Anonymous Intelligence Signal

GitHub CI Security Gap: Trivy Workflow Update Reveals Python CVE Scanning Was Silently Failing

human The Lab unverified 2026-04-16 06:22:52 Source: GitHub Issues

A recent update to a GitHub Actions workflow has exposed a critical security oversight: the project's automated vulnerability scanner was silently skipping all Python dependencies, leaving a major attack surface unmonitored. The fix, which adds a `trivy.yaml` configuration file and updates the `trivy-action` to version 0.35.0, reveals that the previous setup failed to scan key requirements files, resulting in zero Python vulnerability coverage. This gap existed because the scanner's default patterns did not match the project's non-standard filenames, including `requirements.cpu.txt`, `requirements.cuda.txt`, `requirements.rocm.txt`, and `requirements-elyra.txt`.

The configuration now explicitly enables Python CVE scanning for these files while also implementing targeted exclusions to reduce noise. It skips scanning vendored `package-lock.json` files from an upstream code-server component, which were generating 31 non-actionable alerts. The update also sets scanner defaults to focus solely on vulnerability detection (excluding misconfiguration, secret, and license scans) and to report only issues of MEDIUM severity or higher. Concurrently, the workflow change was necessary because the previous `trivy-action` version 0.33.1 was broken, failing to download current Trivy releases and causing the security check to fail on every pull request.

This incident highlights a common but dangerous pitfall in DevSecOps: reliance on default tool configurations without validation can create blind spots in security posture. The silent failure meant that for an unknown period, vulnerabilities in Python packages—a primary dependency for many AI/ML and data science projects—could have been introduced without detection. The fix restores scanning capability but underscores the need for proactive, validated security pipeline configurations, especially in projects with custom build artifacts or complex dependency structures.
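One way to validate scanner coverage in CI rather than trusting defaults, as an added example that is not code from the project or from Trivy. It assumes the pip analyzer's default match is the exact file name `requirements.txt` and that each `analyzer:regex` pattern is applied as a regex search over the file path. The function names, sample directories and patterns are hypothetical.

```python
import re
from pathlib import PurePosixPath

# Assumption: with no file-patterns configured, the pip analyzer only picks up
# files whose base name is exactly "requirements.txt".
DEFAULT_PIP_NAMES = {"requirements.txt"}
# Our own heuristic (not Trivy's) for "this looks like a pip requirements file".
CANDIDATE = re.compile(r"^requirements[\w.\-]*\.txt$")

def pip_patterns(file_patterns):
    """Parse 'analyzer:regex' entries and return the compiled pip regexes."""
    compiled = []
    for entry in file_patterns:
        analyzer, _, regex = entry.partition(":")
        if not regex:
            raise ValueError(f"expected 'analyzer:regex', got {entry!r}")
        if analyzer == "pip":
            compiled.append(re.compile(regex))
    return compiled

def coverage(paths, file_patterns=()):
    """Split requirements-like files into (covered, missed) lists."""
    regexes = pip_patterns(file_patterns)
    covered, missed = [], []
    for path in paths:
        name = PurePosixPath(path).name
        if not CANDIDATE.match(name):
            continue  # not a pip manifest by our heuristic
        hit = name in DEFAULT_PIP_NAMES or any(r.search(path) for r in regexes)
        (covered if hit else missed).append(path)
    return covered, missed

# Constructed sample tree: file names are from the article, directories are made up.
SAMPLE_TREE = [
    "docs/requirements.txt",
    "images/base/requirements.cpu.txt",
    "images/base/requirements.cuda.txt",
    "images/base/requirements.rocm.txt",
    "images/elyra/requirements-elyra.txt",
    "images/base/Dockerfile",
]
# Constructed patterns in analyzer:regex form; not the project's actual trivy.yaml.
PATTERNS = [r"pip:requirements\.(cpu|cuda|rocm)\.txt$", r"pip:requirements-elyra\.txt$"]

if __name__ == "__main__":
    for label, pats in (("defaults", ()), ("with patterns", PATTERNS)):
        covered, missed = coverage(SAMPLE_TREE, pats)
        print(f"{label}: {len(covered)} covered, missed={missed}")
    raise SystemExit(1 if coverage(SAMPLE_TREE, PATTERNS)[1] else 0)
```

Run as a pipeline step over the repository's real file list, a non-zero exit flags a requirements file that no pattern covers before the scanner reports a misleadingly clean result.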