You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Stand up Trivy as its own security-scan CI gate for the Insight repo — misconfiguration
(IaC / Dockerfile) scanning plus filesystem vulnerability scanning. Split out of the
now-closed omnibus PR #1463 so Trivy can be triaged and ratcheted to blocking independently,
per the acceptance criteria of the security-scanner umbrella #1478 (report-only first → gate
once the baseline is agreed with the team).
Proposed approach
Lift the trivy-config job from the closed PR #1463 (.github/workflows/security-gates.yml)
into its own workflow/job, pinned to aquasecurity/trivy-action by commit SHA:
Goal
Stand up Trivy as its own security-scan CI gate for the Insight repo — misconfiguration
(IaC / Dockerfile) scanning plus filesystem vulnerability scanning. Split out of the
now-closed omnibus PR #1463 so Trivy can be triaged and ratcheted to blocking independently,
per the acceptance criteria of the security-scanner umbrella #1478 (report-only first → gate
once the baseline is agreed with the team).
Proposed approach
Lift the
trivy-configjob from the closed PR #1463 (.github/workflows/security-gates.yml)into its own workflow/job, pinned to
aquasecurity/trivy-actionby commit SHA:scan-type: config,scan-ref: .,severity: CRITICAL,HIGH(Trivy IaC +Dockerfile misconfiguration).
scan-type: fs,severity: CRITICAL,HIGH,ignore-unfixed: true..trivyignore, tracked in Security: trivy-config HIGH misconfigurations — root containers + frontend Deployment securityContext (waivers) #1340 — remove each as the underlying issue is fixed:AVD-DS-0002— container runs as root (build/test/tooling images)AVD-DS-0029— apt-get without--no-install-recommends(toolbox build image)AVD-KSV-0118— frontend Deployment missing securityContextAVD-KSV-0014— frontend Deployment root FS not read-onlyStart report-only, triage the baseline, then flip
exit-code: "1"to make CRITICAL/HIGHblock once findings are agreed with the team.
Acceptance criteria
mainand on a nightly schedule, surfaced in checks / job summary..trivyignorepresent with documented, tracked waivers only.Split from #1463 (closed). Part of #1478 (security-scanner umbrella) → Quality Framework Security vector.