Let's add a vulnerability scanning solution. #1552
PratikDevlekar started this conversation in Ideas
Replies: 1 comment
-
Hi, thanks @PratikDevlekar! I'm curious what other open-source repositories currently do. Some good comparables could be to take a look at what the Pandas, Dask, Spark and Ray projects currently adopt.
-
This GitHub Actions workflow will automate the process of vulnerability scanning for the complete repo using Trivy. Trivy is a simple and comprehensive vulnerability scanner, which can later be super handy as we move ahead (cluster security risk handling, cloud scanning, etc.).
Workflow steps:
Checkout Code: The workflow starts by checking out the code from the repository to make it available for subsequent steps.
Run Trivy Vulnerability Scanner: Trivy is used to scan the complete repo (currently). The scan is configured to include vulnerabilities of severity levels "CRITICAL" and "HIGH". The scan results are saved in a JSON file (table format).
Upload Trivy Scan Results as Artifact: The scan results (detailed report) are uploaded as an artifact. Artifacts can be used for sharing files between workflow jobs or for archiving purposes.
Send Mail: Mail will be pushed to the respective team leads. The mail covers the scan result and the vulnerabilities that are "Critical", and a complete table report is generated as the attachment. This provides visibility into the scan results and allows easy access to the detailed report. On the other hand, if no vulnerabilities are caught, a success mail will be pushed.
Trigger: Tag based.
Let me know your thoughts on this workflow; this will be a small step toward integrating a security tool :)
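A complete workflow along the lines described in the post above, as an added example; it is not the author's actual workflow or the project's own code. It assumes the third-party actions `aquasecurity/trivy-action`, `actions/upload-artifact` and `dawidd6/action-send-mail` at the pinned versions shown (pin to whatever release you have reviewed), repository secrets named `MAIL_USERNAME` and `MAIL_PASSWORD`, and placeholder SMTP host and mail addresses. It runs Trivy twice so that the JSON output can be used to count CRITICAL findings with `jq` while the table output is attached to the mail, and it sends the "scan passed" mail when that count is zero.

```yaml
# .github/workflows/trivy-scan.yml (example, not the project's file)
name: Trivy repository scan

on:
  push:
    tags:
      - "v*"            # tag-based trigger, as in the proposal

permissions:
  contents: read      # the job only needs to read the checkout

jobs:
  trivy-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Human-readable table report; this is what gets attached to the mail.
      - name: Run Trivy (table report)
        uses: aquasecurity/trivy-action@0.28.0   # assumed release tag; pin your own
        with:
          scan-type: fs
          scan-ref: .
          format: table
          output: trivy-report.txt
          severity: CRITICAL,HIGH
          exit-code: "0"    # do not fail here; the mail step must still run

      # Machine-readable report; used below to decide which mail to send.
      - name: Run Trivy (JSON report)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          format: json
          output: trivy-report.json
          severity: CRITICAL,HIGH
          exit-code: "0"

      # Count CRITICAL findings and build a short list for the mail body.
      - name: Summarise CRITICAL findings
        id: summary
        run: |
          count=$(jq '[.Results[]? | .Vulnerabilities[]? | select(.Severity == "CRITICAL")] | length' trivy-report.json)
          echo "critical=$count" >> "$GITHUB_OUTPUT"
          {
            echo "Trivy scan of ${GITHUB_REPOSITORY} at ${GITHUB_REF_NAME}: ${count} CRITICAL finding(s)."
            echo "Full CRITICAL/HIGH table is attached; the JSON report is a workflow artifact."
            echo
            jq -r '.Results[]? | .Target as $t | .Vulnerabilities[]?
                   | select(.Severity == "CRITICAL")
                   | "\($t): \(.VulnerabilityID) \(.PkgName) \(.InstalledVersion) -> fixed in \(.FixedVersion // "no fix yet")"' \
              trivy-report.json
          } > mail-body.txt

      - name: Upload Trivy reports as artifact
        uses: actions/upload-artifact@v4
        with:
          name: trivy-reports
          path: |
            trivy-report.txt
            trivy-report.json

      # One mail step covers both outcomes: the subject changes with the count.
      - name: Send mail to team leads
        uses: dawidd6/action-send-mail@v3
        with:
          server_address: smtp.example.com          # placeholder
          server_port: 465
          username: ${{ secrets.MAIL_USERNAME }}
          password: ${{ secrets.MAIL_PASSWORD }}
          subject: ${{ steps.summary.outputs.critical == '0' && 'Trivy scan passed' || format('Trivy scan: {0} CRITICAL finding(s)', steps.summary.outputs.critical) }}
          to: team-leads@example.com                # placeholder
          from: CI <ci@example.com>                 # placeholder
          body: file://mail-body.txt
          attachments: trivy-report.txt
```

Two design choices worth noting. Both Trivy steps set `exit-code: "0"` so that findings never abort the job before the artifact and mail steps run; if you also want the release to be blocked, add a final step that exits non-zero when `steps.summary.outputs.critical` is not `0`, after the mail has been sent. And because the trigger is tag-only, a newly vulnerable dependency is first reported at release time; adding a `pull_request` trigger (or a scheduled run) gives the same report earlier, when it is cheaper to act on.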