Added trivy.yaml (#1289)

* Added trivy.yaml separately

* fix

* Added Trivy config, ignore, undo ci-cd

* fixes

* Update code

---------

Co-authored-by: Arkadii Yakovets <[email protected]>

Author: Naveen-Pal

.github/workflows/run-ci-cd.yaml

@@ -182,8 +182,8 @@ jobs:
       - name: Run Trivy Repository Scan
         uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
         with:
+          config: trivy.yaml
           scan-type: repo
-          severity: HIGH,CRITICAL
 
   scan-ci-dependencies:
     name: Run CI Denendencies Scan
@@ -197,8 +197,8 @@ jobs:
       - name: Run Trivy Filesystem Scan
         uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
         with:
+          config: trivy.yaml
           scan-type: fs
-          severity: HIGH,CRITICAL
 
   build-staging-images:
     name: Build Staging Images
@@ -269,16 +269,16 @@ jobs:
       - name: Scan backend image
         uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
         with:
+          config: trivy.yaml
           exit-code: 1
           image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-backend:staging
-          severity: HIGH,CRITICAL
 
       - name: Scan frontend image
         uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
         with:
+          config: trivy.yaml
           exit-code: 1
           image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:staging
-          severity: HIGH,CRITICAL
 
   deploy-staging-nest:
     name: Deploy Nest Staging
@@ -433,16 +433,16 @@ jobs:
       - name: Scan backend image
         uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
         with:
+          config: trivy.yaml
           exit-code: 1
           image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-backend:production
-          severity: HIGH,CRITICAL
 
       - name: Scan frontend image
         uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
         with:
+          config: trivy.yaml
           exit-code: 1
           image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:production
-          severity: HIGH,CRITICAL
 
   deploy-production-nest:
     name: Deploy Nest to Production

.trivyignore

@@ -0,0 +1,7 @@
+CVE-2024-55549  # libxslt use-after-free
+CVE-2024-56171  # libxml2 use-after-free
+CVE-2024-8176   # libexpat stack overflow
+CVE-2025-24855  # libxslt use-after-free
+CVE-2025-24928  # libxml2 buffer overflow
+CVE-2025-27113  # libxml2 null dereference
+CVE-2025-31115  # xz heap use-after-free

trivy.yaml

@@ -0,0 +1,17 @@
+filesystem:
+  skip-dirs:
+    - backend/.venv/
+    - frontend/node_modules/
+
+timeout: 10m
+
+vulnerability:
+  ignore-unfixed: true
+  ignorefile: .trivyignore
+  security-checks:
+    - config
+    - secret
+    - vuln
+  severity:
+    - CRITICAL
+    - HIGH