Conversation

scriptnull
Member

This PR does the following:

  • Replaces GitHub CodeQL with the security agent.
  • Fails the CI job if a high or critical vulnerability is found in the ddn workspace image.
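The gate the PR description asks for, written as an added example rather than code from this PR: it applies the same `severity: CRITICAL,HIGH` and `ignore-unfixed: true` policy as the trivy-action step in the workflow, but over Trivy's JSON report (`trivy image --format json`), so the pass/fail decision can be tested on its own. The report below is constructed, and `gate` / `exit_code` are hypothetical helper names.

```python
import json

# Constructed sample in the shape of a Trivy JSON report (not output from the PR's CI run).
# Trivy emits one entry per target; "Vulnerabilities" may be absent or null when a target is clean.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "ddn-workspace:test (debian 12)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libother",
                 "InstalledVersion": "2.0", "FixedVersion": "", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "libthird",
                 "InstalledVersion": "3.0", "FixedVersion": "3.1", "Severity": "MEDIUM"},
            ],
        },
        {"Target": "Node.js", "Vulnerabilities": None},
    ]
})


def gate(report_json, severities=("CRITICAL", "HIGH"), ignore_unfixed=True):
    """Return the findings that should fail the job as (target, id, package, severity).

    Mirrors the trivy-action inputs: `severity` selects which levels count, and
    `ignore-unfixed: true` drops findings with no FixedVersion, since nothing in
    the image can be upgraded to resolve them yet.
    """
    report = json.loads(report_json)
    failing = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in severities:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            failing.append((result["Target"], vuln["VulnerabilityID"],
                            vuln["PkgName"], vuln["Severity"]))
    return failing


def exit_code(report_json, **policy):
    """Process exit status for CI: 1 when any gated finding remains, else 0."""
    findings = gate(report_json, **policy)
    for target, vuln_id, pkg, severity in findings:
        print(f"{severity:8} {vuln_id} in {pkg} ({target})")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(exit_code(SAMPLE_REPORT))
```

The unfixed CRITICAL finding is reported but does not fail the job under the default policy; pass `ignore_unfixed=False` to make it count.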

Comment on lines 465 to 489
- name: Run Trivy vulnerability scan
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: "ddn-workspace:test"
    format: "sarif"
    output: "trivy-results.sarif"

- name: Upload Trivy scan results to GitHub Security tab
  uses: github/codeql-action/upload-sarif@v3
  if: always()
  with:
    sarif_file: "trivy-results.sarif"

- name: Print Trivy vulnerability scan results
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: "ddn-workspace:test"
    format: "table"
    exit-code: 0
    ignore-unfixed: true
    vuln-type: "os,library"
    severity: "CRITICAL,HIGH"

Member Author


@codingkarthik I have two questions for you:

  • Running the scan in the build-ddn-workspace job leads to a "no space left on disk" error like this. Was that the reason we chose to run the trivy scan as part of the test-connectors job?
  • Right now the test-connectors job is failing like this - it might be a valid test failure or a flake (I will let you determine). But do you think it is okay to run this CI job on all PRs and in the main branch to keep the tests passing always?

Collaborator


> Running the scan in the build-ddn-workspace leads to a "no space left on disk" error like this. Was it the reason we chose to run the trivy scan as part of test-connectors job?

No, I just wanted the testing bit to be separate from the building ddn workspace bit. I have never seen the no space left on disk error.

> Right now test-connectors job is failing like this - it might be valid test failure or a flake (I will let you determine). But do you think it is okay to run this CI job on all PRs and in the main branch to keep the tests passing always?

I think this is a bug in the DDN workspace testing framework; the test is now picking up the wrong version of the connector. I will fix this in this PR itself.

Member Author


I added a patch to revert to running the scan after the tests. I think the tests are still failing - could you check once?
