Continuous Remediation Workflows

Continuous Remediation Workflows

Implement continuous remediation to maintain security over time:

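# .github/workflows/continuous-remediation.yml
#
# Weekly (or manually dispatched) job: scan container images, build a
# remediation plan, apply the automated fixes, run the test suite and open a
# pull request with the result. Findings that cannot be fixed automatically
# are turned into issues by the last step.
name: Continuous Vulnerability Remediation

on:
  schedule:
    - cron: '0 0 * * 0'  # Weekly on Sunday, 00:00 UTC
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: the repository default is broader than
# this job needs. contents + pull-requests are used by create-pull-request;
# issues is for the manual-fix issue step (assumes that script authenticates
# with the token passed below — confirm against the script).
permissions:
  contents: write
  pull-requests: write
  issues: write

jobs:
  scan-and-remediate:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        # NOTE(review): pin third-party actions to a full commit SHA rather than
        # a mutable tag (e.g. actions/checkout@<commit-sha>  # v3) so a moved
        # tag cannot change what runs here. Same applies to create-pull-request.
        uses: actions/checkout@v3

      - name: Set up remediation environment
        run: |
          pip install -r scripts/requirements.txt
          # TODO: pin snyk to an exact version (npm install -g snyk@<version>);
          # an unpinned global install pulls whatever is latest on every run.
          npm install -g snyk

      # Scan artefacts are written to $RUNNER_TEMP, outside the checkout.
      # Written into the working tree they show up as untracked files, which
      # makes the "git status --porcelain" check below always report changes
      # and lets create-pull-request commit the raw JSON into the PR.
      - name: Scan all images
        id: scan
        run: |
          python scripts/scan_all_images.py > "$RUNNER_TEMP/scan_results.json"

      - name: Generate remediation plan
        id: plan
        run: |
          python scripts/generate_remediation_plan.py "$RUNNER_TEMP/scan_results.json" > "$RUNNER_TEMP/remediation_plan.json"

          # Extract summary values for the PR body and the manual-fix step.
          {
            echo "CRITICAL_COUNT=$(jq '.summary.critical' "$RUNNER_TEMP/remediation_plan.json")"
            echo "HIGH_COUNT=$(jq '.summary.high' "$RUNNER_TEMP/remediation_plan.json")"
            # Consumed by "Create issues for manual fixes"; that step's
            # condition can never be true unless this output is set.
            # TODO(review): '.summary.manual_fixes_needed' is an assumed field
            # name — confirm against generate_remediation_plan.py. '// false'
            # keeps the output a valid boolean when the field is absent.
            echo "MANUAL_FIXES_NEEDED=$(jq -r '.summary.manual_fixes_needed // false' "$RUNNER_TEMP/remediation_plan.json")"
          } >> "$GITHUB_OUTPUT"

      - name: Apply automated fixes
        id: fix
        run: |
          python scripts/apply_automated_fixes.py "$RUNNER_TEMP/remediation_plan.json"

          # Report whether the fixer changed anything in the working tree.
          if [ -n "$(git status --porcelain)" ]; then
            echo "CHANGES_MADE=true" >> "$GITHUB_OUTPUT"
          else
            echo "CHANGES_MADE=false" >> "$GITHUB_OUTPUT"
          fi

      # A failing test suite fails the job, so the PR step below never opens a
      # PR with broken fixes.
      - name: Run tests
        if: steps.fix.outputs.CHANGES_MADE == 'true'
        run: |
          make test
          make integration-test

      - name: Create Pull Request
        if: steps.fix.outputs.CHANGES_MADE == 'true'
        uses: peter-evans/create-pull-request@v5
        with:
          # PRs opened with GITHUB_TOKEN do not trigger pull_request workflows;
          # the test run above is therefore the only CI that covers this PR.
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: 'fix(security): Automated vulnerability remediation'
          title: '[Security] Automated Vulnerability Remediation'
          # NOTE(review): the "Security scans show reduced vulnerabilities"
          # bullet is not checked by any step in this job (there is no re-scan
          # after the fixes are applied); treat it as a reviewer prompt.
          body: |
            ## Automated Security Fixes
            
            This PR contains automated fixes for vulnerabilities detected in our container images.
            
            ### Summary
            - **Critical vulnerabilities fixed**: ${{ steps.plan.outputs.CRITICAL_COUNT }}
            - **High vulnerabilities fixed**: ${{ steps.plan.outputs.HIGH_COUNT }}
            
            ### Changes
            - Updated base images to patched versions
            - Upgraded vulnerable dependencies
            - Applied security configurations
            
            ### Testing
            - ✅ All automated tests passed
            - ✅ Security scans show reduced vulnerabilities
            
            Please review the changes carefully before merging.
            
          branch: security/automated-remediation-${{ github.run_number }}
          delete-branch: true

      - name: Create issues for manual fixes
        # !cancelled() so issues are still filed when the test step fails after
        # automated fixes; if the plan step itself failed the output is empty
        # (not 'true') and this step is skipped.
        if: ${{ !cancelled() && steps.plan.outputs.MANUAL_FIXES_NEEDED == 'true' }}
        env:
          # Assumes the script reads GITHUB_TOKEN to open issues — confirm.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          python scripts/create_remediation_issues.py "$RUNNER_TEMP/remediation_plan.json"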