16 changes: 16 additions & 0 deletions .github/workflows/pr.yaml
Expand Up @@ -102,6 +102,22 @@ jobs:
path: |
./kit*

check-security:
name: Security and license scan
Comment on lines +105 to +106
Copilot AI Feb 2, 2026

The PR description states that a "check-licenses" job was added, but the actual job name in the workflow is "check-security". While this is a minor discrepancy and the broader name "check-security" is arguably more accurate given that the job scans for vulnerabilities, secrets, misconfigurations, and licenses (not just licenses), the PR description should be updated to match the actual implementation.

runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

- name: Run Trivy scanner
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
with:
scan-type: 'fs'
scan-ref: '.'
scanners: 'vuln,secret,misconfig,license'
severity: 'HIGH,CRITICAL'
exit-code: '1'

check-container-build:
runs-on: ubuntu-latest
steps:
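
Review bot: the new check-security job declares no permissions: block, so unless the workflow sets one outside this hunk the job runs with the repository's default GITHUB_TOKEN scope. A filesystem scan only reads the checkout, so add a job-level permissions: entry with contents: read. Separately, exit-code: '1' combined with the vuln scanner also fails the PR on HIGH/CRITICAL findings that have no fixed version yet; consider ignore-unfixed: true or a reviewed .trivyignore so the gate stays actionable.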
9 changes: 6 additions & 3 deletions build/ci/Dockerfile
Expand Up @@ -6,7 +6,10 @@ WORKDIR /app
COPY ./dockerfiles/KServe/entrypoint.sh ./entrypoint.sh
COPY tests ./tests

# ensure entrypoint is executable
RUN chmod +x entrypoint.sh
# ensure entrypoint is executable and tests dir is writable
RUN chmod +x entrypoint.sh && \
chown -R nobody:nogroup /app

ENTRYPOINT ["bats", "tests"]
USER nobody
Copilot AI Feb 2, 2026

The PR description does not mention the Docker USER changes in this file. This is a significant security-related change that switches the container to run as the nobody user. While this aligns with security best practices, such changes should be documented in the PR description.


ENTRYPOINT ["bats", "tests"]
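
Review bot: the recursive chown on /app covers more than the comment above it asks for. The comment says the tests dir must be writable, but chown -R nobody:nogroup /app also hands entrypoint.sh to the runtime user, so a process running as nobody can rewrite the script that was copied in. If only the tests need writes, scope it to chown -R nobody:nogroup /app/tests, or use COPY --chown=nobody:nogroup tests ./tests, which also avoids duplicating the files in the RUN layer, and leave entrypoint.sh root-owned.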
2 changes: 2 additions & 0 deletions build/dockerfiles/init/Dockerfile
Expand Up @@ -8,6 +8,8 @@ FROM $KIT_BASE_IMAGE
COPY entrypoint.sh /usr/local/bin/entrypoint.sh
COPY --from=cosign-install /ko-app/cosign /usr/local/bin/cosign

Copilot AI Feb 2, 2026

Switching to USER nobody without adjusting file permissions may cause runtime failures. The base image (KIT_BASE_IMAGE) creates /home/user/ owned by the kit user (UID 1001), but the entrypoint.sh script defaults to unpacking to /home/user/modelkit/. The nobody user won't have write permissions to this directory.

Consider adding a RUN command before USER nobody to ensure the nobody user can write to necessary directories, similar to the approach used in build/ci/Dockerfile:11 where permissions are set with chown -R nobody:nogroup /app before switching users. Alternatively, you could create and set permissions on the default unpack path:

RUN mkdir -p /home/user/modelkit && chown -R nobody:nogroup /home/user

Suggested change
RUN mkdir -p /home/user/modelkit && chown -R nobody:nogroup /home/user

USER nobody
Copilot AI Feb 2, 2026

The PR description does not mention the Docker USER changes in this file. This is a significant security-related change that switches the container to run as the nobody user instead of root (or the kit user from the base image). While this aligns with security best practices, such changes should be documented in the PR description, especially since this change has potential implications for container permissions and runtime behavior.


ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]

LABEL org.opencontainers.image.description="Kit CLI init container"
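
Review bot: USER nobody gives a user name rather than a numeric UID, which matters for an image whose LABEL describes it as an init container. Kubernetes cannot verify runAsNonRoot: true against a non-numeric USER and refuses to start the container, so set USER to the numeric UID that nobody has in the base image (commonly 65534) and confirm that UID can write the unpack path the entrypoint uses.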