Skip to content

investigate(security): evaluate safe container image scanning in public pipelines #2761

Description

@DerekRoberts

We need to evaluate the security and operational impact of running container image scanning (e.g., Trivy in image mode) within our public GitHub Actions workflows.

Concerns:

  1. Information Disclosure / Reconnaissance: Dumping raw CVE vulnerability reports (containing library versions and specific CVE IDs) to public job logs creates an easy reconnaissance vector for attackers targeting public preview deployments.
  2. Build Blockages vs. Upstream Fixes: Standard image scans block builds on unpatched base image packages (e.g. Alpine/Debian system libraries). This can bottleneck developer workflows when no upstream patch is available unless scanning is non-blocking.
  3. Build Performance: Image scanning adds build-time overhead to PR pipelines.

Proposed Solutions to Investigate:

  • Private SARIF uploads: Configure Trivy to generate SARIF output and use github/codeql-action/upload-sarif to upload results privately to the GitHub Security tab (restricting view to repository maintainers).
  • Cluster-side scanning: Offload container scanning entirely to Red Hat Advanced Cluster Security (RHACS) inside the OpenShift namespace rather than scanning in the public CI runner.
  scan-images:
    name: Scan Images
    needs: [builds]
    runs-on: ubuntu-24.04
    strategy:
      matrix:
        package: [backend, frontend, migrations]
    permissions:
      contents: read
      packages: read
    steps:
      - name: Run Trivy in image mode
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
        with:
          image-ref: 'ghcr.io/${{ github.repository }}/${{ matrix.package }}:${{ github.event.number }}'
          format: 'table'
          exit-code: '0'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

Status
Backlog

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions