From 046c3172808f20a85c45c183d8bc5cf75cd8df0c Mon Sep 17 00:00:00 2001
From: fyzanshaik-atlan
Date: Tue, 10 Feb 2026 13:04:02 +0530
Subject: [PATCH] chore(ci): add security scans, pr build check and dependency upgrades
---
 .github/workflows/mcp-build.yml | 30 ++++++++++++++++++++++++
 .github/workflows/mcp-scheduled-scan.yml | 22 +++++++++++++++++
 .github/workflows/mcp-trivy.yml | 27 +++++++++++++++++++++
 .github/workflows/verify-snyk-status.yml | 11 +++++++++
 4 files changed, 90 insertions(+)
 create mode 100644 .github/workflows/mcp-build.yml
 create mode 100644 .github/workflows/mcp-scheduled-scan.yml
 create mode 100644 .github/workflows/mcp-trivy.yml
 create mode 100644 .github/workflows/verify-snyk-status.yml
diff --git a/.github/workflows/mcp-build.yml b/.github/workflows/mcp-build.yml
new file mode 100644
index 0000000..8a564dc
--- /dev/null
+++ b/.github/workflows/mcp-build.yml
@@ -0,0 +1,30 @@
+name: MCP Build Check
+
+on:
+ pull_request:
+ types: [opened, synchronize, reopened]
+ branches: [main]
+ paths:
+ - "modelcontextprotocol/**"
+ - ".github/workflows/mcp-server-release.yml"
+ - ".github/workflows/mcp-build.yml"
+
+jobs:
+ build-mcp-image:
+ runs-on: ubuntu-latest
+ timeout-minutes: 20
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build MCP image
+ uses: docker/build-push-action@v5
+ with:
+ context: ./modelcontextprotocol/
+ file: ./modelcontextprotocol/Dockerfile
+ push: false
+ load: true
+ tags: mcp-build-check:latest
diff --git a/.github/workflows/mcp-scheduled-scan.yml b/.github/workflows/mcp-scheduled-scan.yml
new file mode 100644
index 0000000..7b8f94b
--- /dev/null
+++ b/.github/workflows/mcp-scheduled-scan.yml
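Review bot: The build job in mcp-build.yml declares no `permissions:` block, so the GITHUB_TOKEN it runs with falls back to the repository's default token setting, which depending on that setting can be write-all; none of the three steps (checkout, buildx setup, a `push: false` build) needs more than read access, so add at the top level `permissions:` followed by `  contents: read`, the same way mcp-trivy.yml in this patch already does. The same omission applies to mcp-scheduled-scan.yml and verify-snyk-status.yml, where the caller's permissions are what bounds the reusable workflow they invoke. Separately, the three actions are referenced by floating major tags (`actions/checkout@v4`, `docker/setup-buildx-action@v3`, `docker/build-push-action@v5`); pinning each to a full commit SHA with the version kept in a trailing comment (e.g. `uses: actions/checkout@<full-commit-sha>  # v4`) closes the tag-retarget supply-chain path and keeps the build reproducible.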
@@ -0,0 +1,22 @@
+name: MCP Scheduled Security Scan
+
+on:
+ schedule:
+ # Every Monday at 09:00 UTC
+ - cron: '0 9 * * 1'
+ workflow_dispatch: # Allow manual trigger
+
+jobs:
+ scan:
+ uses: atlanhq/.github/.github/workflows/reusable-trivy-scan-scheduled.yml@main
+ with:
+ image_context: './modelcontextprotocol/'
+ dockerfile: './modelcontextprotocol/Dockerfile'
+ image_tag: 'mcp-scheduled-scan:latest'
+ scan_uv_lock: true
+ uv_lock_path: 'modelcontextprotocol/uv.lock'
+ service_name: 'MCP Server'
+ linear_team_id: ${{ vars.LINEAR_TEAM_ID }}
+ linear_priority: 2
+ secrets:
+ LINEAR_API_KEY: ${{ secrets.LINEAR_API_KEY }}
diff --git a/.github/workflows/mcp-trivy.yml b/.github/workflows/mcp-trivy.yml
new file mode 100644
index 0000000..5ec0f33
--- /dev/null
+++ b/.github/workflows/mcp-trivy.yml
@@ -0,0 +1,27 @@
+name: MCP Trivy Scan
+
+on:
+ pull_request:
+ types: [opened, synchronize, reopened]
+ branches: [main]
+ paths:
+ - "modelcontextprotocol/**"
+ - ".github/workflows/mcp-trivy.yml"
+
+permissions:
+ contents: read
+ pull-requests: write
+ actions: read
+ security-events: write
+
+jobs:
+ trivy:
+ uses: atlanhq/.github/.github/workflows/reusable-trivy-scan.yml@main
+ with:
+ image_context: './modelcontextprotocol/'
+ dockerfile: './modelcontextprotocol/Dockerfile'
+ image_tag: 'mcp-trivy:latest'
+ scan_uv_lock: true
+ uv_lock_path: 'modelcontextprotocol/uv.lock'
+ add_pr_comment: true
+ comment_title: 'MCP Trivy Scan Results'
diff --git a/.github/workflows/verify-snyk-status.yml b/.github/workflows/verify-snyk-status.yml
new file mode 100644
index 0000000..473068b
--- /dev/null
+++ b/.github/workflows/verify-snyk-status.yml
@@ -0,0 +1,11 @@
+name: Verify Snyk Status
+
+on:
+ pull_request:
+ types: [opened, synchronize, reopened]
+ branches: [main]
+
+jobs:
+ verify-snyk:
+ uses: atlanhq/.github/.github/workflows/verify-snyk-status.yml@main
+ secrets: inherit
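Review bot: The reusable workflow in mcp-scheduled-scan.yml is referenced by a mutable branch, `uses: atlanhq/.github/.github/workflows/reusable-trivy-scan-scheduled.yml@main`, so any push to that repository's main branch changes what this weekly job executes while holding `LINEAR_API_KEY`, with no change reviewable in this repository. Referencing a release tag or commit SHA instead (`uses: atlanhq/.github/.github/workflows/reusable-trivy-scan-scheduled.yml@<tag-or-commit-sha>`) makes the scan reproducible and the upgrade an explicit, reviewed bump. mcp-trivy.yml and verify-snyk-status.yml in this patch use the same `@main` reference and should be pinned the same way. Because the called repo is the organisation's own `.github` repo the exposure is smaller than with a third-party action, but the pin is still what ties a given run to known code.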
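Review bot: In mcp-trivy.yml, `pull-requests: write` is granted so that `add_pr_comment: true` can post results, but on `pull_request` runs opened from a fork the token is read-only regardless of this block, so if the repository accepts fork PRs the comment step inside `reusable-trivy-scan.yml` should be expected to fail or be skipped there; it is worth confirming that the reusable workflow tolerates the missing permission rather than turning a clean scan into a red check. A short comment above the block, `# pull-requests: write is ineffective for fork PRs; the scan result still gates, the comment is best-effort`, would record the intended behaviour. The `paths` filter also means this job never runs for a PR outside `modelcontextprotocol/**`, so if it is made a required status check in branch protection, such PRs would wait on a check that never reports; that is a repository-settings decision rather than a defect in the file.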
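Review bot: `secrets: inherit` in verify-snyk-status.yml forwards every secret the calling workflow can see (repository, environment and organisation level) to the reusable workflow, whereas the job plausibly needs only the Snyk credential. mcp-scheduled-scan.yml in this same patch already uses the narrower form, a `secrets:` mapping naming the one key it passes, so the same shape here, `secrets:` followed by `  <SNYK_SECRET_NAME>: ${{ secrets.<SNYK_SECRET_NAME> }}` with the real name taken from the reusable workflow's declared inputs, keeps the set of secrets exposed to the `@main` workflow minimal. If the required secret name is not known at review time, that is the thing to look up before merging rather than keeping `inherit` as a placeholder.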