ci: add CodeQL and Trivy container scanning #58
Conversation
- Add CodeQL workflow for JavaScript/TypeScript code scanning on push, PR, and weekly schedule
- Add Trivy scan step to docker-build job, uploading SARIF results to GitHub Security tab
Pull request overview
Adds automated security scanning in CI by introducing a CodeQL workflow for JS/TS analysis and extending the Docker build workflow to run a Trivy container vulnerability scan, with SARIF uploads to GitHub’s Security tab.
Changes:
- Add a new `.github/workflows/codeql.yml` workflow for CodeQL JS/TS analysis on push/PR and a weekly schedule.
- Extend the `.github/workflows/build.yml` docker-build job to run Trivy on a built container image and upload SARIF results.
- Update workflow permissions to allow SARIF uploads (`security-events: write`).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .github/workflows/codeql.yml | Introduces CodeQL workflow and SARIF upload permissions for JS/TS code scanning. |
| .github/workflows/build.yml | Adds Trivy image scanning + SARIF upload and expands job permissions to support security reporting. |
Fixes Node.js 20 deprecation warnings.
- Pin trivy-action to 0.35.0 instead of @master
- Use trivy fs scan instead of rebuilding the Docker image
- Skip CodeQL on fork PRs (no security-events: write token)
- Gate Trivy SARIF upload on non-fork PRs
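As an added example, not the PR's own build.yml: the two-step Trivy pattern the commit above describes, with the fork gate written so that it also keeps uploading on push events, where `github.event.pull_request` is empty. The `output`, `severity`, `exit-code` and `sarif_file` inputs are assumed from the two actions' documented inputs and are not shown in this PR.

```yaml
# Added example (not the PR's build.yml). Fragment of a docker-build job
# that scans the checked-out filesystem with Trivy and uploads SARIF on
# pushes and same-repo PRs, but not on fork PRs, whose GITHUB_TOKEN cannot
# write security events.
permissions:
  contents: read
  security-events: write   # required by upload-sarif

jobs:
  docker-build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Trivy filesystem scan
        uses: aquasecurity/trivy-action@0.35.0   # pinned, as in the commit
        with:
          scan-type: fs
          scan-ref: .
          format: sarif
          output: trivy-results.sarif          # assumed input name
          severity: CRITICAL,HIGH              # assumed input name
          # 0: report findings in the Security tab without failing the job.
          # Set to 1 to make findings block the build instead.
          exit-code: 0                         # assumed input name

      - name: Upload Trivy results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        # always(): upload even when the scan step itself failed.
        # Skip fork PRs, but keep push runs: the PR-only comparison alone
        # would evaluate to false outside pull_request events.
        if: >-
          always() &&
          (github.event_name != 'pull_request' ||
           github.event.pull_request.head.repo.full_name == github.repository)
        with:
          sarif_file: trivy-results.sarif      # assumed input name
```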
Pull request overview
Adds automated security scanning to the repository’s CI so findings show up in GitHub’s Security tab (CodeQL for JS/TS and Trivy SARIF upload).
Changes:
- Introduces a new CodeQL workflow for JavaScript/TypeScript analysis on push/PR and a weekly schedule.
- Extends the Docker build workflow with a Trivy scan step and SARIF upload permissions.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/codeql.yml | New CodeQL workflow to analyze JS/TS and publish results to GitHub Security. |
| .github/workflows/build.yml | Adds security-events: write, runs Trivy, and uploads Trivy SARIF output. |
| - name: Trivy container scan | ||
| uses: aquasecurity/trivy-action@0.35.0 | ||
| with: | ||
| scan-type: fs | ||
| scan-ref: . | ||
| format: sarif |
| - name: Upload Trivy results to GitHub Security tab | ||
| uses: github/codeql-action/upload-sarif@v4 | ||
| if: always() && github.event.pull_request.head.repo.full_name == github.repository |
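Review bot: the upload condition `if: always() && github.event.pull_request.head.repo.full_name == github.repository` skips the SARIF upload on every push run, not only on fork PRs, because `github.event.pull_request` is empty outside `pull_request` events and the comparison then evaluates to false. Suggest `always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)` so branch pushes still populate the Security tab. Also, with `scan-type: fs` and `scan-ref: .` the step scans the checked-out repository rather than an image, so the step name `Trivy container scan` is misleading; rename it to something like `Trivy filesystem scan`.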
Summary
Both are free for public repositories.
Test plan