
test: add trivy action to scan CVE

Open andyzhangx opened this issue 7 months ago • 7 comments

Reason for Change:

test: add trivy action to scan CVE

Requirements

  • [ ] added unit tests and e2e tests (if applicable).

Issue Fixed:

Notes for Reviewers:

andyzhangx avatar Apr 25 '25 09:04 andyzhangx

Title

(Description updated until commit https://github.com/kaito-project/kaito/commit/2c4d66c113b00ce32d69fc295a5f05fa7fc69088)

Add Trivy Action for Vulnerability Scanning


Description

  • Added Trivy action for vulnerability scanning

  • Configured to run on push and pull request events

  • Scans Docker images for OS and library vulnerabilities


Changes walkthrough 📝

Relevant files
Enhancement
trivy.yml
Added Trivy vulnerability scanning workflow

.github/workflows/trivy.yml

  • Created new workflow file for Trivy vulnerability scanning
  • Configured to run on master branch pushes and pull requests
  • Sets up Go environment and checks out code
  • Builds Docker image from Dockerfile
  • Runs Trivy to scan built Docker image for vulnerabilities
  • +40/-0

  • kaito-pr-agent[bot] avatar Apr 25 '25 09:04 kaito-pr-agent[bot]
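The description above lists the steps but the page never shows the workflow itself. As an added example (not the project's `.github/workflows/trivy.yml`), this is what a workflow with those steps looks like once the third-party action is pinned, the job token is scoped to read-only, and the scan fails the build only on findings that already have a fix. The trigger, the `TRIVY_DB_REPOSITORY` value and the severity list are taken from the lines quoted on this page; the image tag, the Go setup detail, the job layout and the `<full-commit-sha-of-a-release>` placeholder are assumptions.

```yaml
# Added example, not the kaito project's .github/workflows/trivy.yml (the page
# only describes that file). Image name, Go version source and step layout are
# assumptions; the trigger, DB mirror and severity list follow the page.
name: trivy

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master

# Least privilege: the job only needs to read the repository. A table report
# needs no write scope on packages, issues or the security tab.
permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod   # assumption: Go version is kept in go.mod

      - name: Build image
        # Assumed image tag; the page only says the Dockerfile is built.
        run: docker build -t kaito/manager:ci .

      - name: Scan image with Trivy
        # Pin third-party actions to a full commit SHA, not a branch or a
        # movable tag; keep the release tag in a comment for readability.
        uses: aquasecurity/trivy-action@<full-commit-sha-of-a-release>   # vX.Y.Z (placeholder)
        env:
          # "2" is the trivy-db schema version tag the Trivy client expects;
          # the ECR mirror avoids GHCR pull rate limits on busy runners.
          TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db:2"
        with:
          image-ref: kaito/manager:ci
          format: table
          vuln-type: 'os,library'
          # Report every severity in the log, but only fail the job on
          # findings that have a fixed version to upgrade to.
          severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
          ignore-unfixed: true
          exit-code: '1'
```

`ignore-unfixed` together with `exit-code: '1'` keeps the full severity table in the job log while failing the job only when there is an upgrade to apply; a MEDIUM finding in a Go module that already has a fixed version still blocks the merge, which is the early-detection behaviour the author argues for later in the thread.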

    PR Reviewer Guide 🔍

    (Review updated until commit https://github.com/kaito-project/kaito/commit/2c4d66c113b00ce32d69fc295a5f05fa7fc69088)

    Here are some key observations to aid the review process:

    ⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
    🧪 No relevant tests
    🔒 No security concerns identified
    ⚑ Recommended focus areas for review

    Branch Name

    The workflow is set to trigger on the 'master' branch. Ensure that this is the correct branch name, as some repositories use 'main' instead.

    branches:
      - master
    
    Action Version

    The aquasecurity/trivy-action is using the master branch. It's recommended to use a specific version tag to avoid unexpected changes.

    uses: aquasecurity/trivy-action@master
    

    kaito-pr-agent[bot] avatar Apr 25 '25 09:04 kaito-pr-agent[bot]

    PR Code Suggestions ✨

    Latest suggestions up to 2c4d66c

    Explore these optional code suggestions:

    Category  Suggestion  Impact
    General
    Pin trivy-action version

    Pin the version of the trivy-action to a stable release instead of using master.

    .github/workflows/trivy.yml [31]

    -uses: aquasecurity/trivy-action@master
    +uses: aquasecurity/[email protected]
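    Review bot: a release tag is an improvement over `master`, but it is still a mutable ref that upstream can move, so the code that runs with this repository's checkout and the runner's Docker socket can still change without any commit here; pin `uses:` to the full commit SHA of the chosen release and keep the tag in a trailing comment (e.g. `uses: aquasecurity/trivy-action@<commit-sha>  # vX.Y.Z`), then let Dependabot or Renovate propose bumps.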
    
    Suggestion importance[1-10]: 8

    __

    Why: Pinning the version of the trivy-action to a stable release ensures consistency and avoids unexpected behavior due to changes in the master branch.

    Medium
    Update Trivy DB URL

    Update the Trivy DB repository URL to the latest stable version.

    .github/workflows/trivy.yml [33]

    -TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db:2"
    +TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db"
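    Review bot: the `:2` suffix on `public.ecr.aws/aquasecurity/trivy-db` is the trivy-db schema version tag, not an outdated release, and it is the tag the Trivy client keys on when it checks that a downloaded DB matches the schema it was built for; Trivy's own default repository reference also ends in `:2`. Dropping the tag makes the pull resolve to `latest`, which is not the tag Trivy documents, so the original line should stay as it is. Database freshness comes from the regularly rebuilt DB published behind that tag, not from the tag name.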
    
    Suggestion importance[1-10]: 7

    __

    Why: Updating the Trivy DB repository URL to the latest stable version ensures that the vulnerability database is current, improving the effectiveness of the vulnerability scan.

    Medium
    Filter lower severity vulnerabilities

    Consider filtering out lower severity vulnerabilities if they are not critical for
    your project.

    .github/workflows/trivy.yml [40]

    -severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
    +severity: 'CRITICAL,HIGH'
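    Review bot: narrowing `severity` to `CRITICAL,HIGH` would silently suppress exactly the kind of finding this PR surfaced on its first run, the MEDIUM CVE-2025-22872 in golang.org/x/net that the author reports further down the thread. If the goal is a less noisy gate rather than less information, keep the full list so the table still reports everything and add `ignore-unfixed: true` with `exit-code: '1'`, so the job fails only on findings that already have a fixed version to upgrade to.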
    
    Suggestion importance[1-10]: 6

    __

    Why: Filtering out lower severity vulnerabilities can help focus on critical and high-severity issues, making the scan results more actionable and reducing noise.

    Low

    Previous suggestions

    Suggestions up to commit 1be056b
    Category  Suggestion  Impact
    General
    Pin trivy-action version

    Pin the version of the trivy-action to a stable release instead of using master.

    .github/workflows/trivy.yml [31]

    -uses: aquasecurity/trivy-action@master
    +uses: aquasecurity/[email protected]
    
    Suggestion importance[1-10]: 8

    __

    Why: Pinning the version of the trivy-action to a stable release ensures consistency and prevents unexpected changes due to updates in the master branch.

    Medium
    Update Trivy DB URL

    Update the Trivy database repository URL to the latest stable version.

    .github/workflows/trivy.yml [33]

    -TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db:2"
    +TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db:latest"
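    Review bot: `trivy-db:latest` is a floating tag rather than the schema-version tag (`:2`) that the Trivy client keys on, so this variant of the suggestion would either fail to pull or risk pointing at a DB schema the pinned Trivy build cannot read; the original `:2` reference is the correct one and should be left unchanged.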
    
    Suggestion importance[1-10]: 7

    __

    Why: Updating the Trivy database repository URL to the latest stable version ensures that the vulnerability scanner uses the most recent data, improving the accuracy of the scans.

    Medium
    Filter low severity vulnerabilities

    Consider filtering out lower severity vulnerabilities if they are not critical for
    your project.

    .github/workflows/trivy.yml [40]

    -severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
    +severity: 'CRITICAL,HIGH'
    
    Suggestion importance[1-10]: 6

    __

    Why: Filtering out lower severity vulnerabilities can help focus on the most critical issues, making the scan results more actionable. However, this depends on the project's risk tolerance.

    Low
    Suggestions up to commit 8a6daf3
    Category  Suggestion  Impact
    General
    Pin trivy-action version

    Pin the version of the trivy-action to a stable release instead of using master.

    .github/workflows/trivy.yml [31]

    -uses: aquasecurity/trivy-action@master
    +uses: aquasecurity/[email protected]
    
    Suggestion importance[1-10]: 8

    __

    Why: Pinning the version of the trivy-action to a stable release ensures consistency and prevents unexpected behavior due to changes in the master branch.

    Medium
    Update Trivy DB URL

    Update the Trivy database repository URL to the latest stable version.

    .github/workflows/trivy.yml [33]

    -TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db:2"
    +TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db"
    
    Suggestion importance[1-10]: 7

    __

    Why: Updating the Trivy database repository URL to the latest stable version ensures that the vulnerability scanner uses the most recent data, improving the accuracy of the scans.

    Medium
    Filter critical and high severity

    Consider reducing the severity levels to focus on critical and high vulnerabilities.

    .github/workflows/trivy.yml [40]

    -severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
    +severity: 'CRITICAL,HIGH'
    
    Suggestion importance[1-10]: 6

    __

    Why: Reducing the severity levels to focus on critical and high vulnerabilities helps prioritize fixing the most severe issues, although this might miss some lower-severity vulnerabilities.

    Low
    Suggestions up to commit 8a6daf3
    Category  Suggestion  Impact
    Security
    Pin trivy-action version

    Pin the version of the trivy-action to a specific release instead of using master.

    .github/workflows/trivy.yml [31]

    -uses: aquasecurity/trivy-action@master
    +uses: aquasecurity/[email protected]
    
    Suggestion importance[1-10]: 8

    __

    Why: Pinning the version of the trivy-action to a specific release improves security and ensures consistency across builds.

    Medium
    General
    Reduce severity levels

    Consider reducing the severity levels to focus on CRITICAL and HIGH vulnerabilities.

    .github/workflows/trivy.yml [40]

    -severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
    +severity: 'CRITICAL,HIGH'
    
    Suggestion importance[1-10]: 5

    __

    Why: Reducing the severity levels to CRITICAL and HIGH can help focus on the most impactful vulnerabilities, but this might miss some important MEDIUM or LOW issues.

    Low
    Suggestions up to commit a5160e8
    Category  Suggestion  Impact
    General
    Pin trivy-action version

    Pin the version of the trivy-action to a stable release instead of using master.

    .github/workflows/trivy.yml [30]

    -uses: aquasecurity/trivy-action@master
    +uses: aquasecurity/[email protected]
    
    Suggestion importance[1-10]: 8

    __

    Why: Pinning the version of the trivy-action ensures consistency and prevents unexpected changes due to updates in the master branch.

    Medium
    Filter lower severity vulnerabilities

    Consider filtering out lower severity vulnerabilities unless necessary.

    .github/workflows/trivy.yml [39]

    -severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
    +severity: 'CRITICAL,HIGH'
    
    Suggestion importance[1-10]: 6

    __

    Why: Filtering out lower severity vulnerabilities can reduce noise and focus on critical issues. However, the decision to do so depends on the project's security policy.

    Low
    Correct Trivy DB URL

    Ensure the Trivy DB repository URL is correct and accessible.

    .github/workflows/trivy.yml [32]

    -TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db:2"
    +TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db"
    
    Suggestion importance[1-10]: 5

    __

    Why: The suggested change removes the version tag from the Trivy DB repository URL, which might not be necessary if the version is intended to be fixed. However, it's worth verifying the accessibility and correctness of the URL.

    Low

    kaito-pr-agent[bot] avatar Apr 25 '25 09:04 kaito-pr-agent[bot]

    @Fei-Guo just let me know if this PR could be merged, and then I will add similar Trivy action steps for other image builds, thanks.

    andyzhangx avatar Apr 25 '25 09:04 andyzhangx

    > @Fei-Guo just let me know if this PR could be merged, and then I will add similar Trivy action steps for other image builds, thanks.

    @Fei-Guo can you add me as a project member? This PR could not run tests from my forked branch; only project members can run those tests. I will prepare another PR later. Thanks.

    andyzhangx avatar Apr 25 '25 09:04 andyzhangx

    This Trivy action error is expected; it needs this PR merged first: https://github.com/kaito-project/kaito/pull/1022

    manager (gobinary)
    ==================
    Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
    
    ┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
    │     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                           │
    ├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
    │ golang.org/x/net │ CVE-2025-22872 │ MEDIUM   │ fixed  │ v0.36.0           │ 0.38.0        │ golang.org/x/net/html: Incorrect Neutralization of Input │
    │                  │                │          │        │                   │               │ During Web Page Generation in x/net in...                │
    │                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-22872               │
    └──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
    

    andyzhangx avatar Apr 28 '25 02:04 andyzhangx

    One question: do we have to do a Trivy scan for every PR? Can we make it an action item and trigger it upon release?

    Fei-Guo avatar Apr 28 '25 18:04 Fei-Guo

    > One question: do we have to do a Trivy scan for every PR? Can we make it an action item and trigger it upon release?

    @Fei-Guo yes, that's best for finding and fixing CVEs as early as possible. If you find a CVE after the image release, you need to fix it and publish a new patch version. Please approve this PR; I will add Trivy actions for other images in another PR. Thanks.

    andyzhangx avatar Apr 29 '25 01:04 andyzhangx