CVE Scan workflow (yuzutech/kroki)
The CVE Scan workflow from yuzutech/kroki, explained and optimized by Latchkey.
CI health: B - good
Point runs-on at Latchkey and get job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the CVE Scan workflow from the yuzutech/kroki repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: "CVE Scan"
on:
schedule:
- cron: '0 0 * * *'
workflow_dispatch: { }
jobs:
scan-images:
name: Scan latest public image
runs-on: ubuntu-latest
continue-on-error: true
strategy:
matrix:
image: [ kroki, kroki-mermaid, kroki-bpmn, kroki-excalidraw, kroki-diagramsnet ]
tag: [ latest ]
steps:
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/yuzutech/${{ matrix.image }}:${{ matrix.tag }}'
severity: 'CRITICAL,HIGH'
format: 'table'
# we can set to 0 to avoid breaking the pipeline
exit-code: '0'
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: "CVE Scan" on: schedule: - cron: '0 0 * * *' workflow_dispatch: { } jobs: scan-images: timeout-minutes: 30 name: Scan latest public image runs-on: latchkey-small continue-on-error: true strategy: matrix: image: [ kroki, kroki-mermaid, kroki-bpmn, kroki-excalidraw, kroki-diagramsnet ] tag: [ latest ] steps: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: image-ref: 'docker.io/yuzutech/${{ matrix.image }}:${{ matrix.tag }}' severity: 'CRITICAL,HIGH' format: 'table' # we can set to 0 to avoid breaking the pipeline exit-code: '0'
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Add a job timeout so a hung step cannot burn hours of runner time.
1 third-party action is referenced by a movable tag. Pin it to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
This workflow runs 1 job (5 with the matrix expanded) per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.