add Trivy IaC security scanning workflow#285
Merged
EmmanuelNwa247 merged 5 commits intomainfrom May 5, 2026
Merged
Conversation
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
EmmanuelNwa247
requested review from
cmansky,
jolson490,
mww59,
rin-skylight and
szamfir-skylight
as code owners
szamfir-skylight
previously approved these changes
May 1, 2026
Contributor
szamfir-skylight
left a comment
szamfir-skylight
left a comment
There was a problem hiding this comment.
Looks good, thanks!
jolson490
previously approved these changes
May 4, 2026
EmmanuelNwa247
dismissed stale reviews from jolson490 and szamfir-skylight
via
5918087
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
szamfir-skylight
approved these changes
May 5, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a Trivy IaC security scanning workflow to NEDSS-Infrastructure (DEV-328). This scans Terraform files for misconfigurations, embedded secrets, and dependency vulnerabilities on PRs and pushes to main, with results uploaded to the GitHub Security tab via SARIF.
Details
Scan scope:
terraform/aws/modules/andterraform/azure/modules/— scoped to our reusable modules to keep findings actionable and avoid noise from external third-party module referencesScanners: vuln, secret, misconfig
Severity: CRITICAL, HIGH
Exit code set to 0 (report-only) for initial rollout — can be changed to 1 to enforce as a PR gate
Trivy action pinned to SHA per org convention (supply chain mitigation)