Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
83 changes: 83 additions & 0 deletions .github/workflows/security-trivy.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
# Security — Trivy (issue #1796, part of security-scanner umbrella #1478).
#
# Two scans over the whole repo at CRITICAL,HIGH severity:
# - trivy-config: IaC + Dockerfile misconfiguration (Trivy `config`).
# - trivy-fs: filesystem vulnerabilities (Trivy `fs`, unfixed suppressed).
#
# STATUS: REPORT-ONLY (both jobs, exit-code "0") — findings are surfaced in the
# job summary but never fail the build. This is the first stage of the #1796
# ratchet: report-only first, then flip to blocking once the team agrees on the
# baseline. A local baseline triage (#1796) found all config misconfigs covered
# by .trivyignore waivers and the fs scan clean, so the follow-up flip to
# exit-code "1" on CRITICAL,HIGH is expected to be zero-disruption. When flipping,
# also add "Trivy config (IaC + Dockerfile misconfig)" and "Trivy fs (filesystem
# vulnerabilities)" as REQUIRED status checks on main (branch protection).
# Waivers live in .trivyignore (tracked in #1340).
name: Security — Trivy

on:
pull_request:
branches: [main]
schedule:
- cron: "0 3 * * *" # nightly, 03:00 UTC
workflow_dispatch:

# A new push obsoletes any run still in flight for the same ref — cancel it.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

# Read-only: report-only scanning needs no write scopes. Add security-events:
# write only if a SARIF upload to code-scanning is introduced later.
permissions:
contents: read

jobs:
trivy-config:
name: Trivy config (IaC + Dockerfile misconfig)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- name: Trivy config scan (report-only)
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
scan-type: config
scan-ref: .
severity: CRITICAL,HIGH
exit-code: "0" # report-only; flip to "1" once the baseline is agreed (#1796)
format: table
output: trivy-config.txt
- name: Job summary
if: always()
run: |
{
echo "## Trivy config findings (report-only)"
echo '```'
cat trivy-config.txt 2>/dev/null || echo "(no output produced)"
echo '```'
} >> "$GITHUB_STEP_SUMMARY"

trivy-fs:
name: Trivy fs (filesystem vulnerabilities)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- name: Trivy fs scan (report-only)
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
scan-type: fs
scan-ref: .
severity: CRITICAL,HIGH
ignore-unfixed: true
exit-code: "0" # report-only; flip to "1" once the baseline is agreed (#1796)
format: table
output: trivy-fs.txt
- name: Job summary
if: always()
run: |
{
echo "## Trivy fs findings (report-only)"
echo '```'
cat trivy-fs.txt 2>/dev/null || echo "(no output produced)"
echo '```'
} >> "$GITHUB_STEP_SUMMARY"
28 changes: 28 additions & 0 deletions .trivyignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
# .trivyignore — Trivy misconfiguration waivers.
#
# POLICY: every entry below MUST be a documented, tracked waiver. No undocumented
# suppressions. Each waiver is tracked in constructorfabric/insight#1340 and MUST
# be removed as its underlying issue is fixed. See issue #1796 for context.

# AVD-DS-0002 — image runs as root (build/test/tooling images that set no USER):
# deploy/seed/Dockerfile
# src/ingestion/tools/toolbox/Dockerfile
# src/ingestion/tools/declarative-connector/Dockerfile
# src/ingestion/tests/e2e/compose/Dockerfile.runner
# Tracked: #1340. Remove once these images drop to a non-root USER.
AVD-DS-0002

# AVD-DS-0029 — apt-get install without --no-install-recommends
# (src/ingestion/tools/toolbox/Dockerfile: the `apt-get install -y nodejs` line).
# Tracked: #1340. Remove once that line adds --no-install-recommends.
AVD-DS-0029

# AVD-KSV-0118 — Deployment missing securityContext
# (src/frontend/helm/templates/deployment.yaml). Tracked: #1340.
# Remove once a securityContext is set on the pod/containers.
AVD-KSV-0118

# AVD-KSV-0014 — root filesystem not read-only
# (src/frontend/helm/templates/deployment.yaml). Tracked: #1340.
# Remove once readOnlyRootFilesystem: true is set.
AVD-KSV-0014
Loading