
feat: enable image scanning with Trivy #1

Open

nicolas-goudry wants to merge 12 commits into main from feat/add-trivy

Conversation


@nicolas-goudry nicolas-goudry commented Aug 4, 2025

This PR introduces a code scanning workflow using Trivy to scan container images for vulnerabilities and uploads SARIF reports to GitHub Code Scanning.

🚀 Features

  • add scripts directory, containing runnable scripts which are added to the packages Flake output as well as automatically loaded in development shell
  • scripts: add Trivy image scanning

✨ Changes

  • lib/mkImage: return an attribute set composed of image and tag attributes, respectively containing the image derivation (which was previously returned in place of the attrset) and the image tag which matches the derivation in image
  • all related code which needs to use the image derivation has been updated according to the above change
  • lib/mkImage: build fromImage attribute with lib.optionalString instead of an if ... then ... else condition
  • shell: add scripts outputs to environment
  • flake: rename nix2container input to n2c
  • flake: update eachSystem to send an attribute set containing pkgs, xpkgs (local packages) as well as nix2container to callers (previously only sending pkgs)
  • flake: update development shell definition according to changes to shell.nix
  • pkgs: update GeoLite2 to 2025-08-04

🤖 CI

  • add a new code-scanning workflow to trigger Trivy scanning on pull requests as well as on a successful release and upload SARIF results to GitHub Code Scanning
  • repository_dispatch trigger is removed from other workflows.
  • release: ignore updates done to the scripts directory
  • update-geolite2: adjust commit message and PR title on update
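The CI section above describes a workflow that runs Trivy against the container image on pull requests and after a successful release, then uploads the SARIF output to GitHub Code Scanning. The following GitHub Actions workflow is an added illustration of that shape; it is not the workflow from this PR or from the repository. The release workflow name (`release`), the image reference (`ghcr.io/example/image:latest`), the action version pins and the severity filter are assumptions or placeholders, not values taken from the project.

```yaml
name: code-scanning

on:
  # scan every pull request so findings annotate the PR
  pull_request:
  # re-scan after the release workflow has run (workflow name is assumed)
  workflow_run:
    workflows: ["release"]
    types: [completed]

# least privilege: read the repo, write only to code-scanning alerts
permissions:
  contents: read
  security-events: write

jobs:
  trivy-image:
    # on workflow_run, only continue when the release actually succeeded
    if: github.event_name == 'pull_request' || github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Scan container image with Trivy
        uses: aquasecurity/trivy-action@0.28.0   # version pin is an assumption
        with:
          scan-type: image
          image-ref: ghcr.io/example/image:latest  # placeholder image reference
          format: sarif
          output: trivy-results.sarif
          severity: HIGH,CRITICAL        # assumed threshold; tune to the project's policy
          ignore-unfixed: true           # drop findings with no available fix to reduce noise
          exit-code: "0"                 # let the upload step run even when findings exist

      - name: Upload SARIF to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
          # a distinct category keeps Trivy results from overwriting other tools' uploads
          category: trivy-image
```

Two details matter for a scan that is meant to gate merges rather than merely report: the `security-events: write` permission is required for the SARIF upload and nothing broader should be granted, and `exit-code` is kept at `0` for the scan step so the SARIF is always uploaded; if the project wants HIGH/CRITICAL findings to fail the check, a second Trivy invocation with `exit-code: "1"` (or a branch protection rule on the code scanning alert) enforces that without losing the report.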

@github-advanced-security commented

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
