feat: add Trivy security scanning and SBOM generation

jmcombs · jmcombs · commit c6287d93b90e · 2025-12-21T15:06:11.000-05:00
- Add security-scan job with matrix strategy for all 3 images (base-ubuntu, node, python)
- Generate SBOM in CycloneDX format and store as workflow artifacts
- Scan for CRITICAL, HIGH, and MEDIUM vulnerabilities
- Upload SARIF results to GitHub Security tab with separate categories
- Add scheduled weekly scans (Sundays 00:00 UTC) to catch new CVEs
- Add workflow_dispatch for manual triggering
- Add security badges and documentation to README
diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml
@@ -7,6 +7,11 @@ on:
   pull_request:
     branches:
       - main
+  schedule:
+    # Run weekly on Sundays at 00:00 UTC to catch new vulnerabilities
+    - cron: "0 0 * * 0"
+  workflow_dispatch:
+    # Allow manual triggering
 
 env:
   REGISTRY: ghcr.io
@@ -85,3 +90,57 @@ jobs:
             --platform linux/arm64,linux/amd64 \
             --output type=registry \
             ${{ env.LABEL_ARGS }}
+
+  # Security scanning job - runs after successful build
+  security-scan:
+    needs: build-and-publish
+    runs-on: ubuntu-latest
+    # Only run on push to main or scheduled runs (not on PRs to avoid duplicate scans)
+    if: github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+    permissions:
+      contents: read
+      packages: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        image: [base-ubuntu, node, python]
+
+    steps:
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Pull container image
+        run: docker pull ghcr.io/${{ github.repository }}:${{ matrix.image }}
+
+      - name: Generate SBOM with Trivy
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "ghcr.io/${{ github.repository }}:${{ matrix.image }}"
+          format: "cyclonedx"
+          output: "sbom-${{ matrix.image }}.json"
+
+      - name: Upload SBOM as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-${{ matrix.image }}
+          path: sbom-${{ matrix.image }}.json
+          retention-days: 90
+
+      - name: Scan for vulnerabilities with Trivy
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "ghcr.io/${{ github.repository }}:${{ matrix.image }}"
+          format: "sarif"
+          output: "trivy-${{ matrix.image }}.sarif"
+          severity: "CRITICAL,HIGH,MEDIUM"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "trivy-${{ matrix.image }}.sarif"
+          category: "container-${{ matrix.image }}"
diff --git a/README.md b/README.md
@@ -1,8 +1,19 @@
 # Devcontainer
 
-[![GitHub stars](https://img.shields.io/github/stars/jmcombs/devcontainer)](https://github.com/jmcombs/devcontainer/stargazers) ![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/jmcombs/devcontainer/build-and-publish.yml?logo=github)
+[![GitHub stars](https://img.shields.io/github/stars/jmcombs/devcontainer)](https://github.com/jmcombs/devcontainer/stargazers)
+[![Build and Publish](https://img.shields.io/github/actions/workflow/status/jmcombs/devcontainer/build-and-publish.yml?label=build&logo=github)](https://github.com/jmcombs/devcontainer/actions/workflows/build-and-publish.yml)
+[![Security Scan](https://img.shields.io/github/actions/workflow/status/jmcombs/devcontainer/build-and-publish.yml?label=security%20scan&logo=trivy&logoColor=white)](https://github.com/jmcombs/devcontainer/security/code-scanning)
 [![GitHub issues](https://img.shields.io/github/issues/jmcombs/devcontainer)](https://github.com/jmcombs/devcontainer/issues)
 
+## Security
+
+This repository implements automated security scanning for all container images:
+
+- 🔍 **Vulnerability Scanning**: All images are scanned with [Trivy](https://trivy.dev/) for CVEs
+- 📋 **SBOM Generation**: Software Bill of Materials generated in CycloneDX format
+- 🔄 **Scheduled Scans**: Weekly security scans catch newly discovered vulnerabilities
+- 📊 **Security Dashboard**: View results in the [Security tab](https://github.com/jmcombs/devcontainer/security/code-scanning)
+
 A collection of [Development Container](https://containers.dev/) definitions for creating consistent, reproducible development environments. This repository provides pre-configured `devcontainer` images to streamline setting up development environments in tools like Visual Studio Code, GitHub Codespaces, or other container-based IDEs.
 
 ## About
@@ -20,10 +31,10 @@ This repository contains a set of **dev container images** which are Docker imag
 
 Below is a list of available Dev Container definitions in this repository:
 
-| Name          | Description                                                  | Base Image                            | Documentation                              |
-| --------      | ------------------------------------------------------------ | ------------------------------------- | ------------------------------------------ |
-| `python`      | Python 3.x environment with common tools (e.g., pip, pylint) | `ghcr.io/jmcombs/devcontainer:python` | [Python Docs](src/python/README.md)        |
-| `node`        | Node.js environment with npm/yarn and VS Code extensions     | `ghcr.io/jmcombs/devcontainer:node`   | [Node Docs](src/node/README.md)            |
+| Name          | Description                                                  | Base Image                                 | Documentation                                 |
+| ------------- | ------------------------------------------------------------ | ------------------------------------------ | --------------------------------------------- |
+| `python`      | Python 3.x environment with common tools (e.g., pip, pylint) | `ghcr.io/jmcombs/devcontainer:python`      | [Python Docs](src/python/README.md)           |
+| `node`        | Node.js environment with npm/yarn and VS Code extensions     | `ghcr.io/jmcombs/devcontainer:node`        | [Node Docs](src/node/README.md)               |
 | `base-ubuntu` | Base Ubuntu 22.04 image with essential tools                 | `ghcr.io/jmcombs/devcontainer:base-ubuntu` | [Base Ubuntu Docs](src/base-ubuntu/README.md) |
 
 ## Usage
