Skip to content

[devbin] Helper script to trigger trivy scans#15515

Merged
hail-ci-robot merged 4 commits into
hail-is:mainfrom
cjllanwarne:cjl_trivy_scan_trigger
Jun 5, 2026
Merged

[devbin] Helper script to trigger trivy scans#15515
hail-ci-robot merged 4 commits into
hail-is:mainfrom
cjllanwarne:cjl_trivy_scan_trigger

Conversation

@cjllanwarne
Copy link
Copy Markdown
Collaborator

@cjllanwarne cjllanwarne commented May 29, 2026

Change Description

Local script to help automate triggering the trivy scan against batch images every week.

  • Looks for the latest (complete) prod deploy batch
  • Extracts the sha attribute (for trivy to record results against)
  • Extracts the built image name (for trivy to scan)
  • Prompts the user to trigger the trivy-scan github action

Security Assessment

  • This change cannot impact the Hail Batch instance as deployed by Broad Institute in GCP

@cjllanwarne cjllanwarne requested a review from Copilot May 29, 2026 17:20
Copilot AI reviewed May 29, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a developer helper script for finding the latest completed production deploy batch, extracting the Batch image and commit SHA, and optionally triggering the Trivy scan workflow.

Changes:

  • Adds devbin/trivy-scan-trigger.py.
  • Queries Hail Batch metadata via hailctl.
  • Builds and runs a gh workflow run trivy-scan.yml command after user confirmation.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread devbin/trivy-scan-trigger.py Outdated


def find_batch_id():
batches = json.loads(run(['hailctl', 'batch', 'list', '--query', 'batch_type=ci/deploy/prod complete', '--limit', '1', '-o', 'json']))
Comment thread devbin/trivy-scan-trigger.py Outdated


def find_image(batch_id):
jobs = json.loads(run(['hailctl', 'batch', 'jobs', str(batch_id), '--name', 'batch_image', '-o', 'json']))
grohli
grohli approved these changes Jun 5, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@grohli grohli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Thanks Chris

@hail-ci-robot hail-ci-robot merged commit 50d11ed into hail-is:main Jun 5, 2026
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@grohli grohli grohli approved these changes

@kush-chandra kush-chandra kush-chandra approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@cjllanwarne @grohli @kush-chandra @hail-ci-robot