We need to evaluate the security and operational impact of running container image scanning (e.g., Trivy in image mode) within our public GitHub Actions workflows.
Concerns:
- Information Disclosure / Reconnaissance: Dumping raw CVE vulnerability reports (containing library versions and specific CVE IDs) to public job logs creates an easy reconnaissance vector for attackers targeting public preview deployments.
- Build Blockages vs. Upstream Fixes: Standard image scans block builds on unpatched base image packages (e.g. Alpine/Debian system libraries). This can bottleneck developer workflows when no upstream patch is available unless scanning is non-blocking.
- Build Performance: Image scanning adds build-time overhead to PR pipelines.
Proposed Solutions to Investigate:
- Private SARIF uploads: Configure Trivy to generate SARIF output and use `github/codeql-action/upload-sarif` to upload results to the GitHub Security tab, where code scanning alerts are by default visible only to users with write access to the repository, instead of printing them to the public job log.
- Cluster-side scanning: Offload container scanning entirely to Red Hat Advanced Cluster Security (RHACS) inside the OpenShift namespace rather than scanning in the public CI runner.
Current job (indentation restored from the workflow):

```yaml
scan-images:
  name: Scan Images
  needs: [builds]
  runs-on: ubuntu-24.04
  strategy:
    matrix:
      package: [backend, frontend, migrations]
  permissions:
    contents: read
    packages: read
  steps:
    - name: Run Trivy in image mode
      uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
      with:
        image-ref: 'ghcr.io/${{ github.repository }}/${{ matrix.package }}:${{ github.event.number }}'
        format: 'table'       # full CVE table is written to the public job log
        exit-code: '0'        # non-blocking
        ignore-unfixed: true
        severity: 'CRITICAL,HIGH'
```
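For comparison, here is the private SARIF variant of the same job, written as an added example rather than as a change already in the repository. It keeps the job name, matrix, image naming and pinned trivy-action commit from the snippet above; the `@v3` tag on `upload-sarif` is an assumption and should be pinned to a commit SHA like the Trivy step. The `category` value is a constructed name chosen so the three matrix uploads do not overwrite one another.

```yaml
# Added example (not the project's current workflow): same scan, but the
# findings go to the Security tab as SARIF instead of the public job log.
scan-images:
  name: Scan Images
  needs: [builds]
  runs-on: ubuntu-24.04
  strategy:
    matrix:
      package: [backend, frontend, migrations]
  permissions:
    contents: read
    packages: read
    security-events: write   # required for upload-sarif to create code scanning alerts
  steps:
    - name: Run Trivy in image mode (SARIF)
      uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
      with:
        image-ref: 'ghcr.io/${{ github.repository }}/${{ matrix.package }}:${{ github.event.number }}'
        format: 'sarif'
        output: 'trivy-${{ matrix.package }}.sarif'   # file on the runner, not the log
        exit-code: '0'        # non-blocking; triage happens in the Security tab
        ignore-unfixed: true  # skip base-image packages with no upstream fix
        severity: 'CRITICAL,HIGH'

    - name: Upload Trivy results to the Security tab
      uses: github/codeql-action/upload-sarif@v3   # assumed tag; pin to a SHA in practice
      with:
        sarif_file: 'trivy-${{ matrix.package }}.sarif'
        category: 'trivy-${{ matrix.package }}'   # distinct category per matrix image
```

Two caveats to check before adopting this: `github.event.number` is only populated on `pull_request` events, so the job must stay on that trigger, and the `GITHUB_TOKEN` for a `pull_request` run from a fork cannot hold `security-events: write`, so the upload step will fail for fork PRs unless the workflow is restricted to same-repository branches or moved to a trusted trigger.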