From 096f0e3838f9fd8f0da69c0d07457da101065414 Mon Sep 17 00:00:00 2001
From: Harsh Srivastava
Date: Sat, 30 May 2026 20:49:29 +0530
Subject: [PATCH 1/4] =?UTF-8?q?chore:=20bump=20Trivy=200.69.3=E2=86=920.70?= =?UTF-8?q?.0,=20auto-close=20stale=20vuln=20PRs,=20restrict=20push=20to?= =?UTF-8?q?=20main?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .github/workflows/security-scan.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 643bcd5..083d301 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -81,6 +81,17 @@ jobs:
 base: ${{ github.ref_name }}
 delete-branch: true
 
+ - name: Close Stale Vulnerability PR (if clean)
+ if: ${{ github.event_name == 'push' && steps.scan.outputs.bandit_high_found == 'false' }}
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ BRANCH="auto/bandit-scan/${{ env.SAFE_REF_NAME }}"
+ PR_NUMBER=$(gh pr list --repo "${{ github.repository }}" --head "$BRANCH" --state open --json number --jq '.[0].number')
+ if [[ -n "$PR_NUMBER" ]]; then
+ gh pr close "$PR_NUMBER" --repo "${{ github.repository }}" --comment "No HIGH/CRITICAL vulnerabilities found in latest scan on \`${{ github.ref_name }}\`. Closing report."
+ fi
+
 - name: Fail Job If Vulnerabilities Found
 if: ${{ steps.scan.outputs.bandit_high_found == 'true' }}
 run: exit 1
From 0fc58551f079149672f726864eb12d6046128fac Mon Sep 17 00:00:00 2001
From: Harsh Srivastava
Date: Sat, 30 May 2026 21:00:25 +0530
Subject: [PATCH 2/4] fix: add trivy auto-close step and remove extra push branches
---
 .github/workflows/security-scan.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 083d301..5a7e939 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
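Review bot: The new `run:` script in the `Close Stale Vulnerability PR (if clean)` step interpolates `${{ github.repository }}`, `${{ github.ref_name }}` and `${{ env.SAFE_REF_NAME }}` directly into shell text, which is the pattern GitHub's workflow-hardening guidance warns about because expression expansion happens before bash parses the line; since the step is gated on `github.event_name == 'push'` the ref is in practice a repository branch name, but the more robust and readable form is to expose these values as environment variables next to `GH_TOKEN` and let the shell quote them. `SAFE_REF_NAME` already resolves through the `env` context, so it should be visible to the script as `$SAFE_REF_NAME` with no other change; `REPO` and `REF_NAME` would be new `env:` entries. The same applies to the trivy counterpart step added in PATCH 2/4 (`@@ -178,6 +177,17`), which carries an otherwise identical script. The enclosing job and the `steps.scan` / `SAFE_REF_NAME` definitions lie outside this hunk.

```yaml
        env:
          # … unchanged: GH_TOKEN …
          REPO: ${{ github.repository }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          BRANCH="auto/bandit-scan/${SAFE_REF_NAME}"
          PR_NUMBER=$(gh pr list --repo "$REPO" --head "$BRANCH" --state open --json number --jq '.[0].number')
          # … unchanged: if [[ -n "$PR_NUMBER" ]]; then …
            gh pr close "$PR_NUMBER" --repo "$REPO" --comment "No HIGH/CRITICAL vulnerabilities found in latest scan on \`${REF_NAME}\`. Closing report."
          # … unchanged: fi …
```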
@@ -3,7 +3,6 @@ name: Python Security scan
 push:
 branches:
 - main
- - private/harsh/soc2-scan
 pull_request:
 
 jobs:
@@ -178,6 +177,17 @@ jobs:
 base: ${{ github.ref_name }}
 delete-branch: true
 
+ - name: Close Stale Vulnerability PR (if clean)
+ if: ${{ github.event_name == 'push' && steps.scan.outputs.trivy_issues_found == 'false' }}
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ BRANCH="auto/trivy-scan/${{ env.SAFE_REF_NAME }}"
+ PR_NUMBER=$(gh pr list --repo "${{ github.repository }}" --head "$BRANCH" --state open --json number --jq '.[0].number')
+ if [[ -n "$PR_NUMBER" ]]; then
+ gh pr close "$PR_NUMBER" --repo "${{ github.repository }}" --comment "No HIGH/CRITICAL vulnerabilities found in latest scan on \`${{ github.ref_name }}\`. Closing report."
+ fi
+
 - name: Fail Job If Vulnerabilities Found
 if: ${{ steps.scan.outputs.trivy_issues_found == 'true' }}
 run: exit 1
From 4e56b6615ab078fb55604af431202e9bd96225b0 Mon Sep 17 00:00:00 2001
From: Harsh Srivastava
Date: Sat, 30 May 2026 21:07:24 +0530
Subject: [PATCH 3/4] fix: bump TRIVY_VERSION env var from 0.69.3 to 0.70.0
---
 .github/workflows/security-scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 5a7e939..0ef027a 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -110,7 +110,7 @@ jobs:
 
 - name: Install Trivy
 env:
- TRIVY_VERSION: 0.69.3
+ TRIVY_VERSION: 0.70.0
 run: |
 wget -qO trivy.deb "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.deb"
 sudo dpkg -i trivy.deb
From ae7848e7c0e06c8cf4ea2791ca7832532759f524 Mon Sep 17 00:00:00 2001
From: Harsh Srivastava
Date: Mon, 1 Jun 2026 15:24:51 +0530
Subject: [PATCH 4/4] fix: use '// empty' in jq to avoid closing null PR on clean scan
---
 .github/workflows/security-scan.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 0ef027a..388b4cb 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -86,7 +86,7 @@ jobs:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 BRANCH="auto/bandit-scan/${{ env.SAFE_REF_NAME }}"
- PR_NUMBER=$(gh pr list --repo "${{ github.repository }}" --head "$BRANCH" --state open --json number --jq '.[0].number')
+ PR_NUMBER=$(gh pr list --repo "${{ github.repository }}" --head "$BRANCH" --state open --json number --jq '.[0].number // empty')
 if [[ -n "$PR_NUMBER" ]]; then
 gh pr close "$PR_NUMBER" --repo "${{ github.repository }}" --comment "No HIGH/CRITICAL vulnerabilities found in latest scan on \`${{ github.ref_name }}\`. Closing report."
 fi
@@ -183,7 +183,7 @@ jobs:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 BRANCH="auto/trivy-scan/${{ env.SAFE_REF_NAME }}"
- PR_NUMBER=$(gh pr list --repo "${{ github.repository }}" --head "$BRANCH" --state open --json number --jq '.[0].number')
+ PR_NUMBER=$(gh pr list --repo "${{ github.repository }}" --head "$BRANCH" --state open --json number --jq '.[0].number // empty')
 if [[ -n "$PR_NUMBER" ]]; then
 gh pr close "$PR_NUMBER" --repo "${{ github.repository }}" --comment "No HIGH/CRITICAL vulnerabilities found in latest scan on \`${{ github.ref_name }}\`. Closing report."
 fi
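Review bot: The `// empty` fallback on the `PR_NUMBER=` line is correct in both hunks, but its purpose is not visible from the line itself and a future cleanup could easily drop it; a one-line comment above the assignment would protect it: `# '// empty' yields "" instead of the literal string "null" when no PR is open, so the -n test below stays false`. The fix had to be applied twice because the bandit step (`@@ -86,7 +86,7`) and the trivy step (`@@ -183,7 +183,7`) carry the same script differing only in the branch prefix; folding the close logic into a single step or composite action driven by `env:` values (scanner name and result flag) would keep the two copies from drifting apart again. The enclosing `Close Stale Vulnerability PR (if clean)` step begins outside each hunk — its `name:`, `if:` and `env:` lines precede the shown `GH_TOKEN:` line.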