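--- a/.github/workflows/pip-audit-reusable.yml
+++ b/.github/workflows/pip-audit-reusable.yml
@@ -0,0 +1,33 @@
+# Reusable Python dependency vulnerability audit (the pip equivalent of npm
+# audit). Scans a requirements file against the PyPI Advisory DB + OSV via
+# pypa/gh-action-pip-audit. Callers delegate here:
+#
+# jobs:
+#   pip-audit:
+#     uses: roleme/workflows/.github/workflows/pip-audit-reusable.yml@<sha>
+#     with:
+#       inputs: requirements.txt # file(s) to audit
+name: pip-audit (reusable)
+
+on:
+  workflow_call:
+    inputs:
+      inputs:
+        description: Requirements file (or path) to audit
+        required: false
+        type: string
+        default: requirements.txt
+
+permissions:
+  contents: read
+
+jobs:
+  pip-audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
+      - uses: pypa/gh-action-pip-audit@1220774d901786e6f652ae159f7b6bc8fea6d266 # v1.1.0
+        with:
+          inputs: ${{ inputs.inputs }}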
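Review bot: The header's claim that the scan runs `against the PyPI Advisory DB + OSV` is not what this job configures: pypa/gh-action-pip-audit queries one vulnerability service, PyPI's by default, and OSV is only consulted when `vulnerability-service: osv` is passed, which the `with:` block on the last line does not do — confirm against the pinned v1.1.0's `action.yml` and reword the comment to `# Scans a requirements file via pypa/gh-action-pip-audit (PyPI advisory service by default)`. Unlike the trivy sibling, this job exposes no report-only or suppression knob, so a single unfixable advisory blocks every caller; consider plumbing the action's `ignore-vulns` input through a matching `workflow_call` input, e.g. `ignore-vulns: ${{ inputs.ignore-vulns }}`. In requirements mode pip-audit resolves the file by running pip in a throwaway environment, which can build source distributions (and so execute their build backends) when the file is not fully pinned — worth a header comment that callers should pin, or pass `require-hashes: true` for hash-locked files, since `persist-credentials: false` and `contents: read` limit but do not eliminate that exposure. The pip-audit step also lacks the `name:` that the trivy scan step carries.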
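--- a/.github/workflows/trivy-reusable.yml
+++ b/.github/workflows/trivy-reusable.yml
@@ -0,0 +1,47 @@
+# Reusable Trivy image vulnerability scan — the CVE-audit counterpart to KICS
+# (which only checks compose *configuration*, not image contents). Scans a
+# container image for known OS/library CVEs. Callers delegate here, typically
+# once per image discovered in the changed compose files:
+#
+# jobs:
+#   trivy:
+#     uses: roleme/workflows/.github/workflows/trivy-reusable.yml@<sha>
+#     with:
+#       image: ghcr.io/owner/repo:tag
+#       severity: HIGH,CRITICAL
+name: trivy (reusable)
+
+on:
+  workflow_call:
+    inputs:
+      image:
+        description: Container image reference to scan (name:tag)
+        required: true
+        type: string
+      severity:
+        description: Comma-separated severities to report/fail on
+        required: false
+        type: string
+        default: HIGH,CRITICAL
+      exit-code:
+        description: Exit code when vulnerabilities are found (1 = fail, 0 = report only)
+        required: false
+        type: string
+        default: "1"
+
+permissions:
+  contents: read
+
+jobs:
+  trivy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trivy image scan
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
+        with:
+          scan-type: image
+          image-ref: ${{ inputs.image }}
+          severity: ${{ inputs.severity }}
+          exit-code: ${{ inputs.exit-code }}
+          ignore-unfixed: true
+          format: table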
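Review bot: `image-ref: ${{ inputs.image }}` is pulled with no registry credentials and the job's `permissions` grant only `contents: read`, so a private image such as the header's own `ghcr.io/owner/repo:tag` example will fail at the pull rather than yield a scan result. If private GHCR images are in scope, add `packages: read` and hand the job token to trivy through its `TRIVY_USERNAME`/`TRIVY_PASSWORD` environment variables as sketched below (the `GITHUB_TOKEN` can only read packages visible to the calling repository — confirm for your org); otherwise state in the header comment that only public images are supported. `ignore-unfixed: true` is hard-coded, so vulnerabilities without an upstream fix never surface even in `exit-code: "0"` report-only runs; exposing it as an input alongside `severity`/`exit-code`, `ignore-unfixed: ${{ inputs.ignore-unfixed }}` with default `"true"`, keeps today's behaviour while letting callers see the full picture. With `format: table` results live only in the job log; a comment recording that SARIF upload to code scanning was deliberately left out (it would need `security-events: write`) would spare the next maintainer the question.
```yaml
permissions:
  contents: read
  packages: read # lets GITHUB_TOKEN pull private GHCR images
# … unchanged: jobs.trivy header, runs-on …
      - name: Trivy image scan
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
        env:
          TRIVY_USERNAME: ${{ github.actor }}
          TRIVY_PASSWORD: ${{ github.token }}
        # … unchanged: with: scan-type, image-ref, severity, exit-code, ignore-unfixed, format …
```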