You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Previous fix hard-coded vuln-only + 20m timeout for every Trivy run,
which downgrades scans for small helper images that don't need it.
Add scripts/ci-trivy-profile.sh: inspects the loaded image's .Size
and emits scanner/timeout outputs:
> TRIVY_LARGE_IMAGE_BYTES (default 2 GiB)
scanners=vuln timeout=20m
otherwise
scanners=vuln,secret timeout=10m
Threshold is overridable via the TRIVY_LARGE_IMAGE_BYTES repo variable.
Wire it into all three scan paths (pr-build-scan, merge-and-scan,
rescan-latest). Document in AGENTS.md.
Copy file name to clipboardExpand all lines: AGENTS.md
+7Lines changed: 7 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -173,6 +173,13 @@ Both `.trivyignore` and `.trivy-ignore-policy.rego` paths are hardcoded in `dock
173
173
174
174
Trivy runs twice per image: once as a build gate (table format, `exit-code: 1`), once as SARIF upload to `Security → Code scanning` under category `trivy-<image>`. The weekly cron rescans `:latest` of every image without rebuilding, surfacing newly published CVE data.
175
175
176
+
**Scan profile is auto-chosen by image size.**`scripts/ci-trivy-profile.sh` inspects the loaded image's `.Size` and picks:
177
+
178
+
-**Large image** (over `TRIVY_LARGE_IMAGE_BYTES`, default `2147483648` = 2 GiB) — `scanners: vuln`, `timeout: 20m`. Drops the secret scanner, which is too slow on multi-GB scientific containers (it walks every text-ish file and chokes on huge reference DBs / model weights / generated headers) and is intended for source repositories with API keys anyway.
179
+
-**Small image** (≤ threshold) — `scanners: vuln,secret`, `timeout: 10m`. Full default scan; small helper images aren't downgraded.
180
+
181
+
Override the threshold per repo via the `TRIVY_LARGE_IMAGE_BYTES` GitHub Actions repository variable.
182
+
176
183
## WDL validation
177
184
178
185
The `miniwdl check --strict` pre-commit hook is the **only** WDL gate. There is no CI safety net. If a contributor commits without running pre-commit (`git commit -n`), broken WDLs land on `main`.
0 commit comments