.pr-body-trivy.md

Harden Python build pipeline with Trivy security gate, artifact normalization, and CI improvements

Summary

• Purpose: Introduce a consistent, security-aware build process for Python artifacts, with clear outputs and security reports to support automated release workflows.
• Scope: Adds Trivy scanning and a gate script, hardens Dockerfile and Makefile, normalizes artifact naming, and updates CI workflows to upload SBOM, vulnerability, and secret reports.

Changes

• Makefile:
  • Introduces normalized host artifact names including linux-<UBUNTU_VERSION>-<ARCH>.
  • Adds Trivy integration variables and gate thresholds, container runtime detection, and robust artifact extraction from the container.
  • Copies SBOM (*.sbom.json), Trivy vulnerability and secret reports, plus gate logs into python-versions/output.
  • Adds verify-gate target to print gate summary and logs.
• Dockerfile (python-versions/Dockerfile):
  • Hardens builder image: explicit SHELL, stricter compiler flags, trimmed installs, and cleanup.
  • Installs Trivy, performs pre-build secret/misconfig scans, and post-build SBOM + vulnerability + secret scans.
  • Adds trivy-gate.sh into the image and runs it, capturing trivy-gate.log and trivy-gate-result.json.
  • Recovers built Python into /opt/Python/<version>/<arch> and ensures python3/pip3 links, healthcheck on python3.
• Trivy Gate Script (python-versions/trivy-gate.sh):
  • New script to enforce severity-based gating with configurable thresholds.
  • Produces machine-readable trivy-gate-result.json and human-readable trivy-gate.log.
  • Validates inputs, handles missing dependencies, and prints clear failure reasons.
• Workflows:
  • Adjusts matrix OS/arch definitions in sample workflow.
  • In release workflows, adds contents: write, sets Python 3.13, fixes filter parsing, ensures Docker availability, and uploads all security artifacts and logs.
  • Enhances reusable release to accept a files input and improves manifest generation by robust asset parsing (handles trivy-python-* and *.json/*.log).

Context

• Ensures artifacts are consistent across CI and local builds, easing consumption by reusable workflows and release processes.
• Adds early detection of misconfigurations or secrets and records SBOMs for transparency and downstream analysis.
• Supports multi-arch builds and aligns naming with release asset expectations.

Commit History (branch-only)

• 4b2736a: feat(trivy-gate): enhance script with improved logging, help documentation, and validation checks
• 3563a26: chore(docker): harden builder image, add Trivy scans, artifact extraction & gate
• 069559a: feat(build): modernize Makefile — standardized artifacts, security gates & container extraction
• 257f554: ci(workflows): add Docker availability, upload security artifacts and robust manifest generation
• bc4b527: ci(workflows): harden workflows with quoting, matrix fixes and actionlint

Impact

• Improves supply-chain security posture with SBOMs and scanning outputs.
• Enables automated gating for critical/high issues and secret leaks.
• Standardizes artifacts to simplify downstream release and manifest updates.

Testing

• Local builds produce tar, SBOM, vulnerability/secret reports, gate JSON and log under python-versions/output.
• Healthcheck ensures python3 availability in the final image.

Risks

• Gate thresholds can block builds if set to enforce critical/high findings; defaults currently non-blocking in Dockerfile gate invocation.