ci: update trivy scan workflow with VEX support #277

Closed
pohanhuang wants to merge 1 commit into master from fix/trivy-action-vex

Conversation

@pohanhuang
Contributor

Summary

  • update the Trivy GitHub Actions workflow
  • download Rancher VEX Hub report before scanning
  • pass VEX data to Trivy and show suppressed findings

Testing

  • not run (GitHub Actions change only)
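The workflow the summary above describes (download an OpenVEX report, hand it to Trivy via `TRIVY_VEX`, keep suppressed findings visible), written out as an added example. This is not the PR's own diff or the project's workflow file. Assumptions: the `VEX_URL` value is a placeholder for the Rancher VEX Hub report URL, the action version tags are illustrative and should be replaced by the repository's commit-SHA pins, `TRIVY_SHOW_SUPPRESSED` is the environment form of Trivy's `--show-suppressed` flag, and the `jq` sanity check on the downloaded document is this example's addition.

```yaml
# Added example of a Trivy filesystem scan that consumes an OpenVEX document.
# Not the PR's workflow; URL, pins and the jq check are this example's assumptions.
name: trivy-scan

on:
  push:
    branches:
      - master
      - 'v*'
  pull_request:

permissions:
  contents: read
  security-events: write   # required to upload SARIF to the Security tab

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4   # replace with a commit-SHA pin in production

      - name: Download OpenVEX statements
        env:
          VEX_URL: https://example.invalid/path/to/rancher.openvex.json   # placeholder URL
        run: |
          set -euo pipefail
          curl -fsSL "$VEX_URL" -o /tmp/rancher.openvex.json
          # Fail the job early if the file is not an OpenVEX document:
          # a truncated or HTML error page would otherwise be passed to Trivy silently.
          jq -e '.["@context"] and .statements' /tmp/rancher.openvex.json >/dev/null

      - name: Run Trivy filesystem scan with VEX
        uses: aquasecurity/trivy-action@0.28.0   # illustrative tag; pin by SHA
        env:
          # Trivy reads TRIVY_<FLAG> variables as the equivalent CLI flags.
          TRIVY_VEX: /tmp/rancher.openvex.json
          TRIVY_SHOW_SUPPRESSED: "true"   # list VEX-suppressed findings instead of hiding them
        with:
          scan-type: fs
          scan-ref: .
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH

      - name: Upload results to the GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
```

The download step validates the document before the scan because a VEX file that fails to parse is the same as no VEX file: findings the vendor marked `not_affected` would reappear, or worse, a bad file could be accepted without any signal. Whether `--show-suppressed` annotates the chosen output format depends on the Trivy version in use, so check the generated report once after enabling it.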

Copilot AI review requested due to automatic review settings May 28, 2026 05:33
@pohanhuang pohanhuang requested review from a team, Vicente-Cheng, Yu-Jack and tserong as code owners May 28, 2026 05:33

Copilot AI left a comment


Pull request overview

Updates the repository’s Trivy GitHub Actions workflow to incorporate Rancher VEX data during filesystem scans and ensure suppressed findings are visible in results uploaded to GitHub’s Security tab.

Changes:

  • Adjusts scan workflow triggers (version-branch pattern) and runner selection.
  • Downloads the Rancher VEX Hub OpenVEX report via media.githubusercontent.com and passes it to Trivy via TRIVY_VEX.
  • Refreshes inline version comments for pinned GitHub Actions steps.


branches:
- master
- 'v**'
- 'v*'
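Review bot: both `'v**'` and `'v*'` appear in the branch filter, and they do not match the same branches: in GitHub Actions branch globs `*` does not match `/` while `**` does, so `v*` triggers on `v1.5` but not on a branch named like `v1.5/fix`. State in the PR description which version branches are meant to run the scan so the chosen pattern can be checked against that intent.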
steps:
- name: Checkout code
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
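Review bot: only the trailing comment changes on this step (`# v4` to `# v4.3.1`) while the pinned SHA `34e114876b0b11c390a56381ad16ebd13914f8d5` is identical on both lines; confirm that this SHA is the commit tagged v4.3.1 in actions/checkout before merging, since a version comment that disagrees with the pin misleads future upgrades and automated pin-bumping.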
@pohanhuang
Contributor Author

Superseded by #278 because branch rules blocked force-pushing the original PR branch to add DCO signoff.

@pohanhuang pohanhuang closed this May 28, 2026