Setting Up Automated Vulnerability Scanning in GitHub Actions
Software supply chain security is becoming one of the most critical concerns for development teams, DevOps engineers, and security professionals—especially as vulnerabilities in open-source dependencies and build artifacts frequently lead to costly breaches and compliance violations. Integrating automated vulnerability scanning directly into your CI/CD pipeline is a best practice that greatly reduces your exposure to supply chain attacks. In this tutorial, you’ll learn how to set up automated vulnerability scanning in GitHub Actions, leveraging industry standards and robust open-source tools to secure your software supply chain, accelerate remediation, and ensure CI/CD compliance.
Why Automate Vulnerability Scanning in CI/CD?
Automated vulnerability scanning brings several benefits:
- Early detection: Identifies vulnerabilities before deployment, reducing risk and remediation cost.
- Consistent enforcement: Ensures every commit goes through security checks, decreasing human error.
- Continuous feedback loop: Alerts developers instantly, speeding up patching and making secure development the default.
- Compliance and auditability: Supports frameworks like SLSA, SSDF, and NIST by providing traceable, repeatable security controls.
GitHub Actions offers the perfect foundation, providing seamless automation with tight integration into your workflows.
Selecting a Vulnerability Scanning Tool
Several vulnerability scanners integrate with GitHub Actions, including:
- Trivy: Versatile, fast, supports containers, filesystems, SBOMs, and OSS dependencies.
- Snyk: Cloud-based, strong license and vulnerability management for dependencies.
- GitHub Advanced Security: Built-in for supported repositories; requires special licensing.
- Grype: Open-source; targets container images and SBOMs.
For this tutorial, we’ll use Trivy due to its open-source nature, wide support (including SBOMs and container images), fast performance, and easy setup.
Prerequisites
- Access to a GitHub repository with GitHub Actions enabled.
- Basic understanding of YAML and CI/CD workflow configurations.
- Your application producing artifacts or using dependencies (Node.js, Python, Go, etc.).
Step 1: Create or Edit Your GitHub Actions Workflow
If you don’t already have a workflow, create .github/workflows/security.yml in your repository. If you do, add the following steps after your build/test stage.
Step 2: Add Trivy to Scan Your Application
Below is a workflow example that scans both your file system (code and dependencies) and, if applicable, your Docker image.
name: Security - Vulnerability Scan
on:
push:
branches:
- main
pull_request:
branches:
- '*'
jobs:
vulnerability-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install Trivy
run: |
sudo apt-get update
sudo apt-get install -y wget
wget -qO- https://github.com/aquasecurity/trivy/releases/latest/download/trivy_0.50.0_Linux-64bit.deb > trivy.deb
sudo dpkg -i trivy.deb
- name: Run Trivy filesystem scan
run: trivy fs --exit-code 1 --severity HIGH,CRITICAL .
# For container-based projects, build the Docker image and scan:
- name: Build Docker image
run: docker build -t my-app:latest .
- name: Run Trivy container image scan
run: trivy image --exit-code 1 --severity HIGH,CRITICAL my-app:latest
--exit-code 1will cause the workflow to fail if HIGH or CRITICAL vulnerabilities are found, blocking merges or deployments until issues are resolved.- The workflow scans code for vulnerable dependencies and, if present, your container image for OS-level flaws.
Step 3: Output Results and Workflow Monitoring
Trivy presents vulnerability scan results in the console. Integrate with tools like GitHub Code Scanning or upload reports as artifacts if you need historical tracking:
- name: Save Trivy report
run: trivy fs --format json --output trivy-report.json .
- name: Upload Trivy report
uses: actions/upload-artifact@v3
with:
name: trivy-report
path: trivy-report.json
You can also integrate explicit alerts via GitHub Security Advisories or push notifications to development teams.
Step 4: Automate Dependency Updates and Remediation
Automated scanning is only as effective as your ability to remediate. Combine vulnerability scanning with tools like Dependabot to automatically create pull requests for vulnerable dependencies.
Example workflow step for Dependabot integration:
# Automatically triggers PRs for outdated or vulnerable dependencies
Step 5: Compliance Alignment & SBOM Integration
For regulatory frameworks like SLSA, NIST, and SSDF, consider producing Software Bill of Materials (SBOM) and scanning them for known vulnerabilities. Trivy supports SBOM generation in formats like CycloneDX and SPDX:
- name: Generate SBOM (CycloneDX)
run: trivy sbom --format cyclonedx --output sbom-cyclonedx.json .
- name: Scan SBOM for vulnerabilities
run: trivy sbom --input sbom-cyclonedx.json
Store SBOM artifacts alongside your builds to demonstrate compliance during audits and support traceability.
Step 6: Customize to Your Supply Chain
Tailor your workflow according to your technology stack, compliance needs, and risk tolerance:
- Filter vulnerability severities according to risk policy.
- Schedule periodic scans with
on: schedule. - Integrate scanning in both PR and deployment branches.
- Link scan results to issue tracking or ticketing systems.
- Use organization-wide policies with Reusable Workflows.
Real-World Example: Team Adoption
A SaaS provider recently implemented Trivy scans for their CI/CD pipelines following a supply chain attack in an upstream dependency. Within weeks, they identified several critical vulnerabilities previously undetected in transitive dependencies, patched them, and passed an additional compliance audit (SSDF). Automated alerts directly in pull requests reduced reaction time from days to near-zero, drastically lowering the risk profile.
Best Practices
- Fail fast: Block builds on critical vulnerabilities.
- Integrate with developer tools: Push actionable insights to developers’ workflow.
- Regularly update scanner versions: Ensure new CVEs are detected.
- Scan both dependencies and built artifacts: Prevent container-level exploits and malicious code.
- Generate and archive SBOMs: Meet regulatory requirements and provide audit transparency.
- Educate teams: Provide training on reacting to vulnerability alerts and remediation procedures.
Conclusion
Automated vulnerability scanning in GitHub Actions secures your software supply chain and CI/CD workflow against emerging threats, aligns with industry standards, and enables your engineering teams to move fast without sacrificing security. By making vulnerability detection part of daily development, you dramatically lower risk, increase compliance, and create a culture of secure DevOps.
For more on securing your software supply chain, check out Trivy’s documentation or SLSA’s official site to align your workflow with best practices. If you need enterprise-grade solutions and automated compliance, explore how Quaerens Software’s Perspicax and Probatus Suite can automate vulnerability management at scale.
Start protecting your code today—secure, scan, and succeed.
Comments