From 43f5916a1d3ba4043091ba02e30efcac53e1478a Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Sat, 28 Mar 2026 21:10:57 -0700
Subject: [PATCH] ci: add Trivy CVE scan to container release workflow (#8820)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* ci: add Trivy CVE scan to container release workflow
* ci: pin trivy-action version and fail on HIGH/CRITICAL CVEs
Address review feedback:
- Pin aquasecurity/trivy-action to v0.28.0 instead of @master
- Add exit-code: '1' so the scan fails the job on findings
- Add comment explaining why only amd64 is scanned
* ci: pin trivy-action to SHA for v0.35.0
Tags ≤0.34.2 were compromised (GHSA-69fq-xp46-6x23). Pin to the full commit SHA of v0.35.0 to avoid mutable tag risks.
---
 .github/workflows/container_latest.yml | 42 +++++++++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/container_latest.yml b/.github/workflows/container_latest.yml
index 27e131a52..f385ed200 100644
--- a/.github/workflows/container_latest.yml
+++ b/.github/workflows/container_latest.yml
@@ -26,6 +26,7 @@ on:
 permissions:
 contents: read
+ security-events: write
 jobs:
 setup:
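Review bot: `security-events: write` is granted at the workflow level, so it applies to every job in the file (setup, build, create-manifest and the new trivy-scan) even though only the upload-sarif step in trivy-scan needs it. A job-level block under `trivy-scan:` — `permissions:` / `contents: read` / `security-events: write` — keeps the other jobs at the existing `contents: read`; a job-level `permissions:` replaces the workflow-level grant rather than extending it, which is why `contents: read` is repeated there. The job definitions themselves sit outside this hunk, so whether any of them already declares its own `permissions:` block cannot be confirmed here.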
@@ -149,9 +150,48 @@ jobs:
 # Remove Go build cache
 sudo rm -rf /tmp/go-build*
- create-manifest:
+ trivy-scan:
 runs-on: ubuntu-latest
 needs: [setup, build]
+ strategy:
+ matrix:
+ variant: ${{ fromJSON(needs.setup.outputs.variants) }}
+ steps:
+ - name: Configure variant
+ id: config
+ run: |
+ if [ "${{ matrix.variant }}" == "large_disk" ]; then
+ echo "tag_suffix=_large_disk" >> $GITHUB_OUTPUT
+ else
+ echo "tag_suffix=" >> $GITHUB_OUTPUT
+ fi
+ - name: Login to GHCR
+ uses: docker/login-action@v4
+ with:
+ registry: ghcr.io
+ username: ${{ secrets.GHCR_USERNAME }}
+ password: ${{ secrets.GHCR_TOKEN }}
+ - name: Run Trivy vulnerability scanner
+ # Pin to SHA — mutable tags were compromised (GHSA-69fq-xp46-6x23)
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+ with:
+ # Scan amd64 only — OS packages are identical across architectures
+ # since they all use the same alpine base, so a single-arch scan
+ # provides sufficient coverage without multiplying CI time.
+ image-ref: ghcr.io/chrislusf/seaweedfs:${{ github.event_name == 'workflow_dispatch' && github.event.inputs.image_tag || 'latest' }}${{ steps.config.outputs.tag_suffix }}-amd64
+ format: sarif
+ output: trivy-results.sarif
+ severity: HIGH,CRITICAL
+ exit-code: '1'
+ - name: Upload Trivy scan results to GitHub Security
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: trivy-results.sarif
+
+ create-manifest:
+ runs-on: ubuntu-latest
+ needs: [setup, build, trivy-scan]
 if: github.event_name != 'pull_request'
 strategy:
 matrix:
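Review bot: Action pinning is inconsistent inside the new trivy-scan job: the comment above the scanner step and the commit message argue for SHA pinning because tags are mutable, yet the two new steps around it, `docker/login-action@v4` and `github/codeql-action/upload-sarif@v3`, are still pinned by mutable tag. Pinning them the same way, `uses: docker/login-action@<commit-sha> # v4` and `uses: github/codeql-action/upload-sarif@<commit-sha> # v3` (placeholder SHAs to be resolved from the upstream release), gives the job one consistent supply-chain posture; whether the rest of this workflow pins by tag is outside the hunk. Separately, the `Configure variant` step interpolates `${{ matrix.variant }}` directly into the `run:` script; passing it through `env:` instead (`env: VARIANT: ${{ matrix.variant }}` and `if [ "$VARIANT" == "large_disk" ]; then`) avoids the expression-in-shell pattern even though this value comes from the setup job's outputs rather than from external input. The `create-manifest` job continues past the end of the hunk.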