microsoft · PabloZaiden · May 26, 2026 · May 21, 2026 · May 21, 2026 · May 22, 2026
@@ -3,6 +3,7 @@ set -euo pipefail
 
 ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 GITLEAKS_VERSION="8.30.0"
+TRIVY_VERSION="0.70.0"
 
 install_gitleaks() {
   local os arch archive url install_dir
@@ -30,12 +31,57 @@ install_gitleaks() {
   export PATH="${install_dir}:${PATH}"
 }
 
+install_trivy() {
+  local os arch archive url install_dir
+
+  os="$(uname -s)"
+  case "${os}" in
+    Linux | Darwin) ;;
+    *)
+      echo "Unsupported OS for automatic Trivy install: ${os}" >&2
+      exit 1
+      ;;
+  esac
+
+  arch="$(uname -m)"
+  case "${arch}" in
+    x86_64 | amd64) arch="64bit" ;;
+    aarch64 | arm64) arch="ARM64" ;;
+    *)
+      echo "Unsupported architecture for automatic Trivy install: ${arch}" >&2
+      exit 1
+      ;;
+  esac
+
+  install_dir="${HOME}/.local/bin"
+  mkdir -p "${install_dir}"
+
+  archive="$(mktemp)"
+  url="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_${os}-${arch}.tar.gz"
+  curl --location --fail --silent --show-error --output "${archive}" "${url}"
+  tar -xzf "${archive}" -C "${install_dir}" trivy
+  rm -f "${archive}"
+  chmod +x "${install_dir}/trivy"
+  export PATH="${install_dir}:${PATH}"
+}
+
 if ! command -v gitleaks >/dev/null 2>&1; then
   install_gitleaks
 fi
 
+if ! command -v trivy >/dev/null 2>&1; then
+  install_trivy
+fi
+
 gitleaks detect \
   --config "${ROOT_DIR}/.github/linters/.gitleaks.toml" \
   --redact=90 \
   --source "${ROOT_DIR}" \
   --no-banner
+
+trivy fs \
+  --scanners vuln,secret,misconfig \
+  --severity HIGH,CRITICAL \
+  --exit-code 1 \
+  --ignore-unfixed \
+  "${ROOT_DIR}"
@@ -2,16 +2,63 @@
 set -euo pipefail
 
 ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+TRIVY_VERSION="0.70.0"
+
+install_trivy() {
+	local os arch archive url install_dir
+
+	os="$(uname -s)"
+	case "${os}" in
+		Linux | Darwin) ;;
+		*)
+			echo "Unsupported OS for automatic Trivy install: ${os}" >&2
+			exit 1
+			;;
+	esac
+
+	arch="$(uname -m)"
+	case "${arch}" in
+		x86_64 | amd64) arch="64bit" ;;
+		aarch64 | arm64) arch="ARM64" ;;
+		*)
+			echo "Unsupported architecture for automatic Trivy install: ${arch}" >&2
+			exit 1
+			;;
+	esac
+
+	install_dir="${HOME}/.local/bin"
+	mkdir -p "${install_dir}"
+
+	archive="$(mktemp)"
+	url="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_${os}-${arch}.tar.gz"
+	curl --location --fail --silent --show-error --output "${archive}" "${url}"
+	tar -xzf "${archive}" -C "${install_dir}" trivy
+	rm -f "${archive}"
+	chmod +x "${install_dir}/trivy"
+	export PATH="${install_dir}:${PATH}"
+}
+
+if ! command -v trivy >/dev/null 2>&1; then
+	install_trivy
+fi
 
 build_container() {
 	local name="$1"
 	local dir="$2"
+	local image="$3"
 
 	echo "Building ${name} container..."
-	docker build --quiet "${dir}" >/dev/null
+	docker build --quiet --tag "${image}" "${dir}" >/dev/null
+
+	echo "Scanning ${name} container..."
+	trivy image \
+		--severity HIGH,CRITICAL \
+		--exit-code 1 \
+		--ignore-unfixed \
+		"${image}"
 }
 
-build_container "OpenAI Agents SDK API" "${ROOT_DIR}/reference-architectures/app/api/typescript/openai-agents-sdk"
-build_container "Foundry Agent Service API" "${ROOT_DIR}/reference-architectures/app/api/typescript/foundry-agent-service"
-build_container "React frontend" "${ROOT_DIR}/reference-architectures/app/frontend/typescript/react"
-build_container "Microsoft Agent Framework API" "${ROOT_DIR}/reference-architectures/app/api/csharp/microsoft-agent-framework"
+build_container "OpenAI Agents SDK API" "${ROOT_DIR}/reference-architectures/app/api/typescript/openai-agents-sdk" "caira/openai-agents-sdk-api:validation"
+build_container "Foundry Agent Service API" "${ROOT_DIR}/reference-architectures/app/api/typescript/foundry-agent-service" "caira/foundry-agent-service-api:validation"
+build_container "React frontend" "${ROOT_DIR}/reference-architectures/app/frontend/typescript/react" "caira/react-frontend:validation"
+build_container "Microsoft Agent Framework API" "${ROOT_DIR}/reference-architectures/app/api/csharp/microsoft-agent-framework" "caira/microsoft-agent-framework-api:validation"
@@ -27,6 +27,8 @@ Ask only what is needed to choose components:
 - Prefer small component references over full-stack copying.
 - For scenarios that need OpenAI-compatible endpoints, prefer the Foundry IaC reference unless the user already has endpoints or asks for a different approach.
 - Determine what the user already has before proposing new infrastructure.
+- When possible, prefer managed identities or other passwordless identity patterns over API keys, static credentials, or secrets, unless the user explicitly asks for an API-key- or secret-based approach.
+- Before proposing repository security scans, check whether the target repository already uses or has configured Gitleaks, Trivy, or similar tools for secret, dependency, container, or IaC scanning. If similar scanning is missing, ask whether the user wants to add Gitleaks and/or Trivy scans before implementing them.
 - Keep recommendations focused on the current reference components listed below.
 - Explain which CAIRA paths influenced the recommendation or generated files.
 - Always ask follow-up questions to narrow down the user's needs and avoid unnecessary copying of reference code.