31 changes: 23 additions & 8 deletions docs/content/direct/testing.md
Expand Up @@ -38,21 +38,36 @@ go test -v -timeout 60s -run ^TestCRDHandling$ ./test/integration/controller-man

See `test/e2e/` in the GitHub repository. It has a README.

## Security scanning in CI
## CI Security Scanning

KubeStellar aims to use automated security scanning workflows as part of its CI pipeline to improve supply-chain security and provide early visibility into potential vulnerabilities.
KubeStellar will include automated security scanning workflows as part of its CI
infrastructure. These planned workflows are designed to improve supply-chain security
and provide early visibility into potential vulnerabilities.

### OpenSSF Scorecard

An OpenSSF Scorecard workflow can be used to evaluate the repository against a set of security best practices (such as branch protection, dependency management, and CI configuration).
When enabled (for example via a GitHub Actions workflow under `.github/workflows`), it typically runs on a schedule and/or on changes to the main branch and publishes its results to the GitHub **Security** tab.
KubeStellar will run an OpenSSF Scorecard workflow to evaluate the repository
against a set of security best practices, such as branch protection,
dependency management, and CI configuration.

### Trivy image scanning
The planned Scorecard workflow is expected to:
- Run on a schedule and on changes to the main branch
- Produce results in SARIF format
- Publish findings to the GitHub **Security** tab

KubeStellar can also be integrated with Trivy to scan container images built in CI for known vulnerabilities (CVEs).
A Trivy-based workflow generally reports **CRITICAL** and **HIGH** severity findings and can upload results in SARIF format, making them visible in the GitHub **Security** tab.
### Trivy Container Image Scanning

If these workflows are configured in your clone of the repository, they are part of the CI infrastructure only and do not affect the runtime behavior of KubeStellar deployments.
KubeStellar will also use Trivy to scan container images built in CI for known
vulnerabilities (CVEs).

The planned Trivy scanning workflow is expected to:
- Build container images during CI
- Scan for **CRITICAL** and **HIGH** severity vulnerabilities
- Upload results in SARIF format to the GitHub **Security** tab

These workflows are part of the project’s CI infrastructure only (and may not yet
be present in this repository) and do not affect the runtime behavior of KubeStellar
deployments.

## Testing releases

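Review bot: The rewritten section states the workflows as facts in one place ("KubeStellar will run an OpenSSF Scorecard workflow", "KubeStellar will also use Trivy") while the closing paragraph admits they "may not yet be present in this repository", which leaves a reader unable to tell whether the Scorecard and Trivy checks actually run on this repo today. Since the deleted text pointed at the concrete location (`.github/workflows`) where a reader could verify that, keep that pointer in the new "CI Security Scanning" paragraph, or phrase both subsections consistently as planned work and drop the "will" wording until the workflow files land. Minor: the new headings switch to Title Case ("## CI Security Scanning", "### Trivy Container Image Scanning") whereas the surrounding headings in this file use sentence case ("## Testing releases"); keeping the original "## Security scanning in CI" style would match the rest of the document.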