
fix(ci): reduce Trivy scan noise #144

Open

SudipSinha wants to merge 3 commits into build/ubi9-minimal from fix/trivy-scan-noise

Conversation

@SudipSinha
Member

@SudipSinha SudipSinha commented May 7, 2026

Summary

Tune Trivy CI scan configuration to reduce noise from OS-level and unfixable CVEs. Builds on top of PR #146 (UBI9 minimal multi-stage image).

  • Scope Trivy to library dependencies only (vuln-type: 'library'): OS-level CVEs (glibc, openssl, etc.) are Red Hat's responsibility via UBI9 base image updates
  • Skip unfixed CVEs (ignore-unfixed: true): hides CVEs with no available patch to reduce noise
  • Skip uv/uvx binaries (skip-files): Rust crate CVEs inside uv are Astral's supply chain responsibility, tracked via Dependabot
  • Add SARIF upload categories (category: 'trivy-ci-scan' / 'trivy-release-scan'): prevents duplicate alert entries across scan runs

Workflows modified

Workflow               Purpose
build-and-push.yaml    Release scan
ci-publish.yaml        CI/PR scan

Test plan

  • CI workflows pass (YAML syntax valid)
  • Next Trivy scan uploads reduced findings
  • Security tab alert count stabilizes

🤖 Generated with Claude Code
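The scan configuration the summary above describes, written out as an added example; this is not the PR's diff and not the project's actual workflow file. The job is the CI/PR scan from ci-publish.yaml and the image reference matches the quay.io/trustyai/trustyai-service-python-ci:<sha> image the CI bot reports in this thread. The trivy-action and codeql-action versions, the severity and exit-code values, and the uv/uvx paths under /usr/local/bin are assumptions; the release workflow differs only in the image reference and in uploading under category trivy-release-scan.

```yaml
# Added example, not the PR's own diff. Version pins, severity/exit-code
# values and the uv/uvx paths are assumptions.
jobs:
  trivy-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write      # upload-sarif needs this to write alerts
    steps:
      - name: Scan PR image with Trivy
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: image
          image-ref: quay.io/trustyai/trustyai-service-python-ci:${{ github.sha }}
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH   # assumed; unchanged by this PR
          exit-code: '0'            # assumed; '1' would fail the job on findings
          # Intentional: OS packages (glibc, openssl, ...) come from the UBI9
          # base image and are fixed by Red Hat through base-image updates,
          # so only library (application) dependencies are reported here.
          vuln-type: library
          # Intentional: a CVE with no fixed version is not actionable in this
          # repo. It is hidden, not resolved, and reappears once a fix ships.
          ignore-unfixed: true
          # Intentional: uv/uvx are prebuilt Astral binaries; Rust crate CVEs
          # inside them are tracked through Dependabot version bumps instead.
          skip-files: /usr/local/bin/uv,/usr/local/bin/uvx

      - name: Upload Trivy results to GitHub code scanning
        if: always()                # publish findings even if the scan failed
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
          # One category per workflow: an upload with the same category for
          # the same commit replaces the previous one, so without distinct
          # categories the CI and release scans would overwrite or duplicate
          # each other's alerts.
          category: trivy-ci-scan
```

Two caveats worth keeping in mind with this setup. `ignore-unfixed: true` and `vuln-type: library` suppress reporting, they do not remove the vulnerable code from the image, so OS-level exposure is only as fresh as the last UBI9 base-image rebuild; a scheduled full scan (`vuln-type: os,library`, `ignore-unfixed: false`) uploaded under its own category keeps the complete picture visible without polluting the PR view. And `skip-files` only works as a delegation if the uv version is actually pinned somewhere Dependabot watches; otherwise those crate CVEs are tracked by nobody.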

@coderabbitai

coderabbitai Bot commented May 7, 2026

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

@SudipSinha SudipSinha self-assigned this May 7, 2026
@sourcery-ai
Contributor

sourcery-ai Bot commented May 7, 2026

Reviewer's Guide

Configures Trivy scanning in CI and release workflows to only report fixable library vulnerabilities and uploads them to distinct SARIF categories to reduce duplicated and non-actionable alerts.

Sequence diagram for updated Trivy scan and SARIF upload in CI workflow

sequenceDiagram
    actor Developer
    participant GitHubActions_ci_publish as GitHubActions_ci_publish_workflow
    participant TrivyScanner as Trivy_scanner
    participant SARIFUploader_ci as SARIF_uploader_ci
    participant GitHubSecurity as GitHub_Code_Scanning

    Developer->>GitHubActions_ci_publish: Push commit or open PR
    GitHubActions_ci_publish->>TrivyScanner: Run scan with ignore_unfixed true
    TrivyScanner-->>GitHubActions_ci_publish: trivy-results.sarif (library_only)
    GitHubActions_ci_publish->>SARIFUploader_ci: Upload SARIF with category trivy_ci_scan
    SARIFUploader_ci->>GitHubSecurity: Store alerts under category trivy_ci_scan
    GitHubSecurity-->>Developer: Show actionable library alerts from CI scan

Sequence diagram for updated Trivy scan and SARIF upload in release workflow

sequenceDiagram
    actor ReleaseEngineer
    participant GitHubActions_build_push as GitHubActions_build_and_push_workflow
    participant TrivyScanner as Trivy_scanner
    participant SARIFUploader_release as SARIF_uploader_release
    participant GitHubSecurity as GitHub_Code_Scanning

    ReleaseEngineer->>GitHubActions_build_push: Trigger release build and push
    GitHubActions_build_push->>TrivyScanner: Run scan with ignore_unfixed true
    TrivyScanner-->>GitHubActions_build_push: trivy-results.sarif (library_only)
    GitHubActions_build_push->>SARIFUploader_release: Upload SARIF with category trivy_release_scan
    SARIFUploader_release->>GitHubSecurity: Store alerts under category trivy_release_scan
    GitHubSecurity-->>ReleaseEngineer: Show actionable library alerts from release scan only

File-Level Changes

Change: Tighten Trivy scan configuration to only include fixable library vulnerabilities and ignore unfixed/OS-level issues in both release and CI pipelines.
Details:
  • Set the Trivy ignore-unfixed flag to true so unfixed CVEs do not fail or clutter scans.
  • Restrict Trivy vuln-type to library to stop reporting OS-level/base-image vulnerabilities.
  • Keep severity and exit-code behavior unchanged to preserve existing gating semantics.
Files: .github/workflows/build-and-push.yaml, .github/workflows/ci-publish.yaml

Change: Tag SARIF uploads from Trivy with distinct categories for release and CI scans to avoid duplicate alerts in GitHub Security.
Details:
  • Add a trivy-release-scan category to SARIF uploads in the release workflow.
  • Add a trivy-ci-scan category to SARIF uploads in the CI workflow.
  • Retain the always() conditional on the CI SARIF upload to ensure results are pushed even on failure.
Files: .github/workflows/build-and-push.yaml, .github/workflows/ci-publish.yaml

@SudipSinha SudipSinha added the labels ok-to-test (Proceed with CI testing), lgtm (Looks good to me), security, and technical-debt (Code that works but needs improvement: untested, deprecated patterns, etc.) May 7, 2026
@SudipSinha SudipSinha marked this pull request as ready for review May 7, 2026 14:18
@SudipSinha SudipSinha changed the title from "fix(ci): reduce Trivy scan noise from 3k to 7 alerts per run" to "fix(ci): reduce Trivy scan noise" May 7, 2026

@sourcery-ai sourcery-ai Bot left a comment

Hey - I've left some high level feedback:

  • Consider adding brief inline comments in the workflow YAML explaining why vuln-type: 'library' and ignore-unfixed: true are intentional, so future maintainers don’t revert them thinking they’re loosening security by mistake.
  • If you expect to reuse these Trivy settings elsewhere, you might want to extract the common configuration (severity, exit-code, ignore-unfixed, vuln-type) into a shared reusable workflow or composite action to keep behavior consistent across pipelines.
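One way to act on the second suggestion, as an added example and not code from this PR or the repository: a composite action that owns the Trivy inputs, so the CI and release workflows pass only what differs between them (the image and the SARIF category) and cannot drift apart on vuln-type, ignore-unfixed or skip-files. The path .github/actions/trivy-scan, the input names, the default severity and exit-code, the uv/uvx locations and the pinned action versions are assumptions.

```yaml
# Added example, not part of the PR. Assumed file:
# .github/actions/trivy-scan/action.yaml
name: Trivy image scan
description: Scan a container image for fixable library CVEs and upload SARIF
inputs:
  image-ref:
    description: Image to scan (with tag or digest)
    required: true
  category:
    description: Code-scanning category; must differ per calling workflow
    required: true
  severity:
    description: Severities to report
    default: CRITICAL,HIGH          # assumed default
  exit-code:
    description: Exit code when findings are present ('1' fails the caller)
    default: '0'                    # assumed default
runs:
  using: composite
  steps:
    - name: Scan image
      uses: aquasecurity/trivy-action@0.28.0
      with:
        scan-type: image
        image-ref: ${{ inputs.image-ref }}
        format: sarif
        output: trivy-results.sarif
        severity: ${{ inputs.severity }}
        exit-code: ${{ inputs.exit-code }}
        vuln-type: library          # OS CVEs belong to the UBI9 base image
        ignore-unfixed: true        # no fixed version = not actionable here
        skip-files: /usr/local/bin/uv,/usr/local/bin/uvx   # Astral's binaries
    - name: Upload SARIF
      if: always()                  # upload even when exit-code failed the scan
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: trivy-results.sarif
        category: ${{ inputs.category }}
```

A calling job checks out the repository first (local actions are resolved from the working tree), then uses `./.github/actions/trivy-scan` with `image-ref` and `category: trivy-ci-scan` in ci-publish.yaml or `category: trivy-release-scan` in build-and-push.yaml. The job itself still needs `security-events: write`, since a composite action runs with the caller's token permissions.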

@github-actions

github-actions Bot commented May 7, 2026

PR image build and manifest generation completed successfully!

📦 PR image: quay.io/trustyai/trustyai-service-python-ci:522fe3489540fac2c37002bdddd610f5311e0e2e

🗂️ CI manifests

devFlags:
  manifests:
    - contextDir: config
      sourcePath: ''
      uri: https://api.github.com/repos/trustyai-explainability/trustyai-service-operator-ci/tarball/service-python-522fe3489540fac2c37002bdddd610f5311e0e2e

SudipSinha and others added 2 commits May 8, 2026 09:00

Trivy was scanning OS packages and reporting unfixed CVEs, flooding the
GitHub Security tab with 11k+ unactionable alerts. Scope scans to
library dependencies only and skip CVEs with no available fix. Add SARIF
upload categories to prevent duplicate alert entries across runs.

Tested locally: 3,042 → 7 findings on the release image.

Co-Authored-By: Claude Opus 4.6 <[email protected]>

Rust crate CVEs inside the uv and uvx binaries are Astral's supply
chain responsibility, tracked via Dependabot version bumps rather than
container image scanning. Skip these files to eliminate 6 duplicate
alerts per scan.

Tested locally: 7 → 1 remaining finding (pip version, fixable by us).

Co-Authored-By: Claude Opus 4.6 <[email protected]>
@SudipSinha SudipSinha changed the base branch from main to build/ubi9-minimal May 8, 2026 08:00
@SudipSinha SudipSinha force-pushed the fix/trivy-scan-noise branch from 3da0c46 to 1a59aa8 May 8, 2026 08:00
@SudipSinha SudipSinha removed the lgtm (Looks good to me) label May 8, 2026