Add Security & License Scanning Workflow to CI #1067

Closed
bupd wants to merge 3 commits into kitops-ml:main from bupd:fix-license-issue

Contributor

@bupd bupd commented Jan 20, 2026

Description

  • Add Trivy license scanner job to PR validation workflow to catch license issues early

CI Workflow

  • Added check-licenses job to .github/workflows/pr.yaml
  • Scans for HIGH and CRITICAL severity license issues and other security issues.
  • Uses pinned trivy-action v0.33.1

Linked issues

AI-Assisted Code

  • This PR contains AI-generated code that I have reviewed and tested
  • I take full responsibility for all code in this PR, regardless of how it was created

bupd added 3 commits January 21, 2026 05:18
Signed-off-by: bupd <bupdprasanth@gmail.com>
Signed-off-by: bupd <bupdprasanth@gmail.com>
Signed-off-by: bupd <bupdprasanth@gmail.com>
@bupd changed the title from "Add License Scanning Workflow to CI" to "Add Security & License Scanning Workflow to CI" Jan 21, 2026
@gorkem requested a review from Copilot February 2, 2026 18:48
Contributor

Copilot AI left a comment

Pull request overview

This pull request adds automated security and license scanning to the CI pipeline using Trivy, and includes Docker security improvements by switching containers to run as non-root users. The changes address issue #1038 regarding potential license issues discovered when running SBOM analysis.

Changes:

  • Added a check-security job to the PR validation workflow that scans for vulnerabilities, secrets, misconfigurations, and license issues using Trivy
  • Modified two Dockerfiles to run containers as the nobody user instead of root for improved security posture

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| .github/workflows/pr.yaml | Adds new check-security job with Trivy scanner to detect HIGH and CRITICAL security and license issues during PR validation |
| build/dockerfiles/init/Dockerfile | Switches container to run as nobody user for security hardening |
| build/ci/Dockerfile | Switches container to run as nobody user with proper permission handling for the test directory |

@@ -8,6 +8,8 @@ FROM $KIT_BASE_IMAGE
COPY entrypoint.sh /usr/local/bin/entrypoint.sh
COPY --from=cosign-install /ko-app/cosign /usr/local/bin/cosign

Copilot AI Feb 2, 2026

Switching to USER nobody without adjusting file permissions may cause runtime failures. The base image (KIT_BASE_IMAGE) creates /home/user/ owned by the kit user (UID 1001), but the entrypoint.sh script defaults to unpacking to /home/user/modelkit/. The nobody user won't have write permissions to this directory.

Consider adding a RUN command before USER nobody to ensure the nobody user can write to necessary directories, similar to the approach used in build/ci/Dockerfile:11 where permissions are set with chown -R nobody:nogroup /app before switching users. Alternatively, you could create and set permissions on the default unpack path:

RUN mkdir -p /home/user/modelkit && chown -R nobody:nogroup /home/user

Member

@bupd this sounds like a valid concern

Comment thread .github/workflows/pr.yaml
Comment on lines +105 to +106
check-security:
name: Security and license scan

Copilot AI Feb 2, 2026

The PR description states that a "check-licenses" job was added, but the actual job name in the workflow is "check-security". While this is a minor discrepancy and the broader name "check-security" is arguably more accurate given that the job scans for vulnerabilities, secrets, misconfigurations, and licenses (not just licenses), the PR description should be updated to match the actual implementation.

COPY entrypoint.sh /usr/local/bin/entrypoint.sh
COPY --from=cosign-install /ko-app/cosign /usr/local/bin/cosign

USER nobody
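
Review bot: USER nobody gives the account by name rather than by numeric UID, and when this image is run under Kubernetes with runAsNonRoot: true the kubelet cannot verify a non-numeric user and refuses to start the container. Use the numeric UID and GID that nobody has in $KIT_BASE_IMAGE on the USER line instead of the name, so the non-root guarantee can be checked by the platform and does not depend on the base image's passwd file.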

Copilot AI Feb 2, 2026

The PR description does not mention the Docker USER changes in this file. This is a significant security-related change that switches the container to run as the nobody user instead of root (or the kit user from the base image). While this aligns with security best practices, such changes should be documented in the PR description, especially since this change has potential implications for container permissions and runtime behavior.

Comment thread build/ci/Dockerfile
chown -R nobody:nogroup /app

ENTRYPOINT ["bats", "tests"] No newline at end of file
USER nobody
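
Review bot: chown -R nobody:nogroup /app makes the runtime user the owner of everything under /app, including the tests that ENTRYPOINT ["bats", "tests"] executes, so the unprivileged user can still rewrite the code it runs. Leave /app owned by root and chown only the directory the tests need to write to. The group name nogroup is also distribution-specific, so numeric IDs in both the chown and the USER line would make this independent of the base image.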

Copilot AI Feb 2, 2026

The PR description does not mention the Docker USER changes in this file. This is a significant security-related change that switches the container to run as the nobody user. While this aligns with security best practices, such changes should be documented in the PR description.

Contributor

@amisevsk amisevsk left a comment

I'm hesitant to add a license scanner "just because". Why are we choosing Trivy over another option? What will the Trivy scanner give the project -- i.e. what deficiency is it addressing?

Comment thread .github/workflows/pr.yaml
Comment on lines +112 to +119
- name: Run Trivy scanner
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
with:
scan-type: 'fs'
scan-ref: '.'
scanners: 'vuln,secret,misconfig,license'
severity: 'HIGH,CRITICAL'
exit-code: '1'
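
Review bot: exit-code: '1' together with scanners: 'vuln,secret,misconfig,license' and scan-ref: '.' fails the PR on any HIGH or CRITICAL finding anywhere in the tree, including vulnerabilities with no fixed version and findings the PR did not introduce, and there is no way shown here to record a triaged false positive. Set ignore-unfixed: true and point the action's trivyignores input at a reviewed ignore file, and consider running the license scanner as its own step so a license failure can be told apart from a vulnerability or misconfiguration failure.
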
Contributor

The listed issue appears to be a false positive -- I'm not sure how adding another scanner would avoid this.

@amisevsk amisevsk closed this Mar 23, 2026
Development

Successfully merging this pull request may close these issues.

Might be a license issue

4 participants