Skip to content

ci: update trivy scan workflow with VEX support#278

Merged
Vicente-Cheng merged 1 commit into
masterfrom
fix/trivy-action-vex-dco
May 28, 2026
Merged

ci: update trivy scan workflow with VEX support#278
Vicente-Cheng merged 1 commit into
masterfrom
fix/trivy-action-vex-dco

Conversation

@pohanhuang
Copy link
Copy Markdown
Contributor

@pohanhuang pohanhuang commented May 28, 2026

Summary

  • update the Trivy GitHub Actions workflow
  • download Rancher VEX Hub report before scanning
  • pass VEX data to Trivy and show suppressed findings
  • add DCO signoff to the commit

Testing

  • not run (GitHub Actions change only)

@pohanhuang
ci: update trivy scan workflow with VEX support
a243972 
Signed-off-by: pohanhuang <pohan.huang@suse.com>
Copilot AI review requested due to automatic review settings May 28, 2026 05:43
@pohanhuang pohanhuang requested review from a team, Vicente-Cheng, Yu-Jack and tserong as code owners May 28, 2026 05:43
@pohanhuang pohanhuang mentioned this pull request May 28, 2026
Closed
Copilot AI reviewed May 28, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the Trivy GitHub Actions scanning workflow to incorporate Rancher VEX Hub data so Trivy can suppress/annotate findings based on VEX, and refreshes a few workflow details (runner/branch patterns/action annotations).

Changes:

  • Adjust workflow triggers (release-branch glob) and runner selection.
  • Download Rancher VEX Hub report prior to scanning and provide it to Trivy (with suppressed findings shown).
  • Minor workflow hygiene updates (action version comments / formatting).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/scan.yml
Comment on lines 9 to 13
jobs:
build:
name: Build
runs-on: ubuntu-24.04
runs-on: ubuntu-latest
steps:
Comment thread .github/workflows/scan.yml
Comment on lines 17 to +21
- name: Download Rancher's VEX Hub report
run: curl -fsSO https://raw.githubusercontent.com/rancher/vexhub/refs/heads/main/reports/rancher.openvex.json
run: |
curl -fsSL -H "Accept: application/vnd.git-lfs+json" \
"https://media.githubusercontent.com/media/rancher/vexhub/main/reports/rancher.openvex.json" \
-o rancher.openvex.json
@pohanhuang
Copy link
Copy Markdown
Contributor Author

pohanhuang commented May 28, 2026

@mergify backport v1.8 v1.7

@mergify
Copy link
Copy Markdown

mergify Bot commented May 28, 2026
edited
Loading

backport v1.8 v1.7

✅ Backports have been created

Details

@Vicente-Cheng Vicente-Cheng merged commit 225e9a3 into master May 28, 2026
8 of 9 checks passed
@Vicente-Cheng Vicente-Cheng deleted the fix/trivy-action-vex-dco branch May 28, 2026 08:53
This was referenced May 28, 2026
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@Vicente-Cheng Vicente-Cheng Vicente-Cheng approved these changes

@bk201 bk201 bk201 approved these changes

@wheatdog wheatdog wheatdog approved these changes

@tserong tserong Awaiting requested review from tserong tserong is a code owner

@Yu-Jack Yu-Jack Awaiting requested review from Yu-Jack Yu-Jack is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@pohanhuang @Vicente-Cheng @bk201 @wheatdog