[SAR] APPENG-5140: Add CVE scanning to CI pipeline#188
Open
yuvalk wants to merge 2 commits into
Add a security scanning job to the CI pipeline that runs pip-audit for Python dependency vulnerabilities and Trivy for container image CVE scanning. This provides automated supply chain security checks.

- Add 'scan' job to CI workflow with pip-audit and Trivy steps
- Add pip-audit to dev dependencies in pyproject.toml
- Gate CI on scan job results alongside lint, test, and build

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
luis5tb
reviewed
May 6, 2026
- name: Build image for scanning
  run: |
    docker build -t lightspeed-agent:scan -f Containerfile .
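Review bot: the image is built here with `docker build -t lightspeed-agent:scan`, while the review comment notes that the other build step in this file uses podman, and the follow-up comment reports that Trivy cannot find `lightspeed-agent:scan`; that is the symptom you get when the image lands in one engine's image store and Trivy queries another. Rather than relying on which daemon Trivy can reach in the runner, make the scan step engine-independent: export the built image with `podman save -o image.tar lightspeed-agent:scan` and scan it with `trivy image --input image.tar`, or at least keep the build and the scan on the same engine.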
use podman as in the other build in this file?
Aligns with the existing CI build step which uses podman. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
yuvalk (Author)
Fixed - changed
luis5tb
reviewed
May 7, 2026
LGTM but it seems it cannot find the image: unable to find the specified image "lightspeed-agent:scan"
Summary
Addresses APPENG-5140.
Add automated security scanning to the CI pipeline using pip-audit for Python dependency vulnerabilities and Trivy for container image CVE scanning.
Changes
- Add `scan` job to `.github/workflows/ci.yml` that runs pip-audit and Trivy
- Add `pip-audit>=2.7.0` to dev dependencies in `pyproject.toml`
- `ci-gate` job: include scan results in the gate check

SAR Reference
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
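The PR gates CI on the scan job's results but the page shows neither tool's output nor the gating logic. The script below is an added example, not code from this PR or from the lightspeed-agent repository: it reads the JSON reports that `pip-audit --format json` and `trivy image --format json` produce, flattens them into one list of findings, and applies a hypothetical policy (any pip-audit finding blocks, Trivy findings block at HIGH/CRITICAL, optionally ignoring findings with no fix, mirroring Trivy's `--ignore-unfixed`). The embedded sample reports are constructed, and their CVE/PYSEC identifiers are placeholders rather than real advisories; the policy threshold and the function names are assumptions.

```python
"""Gate a CI run on pip-audit and Trivy JSON reports (added example).

Assumes the scan job wrote `pip-audit --format json` and `trivy image
--format json` output to files. Field names follow the two tools' JSON
report formats; the sample reports and their ids are constructed placeholders.
"""
import json
import sys

# Hypothetical policy: Trivy findings block at these severities. pip-audit
# reports no severity, so any pip-audit finding blocks (the tool's own default).
FAIL_SEVERITIES = frozenset({"HIGH", "CRITICAL"})

# Constructed sample of a pip-audit JSON report (placeholder ids, not real advisories).
SAMPLE_PIP_AUDIT = {
    "dependencies": [
        {"name": "examplepkg", "version": "1.0.0", "vulns": [
            {"id": "PYSEC-0000-PLACEHOLDER", "fix_versions": ["1.0.1"],
             "aliases": ["CVE-0000-00001"], "description": "constructed placeholder"}]},
        {"name": "cleanpkg", "version": "2.3.4", "vulns": []},
    ],
    "fixes": [],
}

# Constructed sample of a Trivy image-scan JSON report (placeholder ids).
SAMPLE_TRIVY = {
    "SchemaVersion": 2,
    "ArtifactName": "lightspeed-agent:scan",
    "Results": [
        {"Target": "lightspeed-agent:scan (debian 12)", "Class": "os-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libexample",
             "InstalledVersion": "1.2.3-1", "FixedVersion": "1.2.3-2", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-00003", "PkgName": "libother",
             "InstalledVersion": "0.9", "FixedVersion": "", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-00004", "PkgName": "libminor",
             "InstalledVersion": "3.0", "FixedVersion": "3.1", "Severity": "LOW"}]},
        # Trivy emits null (not an empty list) for targets with no findings.
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Vulnerabilities": None},
    ],
}


def pip_audit_findings(report):
    """Flatten {"dependencies": [{"name", "version", "vulns": [...]}]} into finding dicts."""
    found = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            found.append({
                "source": "pip-audit", "package": dep["name"], "installed": dep["version"],
                "id": vuln["id"], "severity": None,  # pip-audit does not rate severity
                "fixed": list(vuln.get("fix_versions", [])),
            })
    return found


def trivy_findings(report):
    """Flatten {"Results": [{"Target", "Vulnerabilities": [...] | null}]} into finding dicts."""
    found = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            fixed = vuln.get("FixedVersion") or ""
            found.append({
                "source": "trivy", "target": result.get("Target", ""),
                "package": vuln["PkgName"], "installed": vuln.get("InstalledVersion", ""),
                "id": vuln["VulnerabilityID"],
                "severity": (vuln.get("Severity") or "UNKNOWN").upper(),
                "fixed": [fixed] if fixed else [],
            })
    return found


def blocking_findings(findings, severities=FAIL_SEVERITIES, ignore_unfixed=False):
    """Apply the policy: pip-audit always blocks; Trivy blocks at the chosen severities."""
    blocked = []
    for f in findings:
        if ignore_unfixed and not f["fixed"]:
            continue  # nothing actionable yet; mirrors Trivy's --ignore-unfixed
        if f["source"] == "pip-audit" or f["severity"] in severities:
            blocked.append(f)
    return blocked


def gate(pip_report, trivy_report, severities=FAIL_SEVERITIES, ignore_unfixed=False):
    """Return (passed, blocking_findings) for a pair of parsed reports."""
    findings = pip_audit_findings(pip_report) + trivy_findings(trivy_report)
    blocked = blocking_findings(findings, severities, ignore_unfixed)
    return (not blocked, blocked)


def format_finding(f):
    fix = ", ".join(f["fixed"]) or "no fix available"
    sev = f["severity"] or "n/a"
    return f"[{f['source']}] {f['id']} {f['package']} {f['installed']} (severity {sev}; fix: {fix})"


def main(argv):
    """Usage: scan_gate.py pip-audit.json trivy.json (no arguments: run on the samples)."""
    if len(argv) == 3:
        with open(argv[1]) as fh:
            pip_report = json.load(fh)
        with open(argv[2]) as fh:
            trivy_report = json.load(fh)
    else:
        pip_report, trivy_report = SAMPLE_PIP_AUDIT, SAMPLE_TRIVY
    passed, blocked = gate(pip_report, trivy_report)
    for f in blocked:
        print(format_finding(f))
    print("scan gate:", "PASS" if passed else f"FAIL ({len(blocked)} blocking finding(s))")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a workflow the two reports would come from `pip-audit --format json -o pip-audit.json` and `trivy image --format json -o trivy.json ...`, and the script's non-zero exit is what the gate job keys on. Keeping the policy in one place, instead of spread across each tool's exit-code flags, makes it visible in review when someone raises a threshold or starts ignoring unfixed findings.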