Autonomous, closed-loop CVE detection and remediation for containerized workloads β local CPU inference, cloud LLMs, or bring your own.
This GitHub Action detects vulnerabilities in your container images, uses an AI model to generate a Dockerfile patch, validates the fix inside an ephemeral KinD cluster, and opens a pull request with proof β all automatically.
Push β Trivy Scan β CVE Found β AI Patches Dockerfile
β Smoke Test β KinD Validates β Re-scan Confirms β PR Opened
Zero data egress with local Ollama (default), or use OpenAI-compatible API providers (like NVIDIA NIM or DeepSeek) for faster inference. Supports mono-repos out-of-the-box via dynamic build context resolution.
name: Supply Chain Guardian
on:
push:
branches: [main]
schedule:
- cron: '0 2 * * *' # Nightly CVE check
permissions:
contents: write
pull-requests: write
jobs:
guardian:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Supply Chain Guardian
uses: barbaria888/SupplyChain-Guardian-AI-Github_Action@v2
with:
dockerfile: './Dockerfile'That's it. The action handles everything β scanning, patching, validation, and PR creation.
Choose the inference engine that fits your needs:
Create this repository secret first in GitHub Settings β Secrets and variables β Actions: NVIDIA_NIM_API_KEY (get your key from NVIDIA API Catalog: https://build.nvidia.com/).
- uses: barbaria888/SupplyChain-Guardian-AI-Github_Action@v2
with:
provider: 'openai'
model: 'deepseek-ai/deepseek-v4-flash'
openai-endpoint: 'https://integrate.api.nvidia.com/v1'
api-key: ${{ secrets.NVIDIA_NIM_API_KEY }}- uses: barbaria888/SupplyChain-Guardian-AI-Github_Action@v2
with:
provider: 'ollama'
model: 'llama3.2:1b' # ~700MB, runs on GitHub runner CPU- uses: barbaria888/SupplyChain-Guardian-AI-Github_Action@v2
with:
provider: 'openai'
model: 'deepseek-ai/deepseek-v4-flash'
api-key: ${{ secrets.OPENAI_API_KEY }}
| Layer | Tool | Role |
|---|---|---|
| Scanning | Trivy | CVE detection, SBOM generation |
| AI Reasoning | Ollama / OpenAI / NVIDIA NIM | Dockerfile patching |
| Validation | KinD | Ephemeral K8s integration test |
| Orchestration | GitHub Actions | Full pipeline coordinator |
| PR Creation | peter-evans/create-pull-request | Automated, human-reviewable PR |
| Input | Required | Default | Description |
|---|---|---|---|
dockerfile |
No | Dockerfile |
Path to the Dockerfile to scan and patch |
image-ref |
No | '' |
Pre-built image to scan (skips build step) |
severity |
No | CRITICAL,HIGH |
Trivy severity filter |
provider |
No | ollama |
LLM provider: ollama or openai |
model |
No | (auto) | Model name for the selected provider |
api-key |
No | '' |
API key for cloud providers. Falls back to step/job env API_KEY if omitted |
openai-endpoint |
No | https://integrate.api.nvidia.com/v1 |
OpenAI-compatible base URL (e.g. NVIDIA NIM or DeepSeek API) |
trivy-version |
No | 0.55.0 |
Trivy version |
kind-enabled |
No | true |
Enable KinD cluster validation |
kind-config |
No | .kind/cluster-config.yaml |
KinD cluster config path |
k8s-manifests |
No | k8s/ |
K8s manifests directory |
create-pr |
No | true |
Auto-create Pull Request |
pr-branch |
No | auto-patcher/cve-remediation |
Branch name for the PR |
pr-labels |
No | security,automated-patch,... |
PR labels |
fail-on-vulnerability |
No | true |
Fail if CVEs can't be patched |
llm-timeout |
No | 300 |
LLM inference timeout (seconds) |
policy-preset |
No | strict |
Enforcement mode: strict (fail on any issue) or lax (warn and continue) |
enforce-non-root |
No | true |
Reject patched Dockerfiles running as root. Set to false to allow root. |
healthz-port |
No | 18080 |
Host port mapped to the container for the health check |
healthz-path |
No | / |
Endpoint route path for the health check probe |
| Output | Description |
|---|---|
vulnerabilities-found |
Whether CRITICAL/HIGH CVEs were detected |
patch-applied |
Whether the AI generated a valid patch |
smoke-test-passed |
Whether the patched Dockerfile compiled |
kind-validation-passed |
Whether KinD deployment succeeded |
pr-url |
URL of the created Pull Request |
trivy-results-path |
Path to scan results JSON |
audit-log-path |
Path to the LLM audit log |
- Instruction Whitelist β Every Dockerfile line must start with a valid instruction (
FROM,RUN,COPY, etc.). Invented keywords likeCREATEGROUPorADDuserare rejected instantly. - Docker Build Smoke Test β The patched Dockerfile must compile with
docker buildbefore any artifact is uploaded. - KinD Cluster Validation β The patched image must boot, pass health probes, and show zero
CrashLoopBackOffpods.
The AI patching engine prioritizes fixing vulnerabilities at the source manifest level (package.json / requirements.txt) rather than injecting inline package installation commands into Docker RUN layers. This prevents dependency collision loops and corrupt node_modules footprints.
The enforce-non-root input controls whether the integrity gate requires a USER instruction in the patched Dockerfile:
true(default): The gate enforces that aUSERinstruction exists in the patched file (if the original had one), ensuring non-root container execution.false: Root configurations are permitted β useful for base images or build-stage containers.
The runtime stability check automatically injects dummy database URIs (MONGO_URI, DATABASE_URL, SKIP_DB) into the smoke test container. This prevents applications with mandatory database connections (Mongoose, PostgreSQL, etc.) from crashing during the 15-second stability window.
The AI writes to Dockerfile.patched β the original file is never touched until the smoke test passes. If the patch is rejected, the broken file is uploaded to a rejected-patch-forensic artifact for audit.
All Kubernetes manifests enforce:
runAsNonRoot: truereadOnlyRootFilesystem: trueallowPrivilegeEscalation: falsecapabilities.drop: [ALL]seccompProfile: RuntimeDefault
Every pipeline run uploads (90-day retention):
| Artifact | Purpose |
|---|---|
trivy-results.json |
Original vulnerability report |
patch_audit.log |
Full LLM prompt + response for audit review |
kind-test-report.txt |
KinD cluster validation evidence |
trivy-results-post-patch.json |
Proof of CVE remediation |
.
βββ action.yml # GitHub Marketplace Action definition
βββ agents.md # Agent persona definitions
βββ .agents/skills/ # Domain interaction contracts
βββ .kind/cluster-config.yaml # KinD 2-node cluster spec
βββ .trivy/ # Trivy policy & ignore files
βββ .github/workflows/ # Internal pipeline (dogfooding)
βββ k8s/ # Production-grade K8s manifests
βββ scripts/remediate_cve.py # AI patching engine (multi-provider)
βββ src/ # Demo FastAPI application
βββ tests/unit/ # 43 unit tests
βββ tests/integration/ # KinD integration test script
βββ Dockerfile # Intentionally vulnerable baseline
βββ SECURITY.md # Responsible disclosure policy
βββ README.md
# Build and scan locally
docker build -t guardian-demo:latest .
trivy image --format json --output trivy-results.json guardian-demo:latest
# Run the AI patcher locally with NVIDIA API
PROVIDER=openai \
API_KEY="<NVIDIA_NIM_API_KEY>" \
OPENAI_MODEL="deepseek-ai/deepseek-v4-flash" \
OPENAI_ENDPOINT="https://integrate.api.nvidia.com/v1" \
python scripts/remediate_cve.py
# Validate in a local KinD cluster
kind create cluster --config .kind/cluster-config.yaml
kind load docker-image guardian-demo:latest --name guardian-test
kubectl apply -f k8s/
kubectl wait --for=condition=available --timeout=120s deployment/guardian-demoMIT β See LICENSE
Autonomous, closed-loop CVE detection and remediation for containerized workloads β supports both local Ollama and cloud providers like NVIDIA API.