Skip to content

ci(security): Trivy misconfig + fs scan gate — report-only (#1796)#1823

Draft
ktursunov wants to merge 1 commit into
constructorfabric:mainfrom
ktursunov:trivy-scanner
Draft

ci(security): Trivy misconfig + fs scan gate — report-only (#1796)#1823
ktursunov wants to merge 1 commit into
constructorfabric:mainfrom
ktursunov:trivy-scanner

Conversation

@ktursunov

Copy link
Copy Markdown
Contributor

Implements #1796 (part of security-scanner umbrella #1478; split from closed PR #1463).

What

  • .github/workflows/security-trivy.yml — two jobs, CRITICAL,HIGH, on PR→main + nightly schedule + workflow_dispatch, findings in the job summary:
    • trivy-config — IaC + Dockerfile misconfiguration (scan-type: config, scan-ref: .).
    • trivy-fs — filesystem vulnerabilities (scan-type: fs, ignore-unfixed: true).
    • aquasecurity/trivy-action pinned by SHA (@ed142fd…c25 # v0.36.0).
  • .trivyignore — 4 documented, tracked waivers → Security: trivy-config HIGH misconfigurations — root containers + frontend Deployment securityContext (waivers) #1340: AVD-DS-0002, AVD-DS-0029, AVD-KSV-0118, AVD-KSV-0014.

Report-only first (the ratchet)

Both jobs run exit-code: "0" — surfaced, non-blocking. A local baseline (Trivy v0.72.0) found:

  • config: 8 HIGH, all covered by the 4 waivers → 0 actionable.
  • fs: 0 CRITICAL/HIGH — but only src/backend/Cargo.lock is scanned; Python (pyproject-only) and .NET (.csproj-only) deps have no committed lockfiles, so they are currently unscanned.

Follow-ups

  • Flip to exit-code: "1" + add both jobs as required status checks on main, once the team agrees the baseline.
  • Widen trivy fs coverage — commit lockfiles (uv/poetry, packages.lock.json) or scan built images.

Acceptance criteria (#1796)

  • config + fs on PR→main + nightly, in the job summary
  • .trivyignore with documented, tracked waivers only
  • baseline triaged
  • gate threshold agreed + flip to blocking (follow-up)

…uctorfabric#1796)

New .github/workflows/security-trivy.yml runs trivy config (IaC + Dockerfile
misconfig) and trivy fs (filesystem vulns, ignore-unfixed) at CRITICAL,HIGH on
PRs to main + a nightly schedule + workflow_dispatch, aquasecurity/trivy-action
pinned by SHA (v0.36.0), findings in the job summary. New .trivyignore carries 4
documented, tracked waivers (AVD-DS-0002, AVD-DS-0029, AVD-KSV-0118, AVD-KSV-0014)
per constructorfabric#1340. Report-only first per the constructorfabric#1796 ratchet; a local baseline triage found
all config misconfigs waived and the fs scan clean, so a follow-up flip to
blocking + required checks is expected to be zero-disruption.

Part of constructorfabric#1478; split from closed PR constructorfabric#1463.

Signed-off-by: Konstantin Tursunov <Konstantin.Tursunov@constructor.tech>
Co-authored-by: Constructor Studio <291158726+constructor-studio[bot]@users.noreply.github.com>
Studio-Generated-By: Constructor Studio
Studio-Source-Repo: https://github.com/constructorfabric/studio
Constructor-Fabric: https://github.com/constructorfabric
Studio-Version: skill=1.5.9, cli=1.5.9
Studio-Workflows: cf-plan,cf-analyze,cf-write-skills
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 220b79f1-b40c-490b-9b47-5732a4ae7526

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant