Fix/trivy docker scan#249
Conversation
|
@palakjaiswal16 is attempting to deploy a commit to the rishabhmishra0510-5147's projects Team on Vercel. A member of the Team first needs to authorize it. |
|
Warning Review limit reached
More reviews will be available in 50 minutes and 29 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (5)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
This PR updates the GitHub Release workflow to add a Trivy vulnerability scan step before pushing the backend Docker image to GHCR, and also introduces backend-side LLM provider fallback orchestration (plus config and unit tests) to support multi-provider retries.
Changes:
- Split the backend Docker publish process in
release.ymlinto build → Trivy scan → push. - Added
ENVFORGE_LLM_PROVIDER_FALLBACKSsupport and implemented aFallbackProviderthat tries multiple LLM providers in order. - Updated AI troubleshoot service logging/audit fields to capture the effective provider/model after fallback resolution, and added unit tests for the fallback chain.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
.github/workflows/release.yml |
Builds backend image locally, scans it with Trivy, then pushes tags to GHCR. |
backend/app/ai/providers/__init__.py |
Adds provider fallback orchestration and provider-chain parsing/builder logic. |
backend/app/ai/service.py |
Records provider/model after completion to reflect the actual provider used after fallback. |
backend/app/config.py |
Adds a new settings field for fallback provider ordering. |
backend/tests/unit/ai/test_fallback_provider.py |
Adds unit tests covering fallback behavior and provider-chain parsing. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| primary_index = DEFAULT_FALLBACK_ORDER.index(primary) | ||
| chain = list(DEFAULT_FALLBACK_ORDER[primary_index:]) |
| - name: Build Backend Docker image | ||
| uses: docker/build-push-action@v5 | ||
| with: | ||
| context: ./backend | ||
| file: ./backend/Dockerfile | ||
| push: true | ||
| load: true | ||
| tags: | | ||
| ghcr.io/${{ env.REPO_LC }}/backend:latest | ||
| ghcr.io/${{ env.REPO_LC }}/backend:${{ github.ref_name }} | ||
|
|
||
| - name: Scan Backend Docker image with Trivy | ||
| uses: aquasecurity/trivy-action@v0.36.0 | ||
| with: | ||
| image-ref: ghcr.io/${{ env.REPO_LC }}/backend:${{ github.ref_name }} | ||
| scan-type: image | ||
| vuln-type: os,library | ||
| severity: CRITICAL,HIGH | ||
| exit-code: "1" | ||
|
|
|
hey @palakjaiswal16 please consider copilot review and make sure all checks are successful currently some checks have failed |
Description
Integrated Trivy into the release workflow to scan the backend Docker image for vulnerabilities before it is pushed to GHCR. This ensures releases fail when HIGH or CRITICAL OS/library vulnerabilities are detected.
Related Issues
Fixes #189
Changes Made
aquasecurity/trivy-action@v0.36.0to scan the built backend image.HIGHandCRITICALvulnerabilities before pushing the image.Verification
pytest tests/successfullySafetyFilter.github/workflows/release.ymlparses successfully as YAMLDocumentation
docs/FEATURES.md(if adding a feature/profile)CHANGELOG.md