scan-report
  path: trivy-results.json
if: always()
```
Missing SARIF Security tab upload
Medium Severity
The reusable workflow only emits JSON (trivy-results.json) and a workflow artifact, but the PR promises SARIF upload to the GitHub Security tab. There is no format: sarif scan step or github/codeql-action/upload-sarif, and the job lacks security-events: write, so unified code scanning findings never appear.
Reviewed by Cursor Bugbot for commit 8e51fc9.
Replace standalone Trivy + SARIF upload with Socket Basics action. Results flow to Socket Dashboard — single pane of glass alongside the existing SCA and SAST findings. Socket Basics handles Trivy internally. If their pre-built action doesn't have container scanning ready yet, the run will surface the issue and we can iterate.

Co-authored-by: Cursor <cursoragent@cursor.com>
Adds a triage job that runs after the scan when findings exist on PRs. Uses Claude Code to evaluate each CVE for relevance (runtime applicability, fix availability, ownership) and posts a single actionable PR comment with prioritized remediation steps. Modeled after the semgrep-triage-prompt.md pattern: filters noise (Windows CVEs, vendor binaries, unfixed vulns), surfaces what matters, provides exact fix commands.

Co-authored-by: Cursor <cursoragent@cursor.com>
…ion (weekly)

container-scan.yml: scan-only, runs every build for audit evidence. No triage, no PR comments. Just Trivy table + JSON artifact + summary.

container-remediation.yml (new): weekly scheduled workflow that scans the production image, triages findings with Claude, and applies fixes via Cursor agent. Creates/updates an evergreen security/container-remediation PR — same pattern as vuln-remediation.yml for Socket SCA.

Prompts updated:
- triage-prompt.md: outputs structured triage-result.json (not PR comments)
- fix-prompt.md (new): applies safe Go dep bumps and base image patches

Co-authored-by: Cursor <cursoragent@cursor.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
Reviewed by Cursor Bugbot for commit 75b3296.
```yaml
if: always()

fix:
  needs: triage
```
Fix job requires triage success
Medium Severity
The fix job lists needs: triage with no if that allows triage failure, so a failed or timed-out triage skips remediation entirely. That conflicts with fix-prompt.md, which expects fixes from trivy-results.json when triage output is absent, and leaves scan artifacts unused after triage errors.
Reviewed by Cursor Bugbot for commit 75b3296.
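The gating problem Bugbot flags above, worked through as an added example that is not the PR's container-remediation.yml: the fix job depends on the scan result rather than on triage success, so a failed or timed-out triage still lets remediation read trivy-results.json, and a manual cancel still stops everything. It calls the reusable scan workflow by its path; the cron, the repository variable names, the artifact names and the jq pre-filter that stands in for the Claude triage step are assumptions.

```yaml
# Added example, not the PR's container-remediation.yml. Cron, variable names,
# artifact names and the jq pre-filter (in place of the Claude triage step)
# are assumptions.
name: container-remediation

on:
  schedule:
    - cron: '0 6 * * 1'   # weekly, Monday 06:00 UTC
  workflow_dispatch:

permissions:
  contents: read

jobs:
  scan:
    uses: ./.github/workflows/container-scan.yml   # the reusable workflow from this PR
    with:
      image: ${{ vars.PROD_IMAGE }}         # repository variable holding the production image ref
      aws_role: ${{ vars.ECR_SCAN_ROLE }}   # repository variable holding the OIDC role ARN
    permissions:
      contents: read
      id-token: write

  triage:
    needs: scan
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: container-scan-report
      - name: Keep fixable CRITICAL/HIGH findings (stand-in for the Claude triage prompt)
        run: |
          jq '[.Results[]?.Vulnerabilities[]?
               | select(.FixedVersion != null and .FixedVersion != "")
               | select(.Severity == "CRITICAL" or .Severity == "HIGH")
               | {VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity}]' \
            trivy-results.json > triage-result.json
      - uses: actions/upload-artifact@v4
        with:
          name: triage-result
          path: triage-result.json

  fix:
    needs: [scan, triage]
    # The implicit `if: success()` skips this job whenever triage fails.
    # !cancelled() keeps it running after a triage failure or timeout but not
    # after a manual cancel (always() would run even then); the scan itself
    # must have produced results. Both jobs are listed in needs because the
    # needs context only exposes direct dependencies.
    if: ${{ !cancelled() && needs.scan.result == 'success' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: container-scan-report
      - uses: actions/download-artifact@v4
        if: needs.triage.result == 'success'
        with:
          name: triage-result
      - name: Choose remediation input
        run: |
          if [ -f triage-result.json ]; then
            echo "REMEDIATION_INPUT=triage-result.json" >> "$GITHUB_ENV"
          else
            echo "::warning::triage result was '${{ needs.triage.result }}'; using raw scan output"
            echo "REMEDIATION_INPUT=trivy-results.json" >> "$GITHUB_ENV"
          fi
      - name: List fixable package bumps (input for the fix prompt)
        run: |
          # Both shapes are handled: the triage array, or Trivy's raw {Results: [...]} report.
          jq -r 'if type == "array" then .[] else .Results[]?.Vulnerabilities[]? end
                 | select(.FixedVersion != null and .FixedVersion != "")
                 | "\(.VulnerabilityID) \(.PkgName): \(.InstalledVersion) -> \(.FixedVersion)"' \
            "$REMEDIATION_INPUT" | sort -u
```

The last step is the point of the fallback: because the raw Trivy report and the triage output have different shapes, anything that consumes `REMEDIATION_INPUT` has to accept both, otherwise the `if` change just moves the failure one job later.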


Summary

- container-scan.yml: reusable workflow for Trivy-based container image scanning

Context

Satisfies SOC 2 VPM-2 (quarterly vulnerability scans on external-facing systems) with every-deploy cadence. This is item 13 in the AWS evidence assessment.

Uses Trivy directly because Socket Basics' pre-built GitHub Action image temporarily ships without Trivy (v2.0.3). Workflow includes a comment documenting the swap path when Socket re-enables it.

Consumer usage

Test plan

- kernel/kernelapi-build workflow pointing at this branch