wip on trivy triage

brendan-kellam · brendan-kellam · commit ff91fbe4f0b2 · 2026-04-14T14:31:39.000-07:00
diff --git a/.github/workflows/trivy-vulnerability-triage.yml b/.github/workflows/trivy-vulnerability-triage.yml
@@ -64,3 +64,37 @@ jobs:
           name: trivy-results
           path: trivy-results.txt
           retention-days: 30
+  triage:
+    name: Claude Analysis & Linear Triage
+    needs: scan
+    if: needs.scan.outputs.has_vulnerabilities == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+ 
+      - name: Download scan results
+        uses: actions/download-artifact@v4
+        with:
+          name: trivy-results
+ 
+      - name: Analyze and create Linear issues
+        uses: anthropics/claude-code-action@v1
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          claude_args: |
+            --allowed_tools Bash,Read,Write,Edit,Glob,Grep
+            --model claude-sonnet-4-6
+          prompt: |
+            You are a security engineer triaging a Trivy vulnerability scan for the Sourcebot Docker image.
+ 
+            ## Your Task
+ 
+            Your task is to read and analyze the Trivy scan results in `trivy-results.txt`. You should group
+            CVEs into the minimum set of actionable remidation items. Many CVEs can share a signle remidation
+            item. Read files such as `Dockerfile`, `package.json` and `go.mod` to gather information about
+            dependencies within Sourcebot. Use `yarn why <package> --recursive` to determine why a given
+            npm package is being included. Report your findings in a concise and readible format for a engineer
+            to review.
