added trivy vunerability scanning to ci pipeline #112

Open: iamdeepaktiwari08 wants to merge 4 commits into Devnil434:main from iamdeepaktiwari08:add-trivy-scan

@iamdeepaktiwari08 iamdeepaktiwari08 commented May 25, 2026

Description

Integrated Trivy vulnerability scanning into the GitHub Actions CI workflow.

Changes Made

  • Added Trivy filesystem security scanning
  • Improved CI/CD security posture
  • Added automated vulnerability detection

Benefits

  • Early dependency vulnerability detection
  • Improved DevSecOps practices
  • Better repository security

Summary by CodeRabbit

  • Chores
    • CI pipeline now includes automated filesystem vulnerability scanning to block builds on critical/high issues.
  • Bug Fixes
    • Improved startup behavior for the tracking service to ensure it runs reliably when invoked.
  • Refactor
    • Package initialization clarified to consistently expose available service modules for consumers.

coderabbitai Bot commented May 25, 2026

Walkthrough

Adds a Trivy filesystem vulnerability scan to the phase3-tests GitHub Actions job and updates the services package initializer plus small tracking module import and entrypoint adjustments.

Changes

CI Workflow Security Enhancement

| Layer / File(s) | Summary |
|---|---|
| Trivy filesystem vulnerability scan step (.github/workflows/phase3-tests.yml) | The memory test job now runs an aquasecurity/trivy-action step after pytest, configured to scan the filesystem (scan-type: fs) against the repository workspace (scan-ref: .) and fail on CRITICAL,HIGH severities. |

Services package and tracking updates

| Layer / File(s) | Summary |
|---|---|
| services package initializer (services/__init__.py) | Replaces eager subpackage import with a module docstring and an explicit __all__ listing tracking, memory, detection, and reasoning without importing them. |
| tracking import path and entrypoint (services/tracking/tracker.py) | Changes configuration import from Eagle.libs.config.settings to libs.config.settings and adjusts the __main__ guard so main() is invoked at module execution. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through code to guard the nest,
A Trivy check to do its best,
Services tidy, imports neat,
Tracker wakes and calls to greet,
Safe builds now hop on with zest.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'added trivy vulnerability scanning to ci pipeline' accurately describes the primary change: integration of Trivy scanning into the GitHub Actions workflow, though it contains a typo ('vunerability' instead of 'vulnerability'). |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/phase3-tests.yml (1)

26-30: ⚡ Quick win

Consider adding output configuration and artifact upload.

The scan results are currently only visible in workflow logs. Adding structured output and uploading results as artifacts improves tracking, enables trend analysis, and makes it easier to review findings without re-running the workflow.

📊 Suggested enhancement
       - name: Run Trivy Vulnerability Scanner
         uses: aquasecurity/trivy-action@master
         with:
           scan-type: fs
           scan-ref: .
+          format: sarif
+          output: trivy-results.sarif
+      
+      - name: Upload Trivy scan results
+        uses: actions/upload-artifact@v4
+        if: always()  # Upload even if scan fails
+        with:
+          name: trivy-scan-results
+          path: trivy-results.sarif
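
Review bot: The `with:` block in this suggestion still has no `exit-code` (or `severity`), so once `output: trivy-results.sarif` sends the report to a file the job passes even when findings are present; add `exit-code: 1` next to `format` and `output` so the uploaded artifact documents a failed gate rather than being the only signal. The context line `uses: aquasecurity/trivy-action@master` also keeps a moving branch ref and should be pinned to a release tag or commit SHA in the same change.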

Alternatively, use format: table for human-readable output or format: json for programmatic processing.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/phase3-tests.yml around lines 26 - 30, Update the "Run
Trivy Vulnerability Scanner" step (uses: aquasecurity/trivy-action@master) to
emit structured output by adding a format and output file (e.g., set format:
json and output: ./trivy-results.json or format: table for human-readable), then
add a following job step that uses actions/upload-artifact to upload that output
file (e.g., trivy-results.json) as a workflow artifact for later review and
trend analysis; ensure the scan-step writes to the specified output path so the
upload step can find and attach the artifact.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/phase3-tests.yml:
- Around line 26-30: The Trivy step using "uses:
aquasecurity/trivy-action@master" currently sets scan-type and scan-ref but does
not set an exit-code, so the job won't fail on found vulnerabilities; update
that action block to include "exit-code: 1" (and optionally "severity" to
control which severities cause failure) so the workflow fails when
vulnerabilities are detected, ensuring the Trivy scan acts as a security gate.
- Line 27: The workflow currently references the Trivy action using a moving ref
("uses: aquasecurity/trivy-action@master"); change this to a fixed release tag
to make the workflow deterministic (for example replace the "`@master`" ref with a
specific version tag like "`@v0.36.0`" or another vetted release) in the uses line
so CI uses a reproducible action version and reduces
supply-chain/breaking-change risk.

📥 Commits

Reviewing files that changed from the base of the PR and between 9490d54 and 9a691d0.

📒 Files selected for processing (1)
  • .github/workflows/phase3-tests.yml

Comment thread .github/workflows/phase3-tests.yml Outdated
Comment thread .github/workflows/phase3-tests.yml
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
@iamdeepaktiwari08 (Contributor, Author)

The failing workflow appears to be caused by an existing test/import issue (ModuleNotFoundError: No module named 'Eagle') unrelated to the Trivy integration changes. The Trivy vulnerability scanning workflow has been added successfully to the CI pipeline.

@iamdeepaktiwari08 (Contributor, Author)

@Devnil434
Hi maintainers,
Just following up on this PR. The Trivy workflow integration has been added successfully, and the remaining failing check appears to be related to an existing test/import issue rather than the changes introduced in this PR.
Please let me know if any updates are needed from my side. Thank you for your time and review.

@kunal-9090

I checked the failing Phase 3 CI for this PR. The failure is unrelated to Trivy itself: tests/test_memory.py imports services.memory, but services/__init__.py eagerly imports tracking, causing the memory-only CI job to load services/tracking/tracker.py and fail on unrelated tracking imports/deps.

I prepared a fix branch here: https://github.com/kunal-9090/Eagle/tree/codex/fix-pr-112-ci

Fix included:
- update services/tracking/tracker.py to use from libs.config.settings import settings
- remove eager tracking import from services/__init__.py so Phase 3 CI stays isolated

Local verification: python -m ruff check services/memory/ libs/schemas/memory.py services/__init__.py services/tracking/tracker.py passes. I could not push directly to this contributor fork; GitHub returned 403 for kunal-9090.

@iamdeepaktiwari08 (Contributor, Author)

@kunal-9090
Thank you for investigating the issue and preparing a fix. I understand the CI failure is unrelated to the Trivy integration. I will review the proposed changes and apply them to my branch so the checks can be re-run. Thanks for your support.

@coderabbitai coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
services/tracking/tracker.py (1)

21-31: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Move repo-root sys.path setup before internal package imports.

Line 21 imports libs... before Line 29 inserts repo root into sys.path, so standalone execution can fail before bootstrap runs.

Proposed fix
 from __future__ import annotations
 
 import argparse
 import logging
 import time
 from pathlib import Path
+import sys
 
+# ── adjust sys.path so we can import sibling packages ──────────────────────
+sys.path.insert(0, str(Path(__file__).resolve().parents[2]))  # repo root
+
 from libs.config.settings import settings
 import cv2
 import numpy as np
 from deep_sort_realtime.deepsort_tracker import DeepSort
 
-# ── adjust sys.path so we can import sibling packages ──────────────────────
-import sys
-
-sys.path.insert(0, str(Path(__file__).resolve().parents[2]))  # repo root
-
 from libs.schemas.detection import DetectionFrameSchema
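
Review bot: The relocated `sys.path.insert(0, ...)` still executes at import time, so every consumer that imports `services.tracking.tracker` (not only standalone runs) gets the repo root placed ahead of site-packages, where a top-level directory in the repo can shadow an installed package of the same name. Consider dropping the bootstrap and running the tracker from the repo root with `python -m services.tracking.tracker`, or installing the project as a package, so `libs` resolves without the module mutating `sys.path`.
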
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@services/tracking/tracker.py` around lines 21 - 31, The repo-root sys.path
insertion is placed after internal package imports causing import failures when
run standalone; move the sys.path.insert(0,
str(Path(__file__).resolve().parents[2])) line (and any required Path import) to
before any imports from the libs package (e.g., before "from
libs.config.settings import settings" and "from libs.schemas.detection import
DetectionFrameSchema"), so that DeepSort, cv2, numpy can remain but all internal
libs imports resolve correctly at module import time.
.github/workflows/phase3-tests.yml (1)

13-32: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add an explicit least-privilege permissions block for this job.

GITHUB_TOKEN currently uses default permissions, which are broader than needed. Define minimal permissions (at least contents: read) to reduce workflow token blast radius.

🔐 Suggested patch
 jobs:
   test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
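
Review bot: `contents: read` is added at job level under `test:`, so any job added to this workflow later falls back to the repository default; declaring `permissions:` at the top level of the workflow makes read-only the default and lets individual jobs opt in to more. With the token reduced, also set `persist-credentials: false` on the `actions/checkout@v4` step so the token is not left in the checkout's git config for the later steps in the job.
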
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/phase3-tests.yml around lines 13 - 32, The workflow job
"test" currently relies on default GITHUB_TOKEN permissions; add an explicit
least-privilege permissions block for that job by inserting a permissions:
mapping (e.g., permissions: contents: read) scoped to the test job (or at
top-level) so only the minimal permission is granted for actions/checkout and
related steps; update the job definition named "test" to include this
permissions entry near the top of the job stanza.

📥 Commits

Reviewing files that changed from the base of the PR and between 9a691d0 and cbb5a40.

📒 Files selected for processing (3)
  • .github/workflows/phase3-tests.yml
  • services/__init__.py
  • services/tracking/tracker.py
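
The three workflow findings raised in the two CodeRabbit reviews above (an action pinned to a branch, a Trivy step with no `exit-code`, and no `permissions` block) can be checked mechanically before a workflow change is merged. The following is an added example, not code from this PR or from the project; the finding names, the functions `lint`, `ref_kind` and `step_inputs`, and the sample workflow are constructed for illustration, and the line-based parsing assumes `with:` follows `uses:` within a step.

```python
import re

# Constructed sample mirroring the step under review (not the project's actual file).
SAMPLE = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy Vulnerability Scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: .
"""
USES = re.compile(r"^(\s*)(-\s+)?uses:\s*([\w./-]+)@(\S+)")
KEY = re.compile(r"^\s+([\w-]+):\s*(.*)$")

def ref_kind(ref):
    """Classify an action ref as full commit SHA, version tag, or branch-like name."""
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "sha"
    return "tag" if re.fullmatch(r"v?\d+(\.\d+)*", ref) else "branch"

def step_inputs(lines, indent):
    """Collect the keys of one step, stopping at the next list item or a dedent."""
    inputs = {}
    for line in lines:
        if line.lstrip().startswith("- ") or len(line) - len(line.lstrip()) < indent:
            break
        m = KEY.match(line)
        if m:
            inputs[m.group(1)] = m.group(2).strip("'\" ")
    return inputs

def lint(text):
    lines = [l for l in text.splitlines() if l.strip()]  # ignore blank lines
    findings = []
    if not any(re.match(r"\s*permissions:", l) for l in lines):
        findings.append("no-permissions-block")
    for i, line in enumerate(lines):
        m = USES.match(line)
        if m and ref_kind(m.group(4)) == "branch":
            findings.append(f"mutable-ref:{m.group(3)}@{m.group(4)}")
        if m and m.group(3) == "aquasecurity/trivy-action":
            inputs = step_inputs(lines[i + 1:], len(m.group(1)))
            if inputs.get("exit-code", "0") == "0":  # unset or 0: scan cannot fail the job
                findings.append("trivy-not-gating")
    return findings
```

A version tag such as `v4` is reported as acceptable here; only a full commit SHA is immutable, so a stricter policy would flag anything where `ref_kind` is not `"sha"`.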

@iamdeepaktiwari08 (Contributor, Author)

@kunal-9090
Thank you for the earlier CI fix. After resolving the merge conflicts, the current failures appear unrelated to the Trivy workflow changes:

  • Phase 3: ModuleNotFoundError: No module named 'cv2' during test collection.
  • Phase 4: Ruff F821 undefined name 'json' in services/reasoning/pipeline.py.

These seem to originate from recent upstream changes. Please let me know whether you'd like me to prepare a follow-up fix.
