Skip to main content

Overview

The image CVE scanning workflow automatically scans container images for known vulnerabilities:
  • Scheduled scans: Runs daily against production images to catch newly disclosed CVEs
  • On-demand scanning: Can be triggered manually for any environment or specific images
  • Comprehensive coverage: Extracts images from rendered Kubernetes manifests plus manually-specified images
  • Detailed reporting: Generates SBOM and vulnerability reports with severity breakdowns

What’s Included

Workflow Structure

Scanning Process

1

Extract images

Collects container images from rendered Kubernetes manifests for the target environment, plus any additional images from configuration.
2

Generate SBOM

Creates a Software Bill of Materials (SBOM) for each image using Syft.
3

Scan for vulnerabilities

Analyzes each SBOM with Grype to identify known CVEs.
4

Aggregate report

Consolidates results into a summary report with vulnerability counts by severity.

Image Discovery

Images are extracted from multiple sources:
  1. Kubernetes manifests: Parses image: and imageName: fields from kubernetes/rendered/<environment>/
  2. Additional images file: Manual list in .github/security/additional-images.yaml for images not in manifests (e.g., operator-pulled images, sidecar injectors)
  3. Workflow input: Ad-hoc images passed via workflow dispatch

Vulnerability Scanning

Each image is scanned in a separate parallel job using GitHub Actions matrix strategy, enabling fast scans even with many images. The workflow uses the Anchore toolchain: The workflow handles both public images and private ECR images (via OIDC authentication).

Report Output

The workflow generates a GitHub Actions job summary with:
  • Severity breakdown: Critical, High, Medium, Low, Negligible, Unknown counts
  • Per-image results: Table showing vulnerability counts for each scanned image
  • Scan artifacts: Full Grype JSON output and SBOMs retained for 30 days

🔍 CVE Scan Report

Environment: production
Scan Date: YYYY-MM-DD HH:MM:SS UTC

Summary

Successful scans: 5
Failed scans: 0

Results by Image

Usage

The workflow runs daily at 5 AM UTC (midnight EST) against production images. It can also be triggered manually via workflow_dispatch to scan a specific environment (production, staging, or none) or ad-hoc images.

Key Design Decisions

Additional Configurability

Custom Severity Thresholds

To fail the workflow on critical vulnerabilities, modify the report job:

Slack/Email Notifications

Add a notification step after the report job to alert on scan results.

Vulnerability Suppression

Use Grype’s ignore rules for false positives or accepted risks.