ci: scheduled trivy image scan for webapp (OS, summary-only)

nicktrn · nicktrn · commit 3b2a9b36f8fe · 2026-06-04T17:34:32.000+01:00
diff --git a/.github/workflows/trivy-image-webapp.yml b/.github/workflows/trivy-image-webapp.yml
@@ -0,0 +1,80 @@
+name: Trivy Image Scan (webapp)
+
+# Scheduled OS-level CVE drift scan of the published webapp image, pulled from
+# GHCR. The image is a heavy multi-stage build, so we scan the published
+# artifact rather than rebuilding per-PR.
+#
+# Report-only: writes a table to the job run summary. No SARIF upload, no PR
+# gate (for now). Library/dependency CVEs are covered by Dependabot; this scan
+# is restricted to OS packages (`vuln-type: os`) so the two don't double-report.
+
+on:
+  schedule:
+    - cron: "0 6 * * 1" # Mondays 06:00 UTC
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Image tag to scan (blank = newest stable vX.Y.Z)"
+        required: false
+        default: ""
+
+permissions: {}
+
+concurrency:
+  group: trivy-image-webapp
+  cancel-in-progress: true
+
+jobs:
+  scan:
+    name: Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Resolve image tag
+        id: resolve
+        env:
+          INPUT_TAG: ${{ github.event.inputs.tag }}
+        run: |
+          set -euo pipefail
+          if [ -n "$INPUT_TAG" ]; then
+            tag="$INPUT_TAG"
+          else
+            # Newest stable release tag (exclude -rc/-beta). Public GHCR repo,
+            # so an anonymous pull token is enough to list tags.
+            token="$(curl -fsSL "https://ghcr.io/token?scope=repository:triggerdotdev/trigger.dev:pull" | jq -r .token)"
+            tag="$(curl -fsSL -H "Authorization: Bearer $token" \
+              "https://ghcr.io/v2/triggerdotdev/trigger.dev/tags/list?n=1000" \
+              | jq -r '.tags[]' \
+              | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | sort -V | tail -1)"
+          fi
+          if [ -z "$tag" ]; then
+            echo "Could not resolve an image tag to scan" >&2
+            exit 1
+          fi
+          echo "tag=$tag" >> "$GITHUB_OUTPUT"
+          echo "Scanning ghcr.io/triggerdotdev/trigger.dev:$tag"
+
+      - name: Run Trivy image scan
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
+        with:
+          scan-type: image
+          image-ref: ghcr.io/triggerdotdev/trigger.dev:${{ steps.resolve.outputs.tag }}
+          # vuln-type maps to --pkg-types: OS packages only (library deps are
+          # Dependabot's job). ignore-unfixed drops vulns with no patch yet.
+          vuln-type: os
+          ignore-unfixed: true
+          severity: HIGH,CRITICAL
+          format: table
+          output: trivy-image-webapp.txt
+
+      - name: Job summary
+        if: always()
+        env:
+          TAG: ${{ steps.resolve.outputs.tag }}
+        run: |
+          {
+            echo "## Trivy Image Scan (webapp) — \`${TAG:-unknown}\`"
+            echo '```'
+            # GitHub step summary is capped at 1 MiB; truncate large reports.
+            head -c 900000 trivy-image-webapp.txt 2>/dev/null || echo "(no report produced)"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
