Harden dependency automation and remediate Trivy action supply-chain exposure #113
Pull request overview
This PR strengthens dependency maintenance and CI security reporting by introducing Dependabot configuration, adding a Dependabot auto-approval/auto-merge workflow, and integrating a Trivy filesystem scan with SARIF upload into CI.
Changes:
- Added `.github/dependabot.yml` to standardize daily npm updates with grouping, labels, and commit message prefixes.
- Added a Dependabot PR auto-approve/auto-merge workflow for patch/minor updates and labeling for major updates.
- Extended CI with a Trivy FS scan and SARIF upload, along with tightened workflow permissions.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| `.github/workflows/dependabot-automerge.yml` | Introduces bot-gated auto-approval/auto-merge and labeling logic for Dependabot PRs. |
| `.github/workflows/ci.yml` | Adds Trivy scan + SARIF upload and sets explicit workflow permissions for security event reporting. |
| `.github/dependabot.yml` | Configures Dependabot cadence, grouping, labeling, and commit message conventions for npm updates. |
| on: | ||
| pull_request: | ||
| types: [opened, synchronize, reopened] | ||
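Review bot: With `pull_request` as the trigger, the `GITHUB_TOKEN` issued to a run that Dependabot initiated is read-only, so the later `gh pr review --approve` and `gh pr merge --auto` steps will be refused with a permissions error. Because this job never checks out or executes the PR's code, `pull_request_target` is the appropriate event here, kept together with the `github.actor == 'dependabot[bot]'` job gate and an explicit top-level `permissions:` block limited to `contents: write` and `pull-requests: write`.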
|
|
| if: (steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor') && github.event.pull_request.mergeable_state == 'clean' | ||
| run: gh pr review --approve "$PR_URL" | ||
| env: | ||
| PR_URL: ${{ github.event.pull_request.html_url }} | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
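Review bot: `github.event.pull_request.mergeable_state` is not a reliable gate in the `opened`/`synchronize` payload: GitHub computes mergeability asynchronously and the field is frequently `unknown` at the moment the event fires, so this approve step would silently skip on most runs. Drop the `mergeable_state` clause and let `gh pr merge --auto` defer the merge until required checks pass. The `update-type` test is also copied verbatim into the merge step below; computing it once (a step output or job-level `env`) keeps the two conditions from drifting apart.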
|
|
||
| - name: Auto-merge patch & minor | ||
| if: (steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor') && github.event.pull_request.mergeable_state == 'clean' |
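Review bot: The `run:` line for this step is not visible in the hunk, so confirm the merge command passes `--auto` (queue the merge behind required checks rather than merging immediately) and that auto-merge is enabled in the repository settings, otherwise `gh pr merge --auto` fails. The `mergeable_state == 'clean'` clause should also be removed here: the field is often `unknown` when the event fires, and `--auto` already covers readiness. The step needs the same `PR_URL` and `GITHUB_TOKEN` `env:` entries as the approve step.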
|
|
||
| - name: Flag major updates for review | ||
| if: steps.metadata.outputs.update-type == 'version-update:semver-major' | ||
| run: gh pr edit "$PR_URL" --add-label "major-update,needs-review" |
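Review bot: `gh pr edit --add-label` errors if a label does not already exist in the repository, so `major-update` and `needs-review` must be created before the first major bump lands or this step will fail on its first use. The hunk shows no `env:` for this step; it needs `PR_URL` and a token exactly like the approve step, since `$PR_URL` is otherwise empty.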
| - name: Dependency Security Scan | ||
| uses: aquasecurity/trivy-action@0.35.0 | ||
| with: | ||
| scan-type: 'fs' | ||
| ignore-unfixed: true | ||
| format: 'sarif' | ||
| output: 'trivy-results.sarif' | ||
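Review bot: Given that this PR exists to move off a compromised Trivy action release line, `aquasecurity/trivy-action@0.35.0` should be pinned to the full 40-character commit SHA of that release, with the tag kept in a trailing comment; a tag is mutable and can be re-pointed, a SHA cannot. Two behaviours of this step are worth making explicit: `ignore-unfixed: true` means findings with no upstream fix never reach code scanning, and with no `exit-code` set the scan is report-only and never blocks CI. If either is intended, say so in a YAML comment; otherwise drop `ignore-unfixed` and set `exit-code: '1'` for the severities that should fail the build.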
|
|
||
| - name: Upload Trivy results | ||
| if: success() || failure() | ||
| uses: github/codeql-action/upload-sarif@v3 | ||
| with: | ||
| sarif_file: 'trivy-results.sarif' |
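Review bot: `if: success() || failure()` is the right choice over `always()` (it still skips on cancellation), but `upload-sarif` needs `security-events: write` in the workflow `permissions:` (plus `actions: read` on private repositories) or the upload is rejected; confirm the tightened permissions block grants exactly that and nothing more. Pin `github/codeql-action/upload-sarif@v3` to a commit SHA for the same supply-chain reason as the Trivy action, and consider the `category:` input so Trivy results stay distinct from any CodeQL uploads in code scanning.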
|
@copilot apply changes based on the comments in this thread

Applied the requested thread fixes in commit
This PR tightens dependency update automation and CI security reporting while addressing the flagged Trivy action compromise window. It adds structured Dependabot policies, constrains bot-driven merge behavior, and upgrades Trivy action usage to a patched release line.
Dependabot update policy
- Added `.github/dependabot.yml` with daily npm updates, grouped by dependency type and semver level.

Dependabot auto-merge controls
- Added `.github/workflows/dependabot-automerge.yml`.
- Switched to `pull_request_target` (still gated to `github.actor == 'dependabot[bot]'`) and removed PR checkout for safer token usage.
- Removed `mergeable_state` gating; `gh pr merge --auto` handles readiness.
- Major updates are labeled (`major-update`, `needs-review`) instead of merged.

CI dependency security scan + advisory remediation
- Extended `.github/workflows/ci.yml` with Trivy filesystem scan and SARIF upload.
- Upgraded `aquasecurity/trivy-action` from `0.28.0` to `0.35.0` to move out of vulnerable ranges.
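The auto-merge workflow shape the description lists (`pull_request_target` with an actor gate, no checkout of the PR head, no `mergeable_state` gate, label-only handling of major bumps) as an added illustration; this is not the PR's own file. It assumes `dependabot/fetch-metadata` as the source of `update-type`, uses an obviously fake all-zero commit SHA as a placeholder that must be replaced with the real pinned revision, and picks `--squash` as the merge method.

```yaml
# Added illustration of the hardened Dependabot auto-merge workflow described above.
# Not the PR's own file. The SHA below is a PLACEHOLDER, not a real revision.
name: Dependabot auto-merge

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# Least privilege: only what approving and enabling auto-merge require.
permissions:
  contents: write
  pull-requests: write

jobs:
  automerge:
    runs-on: ubuntu-latest
    # Gate on the actor so a PR opened by anyone else never reaches the bot steps.
    if: github.actor == 'dependabot[bot]'
    steps:
      # Deliberately no actions/checkout: pull_request_target runs with a
      # write-capable token, so the PR head's code must never execute here.
      - name: Fetch Dependabot metadata
        id: metadata
        # Assumed action; pin to its real commit SHA and keep the tag as a comment.
        uses: dependabot/fetch-metadata@0000000000000000000000000000000000000000 # v2 (placeholder SHA)
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Approve and auto-merge patch/minor updates
        # No mergeable_state clause: `gh pr merge --auto` waits for required checks.
        if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
        run: |
          gh pr review --approve "$PR_URL"
          gh pr merge --auto --squash "$PR_URL"   # --squash is an assumed merge method
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Flag major updates for review
        # Labels must already exist in the repository or `gh pr edit` fails.
        if: steps.metadata.outputs.update-type == 'version-update:semver-major'
        run: gh pr edit "$PR_URL" --add-label "major-update,needs-review"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Auto-merge must be enabled in the repository settings for `gh pr merge --auto` to succeed, and branch protection with required status checks is what makes `--auto` meaningful: the merge is queued, not forced, so a failing CI run (including the Trivy scan, if it is configured to fail on findings) still blocks the update.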