Skip to content

Add Trivy vulnerability scanning to nightly dev Docker builds #21772

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Kangyan-Zhou merged 6 commits into from
Mar 31, 2026
Merged

Add Trivy vulnerability scanning to nightly dev Docker builds #21772

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
20eab32
Add Trivy vulnerability scanning to nightly dev Docker builds
Kangyan-Zhou Mar 31, 2026
22d1c1e
Use self-hosted runner for Trivy scan to avoid disk space issues
Kangyan-Zhou Mar 31, 2026
b4f79c0
Fix trivy-action version tag (v0.35.0, not 0.33.1)
Kangyan-Zhou Mar 31, 2026
4fe5d09
Move Trivy scan to standalone workflow with vuln-only scanning
Kangyan-Zhou Mar 31, 2026
a3bc1d9
Fix shell injection, duplicate scan, and missing step guard in trivy …
Kangyan-Zhou Mar 31, 2026
4e844a5
Add scan summary to GitHub Step Summary for visibility
Kangyan-Zhou Mar 31, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
83 changes: 83 additions & 0 deletions .github/workflows/trivy-scan-dev.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
name: Trivy Scan Dev Docker Images

on:
# Run daily after nightly dev builds (which run at midnight UTC)
schedule:
- cron: "0 6 * * *"
workflow_dispatch:
inputs:
tag:
description: "Image tag to scan (e.g., dev, dev-cu13, latest)"
required: false
default: ""

jobs:
scan:
if: github.repository == 'sgl-project/sglang'
runs-on: x64-docker-build-node
timeout-minutes: 45
permissions:
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
tag: ${{ inputs.tag && fromJSON(format('["{0}"]', inputs.tag)) || fromJSON('["dev", "dev-cu13"]') }}
steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@v0.35.0
with:
image-ref: 'docker.io/lmsysorg/sglang:${{ matrix.tag }}'
scanners: 'vuln'
format: 'sarif'
output: 'trivy-results-${{ matrix.tag }}.sarif'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true

- name: Upload Trivy scan results to GitHub Security
uses: github/codeql-action/upload-sarif@v4
if: always() && hashFiles(format('trivy-results-{0}.sarif', matrix.tag)) != ''
with:
sarif_file: 'trivy-results-${{ matrix.tag }}.sarif'
category: 'trivy-${{ matrix.tag }}'

- name: Run Trivy (table output for logs)
if: success()
uses: aquasecurity/trivy-action@v0.35.0
with:
image-ref: 'docker.io/lmsysorg/sglang:${{ matrix.tag }}'
scanners: 'vuln'
format: 'table'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true

- name: Scan summary
if: always()
run: |
IMAGE="docker.io/lmsysorg/sglang:${{ matrix.tag }}"
SARIF="trivy-results-${{ matrix.tag }}.sarif"

echo "## Trivy Scan: \`${{ matrix.tag }}\`" >> "$GITHUB_STEP_SUMMARY"

if [ ! -f "${SARIF}" ]; then
echo "**Status:** Scan failed — no SARIF output produced" >> "$GITHUB_STEP_SUMMARY"
exit 0
fi

VULN_COUNT=$(python3 -c "
import json
data = json.load(open('${SARIF}'))
print(sum(len(run.get('results', [])) for run in data.get('runs', [])))
")

echo "- **Image**: \`${IMAGE}\`" >> "$GITHUB_STEP_SUMMARY"
echo "- **Findings**: ${VULN_COUNT}" >> "$GITHUB_STEP_SUMMARY"

if [ "${VULN_COUNT}" = "0" ]; then
echo "- **Result**: No CRITICAL/HIGH unfixed vulnerabilities found" >> "$GITHUB_STEP_SUMMARY"
else
echo "- **Result**: Found ${VULN_COUNT} finding(s) — check the Security tab for details" >> "$GITHUB_STEP_SUMMARY"
fi
Loading