From 5f0b5f71c8f8c4a2b3057bec3a4a3d88b3744bc2 Mon Sep 17 00:00:00 2001 From: Naveen-Pal Date: Sun, 6 Apr 2025 02:24:45 +0530 Subject: [PATCH 1/5] Added trivy.yaml separately --- .github/workflows/run-ci-cd.yaml | 70 --------------------- .github/workflows/trivy.yaml | 105 +++++++++++++++++++++++++++++++ 2 files changed, 105 insertions(+), 70 deletions(-) create mode 100644 .github/workflows/trivy.yaml diff --git a/.github/workflows/run-ci-cd.yaml b/.github/workflows/run-ci-cd.yaml index 0554ead6f6..3c4c3c6edd 100644 --- a/.github/workflows/run-ci-cd.yaml +++ b/.github/workflows/run-ci-cd.yaml @@ -170,36 +170,6 @@ jobs: run: | docker run --env-file frontend/.env.example ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-test-frontend-e2e:latest pnpm run test:e2e - scan-code: - name: Run Code Scan - needs: - - pre-commit - runs-on: ubuntu-latest - steps: - - name: Check out repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - - - name: Run Trivy Repository Scan - uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 - with: - scan-type: repo - severity: HIGH,CRITICAL - - scan-ci-dependencies: - name: Run CI Denendencies Scan - needs: - - pre-commit - runs-on: ubuntu-latest - steps: - - name: Check out repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - - - name: Run Trivy Filesystem Scan - uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 - with: - scan-type: fs - severity: HIGH,CRITICAL - build-staging-images: name: Build Staging Images environment: staging 
@@ -260,26 +230,6 @@ jobs: push: true tags: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:staging - scan-staging-images: - name: Scan Staging Images - needs: - - build-staging-images - runs-on: ubuntu-latest - steps: - - name: Scan backend image - uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 - with: - exit-code: 1 - image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-backend:staging - severity: HIGH,CRITICAL - - - name: Scan frontend image - uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 - with: - exit-code: 1 - image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:staging - severity: HIGH,CRITICAL - deploy-staging-nest: name: Deploy Nest Staging env: @@ -424,26 +374,6 @@ jobs: push: true tags: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:production - scan-production-images: - name: Scan Production Images - needs: - - build-docker-production-images - runs-on: ubuntu-latest - steps: - - name: Scan backend image - uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 - with: - exit-code: 1 - image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-backend:production - severity: HIGH,CRITICAL - - - name: Scan frontend image - uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 - with: - exit-code: 1 - image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:production - severity: HIGH,CRITICAL - deploy-production-nest: name: Deploy Nest to Production env: diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml new file mode 100644 index 0000000000..c3ac94fcd1 --- /dev/null +++ b/.github/workflows/trivy.yaml 
@@ -0,0 +1,105 @@
+name: Security Scans
+
+on:
+ workflow_run:
+ workflows: ["Run CI/CD"]
+ branches:
+ - main
+ types:
+ - completed
+
+env:
+ DOCKERHUB_USERNAME: arkid15r
+
+jobs:
+ scan-repository:
+ name: Repository Scan
+ runs-on: ubuntu-latest
+ if: github.event.workflow_run.conclusion == 'success'
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ - name: Run Trivy repository scan
+ uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
+ with:
+ scan-type: 'repo'
+ severity: 'HIGH,CRITICAL'
+ ignore-unfixed: true
+
+ scan-filesystem:
+ name: Filesystem Scan
+ runs-on: ubuntu-latest
+ if: github.event.workflow_run.conclusion == 'success'
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ - name: Run Trivy filesystem scan
+ uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
+ with:
+ scan-type: 'fs'
+ severity: 'HIGH,CRITICAL'
+ ignore-unfixed: true
+
+ scan-staging-images:
+ name: Scan Staging Images
+ runs-on: ubuntu-latest
+ if: |
+ github.event.workflow_run.conclusion == 'success' &&
+ (github.event.workflow_run.event == 'push' || github.event.workflow_run.event == 'pull_request')
+ steps:
+ - name: Scan frontend image
+ uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
+ with:
+ image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:staging
+ severity: 'HIGH,CRITICAL'
+ ignore-unfixed: true
+ ignore-cves:
+ - CVE-2024-56171
+ - CVE-2024-55549
+ - CVE-2024-8176
+ - CVE-2025-24855
+ - CVE-2025-24928
+ - CVE-2025-27113
+ exit-code: 1
+
+ - name: Scan backend image
+ uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
+ with:
+ image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-backend:staging
+ severity: 'HIGH,CRITICAL'
+ ignore-unfixed: true
+ ignore-cves:
+ - CVE-2025-31115
+ exit-code: 1
+
+ scan-production-images:
+ name: Scan Production Images
+ runs-on: 
ubuntu-latest
+ if: |
+ github.event.workflow_run.conclusion == 'success' &&
+ github.event.workflow_run.event == 'release'
+ steps:
+ - name: Scan frontend image
+ uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
+ with:
+ image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:production
+ severity: 'HIGH,CRITICAL'
+ ignore-unfixed: true
+ ignore-cves:
+ - CVE-2024-56171
+ - CVE-2024-55549
+ - CVE-2024-8176
+ - CVE-2025-24855
+ - CVE-2025-24928
+ - CVE-2025-27113
+ exit-code: 1
+
+ - name: Scan backend image
+ uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
+ with:
+ image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-backend:production
+ severity: 'HIGH,CRITICAL'
+ ignore-unfixed: true
+ ignore-cves:
+ - CVE-2025-31115
+ exit-code: 1
\ No newline at end of file
From 323e14b42ce3182b224d9b209f58b46b5e514b99 Mon Sep 17 00:00:00 2001
From: Naveen-Pal
Date: Sun, 6 Apr 2025 02:27:37 +0530
Subject: [PATCH 2/5] fix
---
 .github/workflows/trivy.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index c3ac94fcd1..f689bc652a 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -102,4 +102,4 @@ jobs:
 ignore-unfixed: true
 ignore-cves:
 - CVE-2025-31115
- exit-code: 1
\ No newline at end of file
+ exit-code: 1
From 6231c820dd2a6b1dfe85a868730cea5bb0869eaa Mon Sep 17 00:00:00 2001
From: Naveen-Pal
Date: Sun, 6 Apr 2025 20:12:14 +0530
Subject: [PATCH 3/5] Added Trivy config, ignore, undo ci-cd
---
 .github/workflows/run-ci-cd.yaml | 70 +++++++++++++++++++++
 .github/workflows/trivy.yaml | 105 -------------------------------
 .trivyignore | 7 +++
 trivy.yaml | 12 ++++
 4 files changed, 89 insertions(+), 105 deletions(-)
 delete mode 100644 .github/workflows/trivy.yaml
 create mode 100644 .trivyignore
 create mode 100644 trivy.yaml
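Review bot: Moving the image scans into a `workflow_run`-triggered workflow turns `exit-code: 1` into an advisory signal: this workflow only starts once `Run CI/CD` has completed, so whatever deploy jobs that pipeline contains have already run before a HIGH/CRITICAL finding can fail anything here, and nothing feeds the verdict back into the pipeline. The `ignore-cves` sequences under `with:` are, as far as I know, not an input `trivy-action` accepts, and `with:` values have to be scalars, so the workflow is likely to be rejected at parse time or the suppressions silently dropped; the supported route is a `.trivyignore` file passed as `trivyignores: .trivyignore` (a later patch in this series does move the list there). `image-ref` also points at the mutable `:staging`/`:production` tags on Docker Hub rather than the digest the triggering run built, so the scan can examine a different image from the one being shipped; record the pushed digest as a build artifact and scan `…@sha256:<digest>`, or scan the image before it is pushed.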
diff --git a/.github/workflows/run-ci-cd.yaml b/.github/workflows/run-ci-cd.yaml index 3c4c3c6edd..a3e7ae7ae7 100644 --- a/.github/workflows/run-ci-cd.yaml +++ b/.github/workflows/run-ci-cd.yaml @@ -170,6 +170,36 @@ jobs: run: | docker run --env-file frontend/.env.example ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-test-frontend-e2e:latest pnpm run test:e2e + scan-code: + name: Run Code Scan + needs: + - pre-commit + runs-on: ubuntu-latest + steps: + - name: Check out repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + + - name: Run Trivy Repository Scan + uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 + with: + scan-type: repo + config: ./trivy.yaml + + scan-ci-dependencies: + name: Run CI Denendencies Scan + needs: + - pre-commit + runs-on: ubuntu-latest + steps: + - name: Check out repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + + - name: Run Trivy Filesystem Scan + uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 + with: + scan-type: fs + config: ./trivy.yaml + build-staging-images: name: Build Staging Images environment: staging @@ -230,6 +260,26 @@ jobs: push: true tags: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:staging + scan-staging-images: + name: Scan Staging Images + needs: + - build-staging-images + runs-on: ubuntu-latest + steps: + - name: Scan backend image + uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 + with: + exit-code: 1 + image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-backend:staging + config: ./trivy.yaml + + - name: Scan frontend image + uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 + with: + exit-code: 1 + image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:staging + config: ./trivy.yaml + deploy-staging-nest: name: Deploy Nest Staging env: 
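Review bot: The re-added `scan-code` and `scan-ci-dependencies` jobs set no `exit-code`, and the `trivy.yaml` they point at does not set one either, so Trivy exits 0 regardless of findings and neither job can ever fail the pipeline — unlike the image-scan steps, which pass `exit-code: 1`. Add `exit-code: 1` under `with:` in both steps (or `exit-code: 1` at the top level of `trivy.yaml` so every scan gates). As far as I can tell `scan-type: repo` and `scan-type: fs` on the same checkout cover largely the same ground, so if the second job is meant to cover CI dependencies only, narrow it with `scan-ref`. The job name `Run CI Denendencies Scan` also carries a typo (`Dependencies`).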
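Review bot: Neither step in `scan-staging-images` is preceded by a checkout, yet both pass `config: ./trivy.yaml`, which (together with the `.trivyignore` it references) lives in the repository; on a fresh runner the file is absent, so Trivy is handed `--config` for a path that does not exist and will either abort the step or, at best, run without the intended severity filter and ignore list. Add `- name: Check out repository` / `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683` as the first step of the job. Whether `deploy-staging-nest` lists this job in its `needs` is outside the hunk; if it does not, `exit-code: 1` fails this job but still does not block the staging deploy.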
@@ -374,6 +424,26 @@ jobs: push: true tags: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:production + scan-production-images: + name: Scan Production Images + needs: + - build-docker-production-images + runs-on: ubuntu-latest + steps: + - name: Scan backend image + uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 + with: + exit-code: 1 + image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-backend:production + config: ./trivy.yaml + + - name: Scan frontend image + uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 + with: + exit-code: 1 + image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:production + config: ./trivy.yaml + deploy-production-nest: name: Deploy Nest to Production env: diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml deleted file mode 100644 index f689bc652a..0000000000 --- a/.github/workflows/trivy.yaml +++ /dev/null 
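Review bot: `scan-production-images` pulls `owasp-nest-backend:production` and `owasp-nest-frontend:production` by mutable tag after `build-docker-production-images` has already pushed them (`push: true` in the context just above), so the registry carries an unscanned `:production` tag by the time the scan runs and anything pulling that tag in the meantime gets it. Prefer scanning the locally built image before `push: true`, or scan the exact digest the build step pushed (`image-ref: …@sha256:<digest>`) so the scanned bytes and the shipped bytes are the same. Like the staging job, this one has no checkout step, so `config: ./trivy.yaml` names a file that is not on the runner; add `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683` as the first step.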
@@ -1,105 +0,0 @@
-name: Security Scans
-
-on:
- workflow_run:
- workflows: ["Run CI/CD"]
- branches:
- - main
- types:
- - completed
-
-env:
- DOCKERHUB_USERNAME: arkid15r
-
-jobs:
- scan-repository:
- name: Repository Scan
- runs-on: ubuntu-latest
- if: github.event.workflow_run.conclusion == 'success'
- steps:
- - name: Checkout code
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- - name: Run Trivy repository scan
- uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
- with:
- scan-type: 'repo'
- severity: 'HIGH,CRITICAL'
- ignore-unfixed: true
-
- scan-filesystem:
- name: Filesystem Scan
- runs-on: ubuntu-latest
- if: github.event.workflow_run.conclusion == 'success'
- steps:
- - name: Checkout code
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- - name: Run Trivy filesystem scan
- uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
- with:
- scan-type: 'fs'
- severity: 'HIGH,CRITICAL'
- ignore-unfixed: true
-
- scan-staging-images:
- name: Scan Staging Images
- runs-on: ubuntu-latest
- if: |
- github.event.workflow_run.conclusion == 'success' &&
- (github.event.workflow_run.event == 'push' || github.event.workflow_run.event == 'pull_request')
- steps:
- - name: Scan frontend image
- uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
- with:
- image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:staging
- severity: 'HIGH,CRITICAL'
- ignore-unfixed: true
- ignore-cves:
- - CVE-2024-56171
- - CVE-2024-55549
- - CVE-2024-8176
- - CVE-2025-24855
- - CVE-2025-24928
- - CVE-2025-27113
- exit-code: 1
-
- - name: Scan backend image
- uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
- with:
- image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-backend:staging
- severity: 'HIGH,CRITICAL'
- ignore-unfixed: true
- ignore-cves:
- - CVE-2025-31115
- exit-code: 1
-
- scan-production-images:
- name: Scan Production Images
- runs-on: 
ubuntu-latest
- if: |
- github.event.workflow_run.conclusion == 'success' &&
- github.event.workflow_run.event == 'release'
- steps:
- - name: Scan frontend image
- uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
- with:
- image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:production
- severity: 'HIGH,CRITICAL'
- ignore-unfixed: true
- ignore-cves:
- - CVE-2024-56171
- - CVE-2024-55549
- - CVE-2024-8176
- - CVE-2025-24855
- - CVE-2025-24928
- - CVE-2025-27113
- exit-code: 1
-
- - name: Scan backend image
- uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
- with:
- image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-backend:production
- severity: 'HIGH,CRITICAL'
- ignore-unfixed: true
- ignore-cves:
- - CVE-2025-31115
- exit-code: 1
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000000..55da52a572
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,7 @@
+CVE-2024-56171
+CVE-2024-55549
+CVE-2024-8176
+CVE-2025-24855
+CVE-2025-24928
+CVE-2025-27113
+CVE-2025-31115
\ No newline at end of file
diff --git a/trivy.yaml b/trivy.yaml
new file mode 100644
index 0000000000..27efc3e91d
--- /dev/null
+++ b/trivy.yaml
@@ -0,0 +1,12 @@
+vulnerability:
+ ignorefile: .trivyignore
+ ignore-unfixed: true
+ security-checks: [vuln, config, secret]
+ severity: [HIGH, CRITICAL]
+
+filesystem:
+ skip-dirs:
+ - frontend/node_modules/
+ - backend/.venv/
+
+timeout: 10m
\ No newline at end of file
From 53afc996b80f2101d76d5c39cc2354827dbec818 Mon Sep 17 00:00:00 2001
From: Naveen-Pal
Date: Sun, 6 Apr 2025 20:14:35 +0530
Subject: [PATCH 4/5] fixes
---
 .trivyignore | 2 +-
 trivy.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.trivyignore b/.trivyignore
index 55da52a572..bd1bc7707c 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -4,4 +4,4 @@ CVE-2024-8176
 CVE-2025-24855
 CVE-2025-24928
 CVE-2025-27113
-CVE-2025-31115
\ No newline at end of file
+CVE-2025-31115
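Review bot: Each of the seven entries in `.trivyignore` suppresses a HIGH/CRITICAL finding globally — for every scan type and every image — with no recorded reason and no expiry. Because the accompanying config asks for `ignore-unfixed: true`, anything that still surfaced and needed ignoring is (if that setting takes effect) a vulnerability for which a fixed package version already exists, so the durable remedy is rebuilding the images on updated base layers rather than silencing the IDs. At minimum give every line a justification and a sunset; Trivy's ignore file should accept an expiry token before the comment, e.g. `CVE-2025-31115 exp:2025-06-30 # xz; fixed package not yet in base image`, so the CVE resurfaces automatically once the date passes. If a suppression is only valid for one image or path, the YAML form (`.trivyignore.yaml`) can scope it instead of ignoring it everywhere.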
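Review bot: `trivy.yaml` sets no `exit-code`, so the two workflow jobs that rely on this file alone (`scan-code` and `scan-ci-dependencies` pass only `config:` and `scan-type:`) never fail on findings; add `exit-code: 1` here so every scan that loads the config gates. `ignore-unfixed: true` is a reasonable noise control, but it also hides base-image CRITICALs with no distro fix yet, so they never appear in any report — worth a comment stating that trade-off next to the key. I am not certain `severity`, `ignorefile` and `security-checks` are read from under `vulnerability:` (or `skip-dirs` from `filesystem:`) by the pinned Trivy version; please confirm the effective flags in a debug run, since Trivy's config loader drops unrecognised keys without an error.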
diff --git a/trivy.yaml b/trivy.yaml index 27efc3e91d..7a1dce89d9 100644 --- a/trivy.yaml +++ b/trivy.yaml @@ -9,4 +9,4 @@ filesystem: - frontend/node_modules/ - backend/.venv/ -timeout: 10m \ No newline at end of file +timeout: 10m From e515ffb5896227d66e3563462c6a41220f80a4fa Mon Sep 17 00:00:00 2001 From: Arkadii Yakovets Date: Sun, 6 Apr 2025 09:25:57 -0700 Subject: [PATCH 5/5] Update code --- .github/workflows/run-ci-cd.yaml | 12 ++++++------ .trivyignore | 14 +++++++------- trivy.yaml | 19 ++++++++++++------- 3 files changed, 25 insertions(+), 20 deletions(-) diff --git a/.github/workflows/run-ci-cd.yaml b/.github/workflows/run-ci-cd.yaml index a3e7ae7ae7..fabd409d20 100644 --- a/.github/workflows/run-ci-cd.yaml +++ b/.github/workflows/run-ci-cd.yaml @@ -182,8 +182,8 @@ jobs: - name: Run Trivy Repository Scan uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 with: + config: trivy.yaml scan-type: repo - config: ./trivy.yaml scan-ci-dependencies: name: Run CI Denendencies Scan @@ -197,8 +197,8 @@ jobs: - name: Run Trivy Filesystem Scan uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 with: + config: trivy.yaml scan-type: fs - config: ./trivy.yaml build-staging-images: name: Build Staging Images @@ -269,16 +269,16 @@ jobs: - name: Scan backend image uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 with: + config: trivy.yaml exit-code: 1 image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-backend:staging - config: ./trivy.yaml - name: Scan frontend image uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 with: + config: trivy.yaml exit-code: 1 image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:staging - config: ./trivy.yaml deploy-staging-nest: name: Deploy Nest Staging 
@@ -433,16 +433,16 @@ jobs: - name: Scan backend image uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 with: + config: trivy.yaml exit-code: 1 image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-backend:production - config: ./trivy.yaml - name: Scan frontend image uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 with: + config: trivy.yaml exit-code: 1 image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:production - config: ./trivy.yaml deploy-production-nest: name: Deploy Nest to Production diff --git a/.trivyignore b/.trivyignore index bd1bc7707c..c2f79ff670 100644 --- a/.trivyignore +++ b/.trivyignore @@ -1,7 +1,7 @@ -CVE-2024-56171 -CVE-2024-55549 -CVE-2024-8176 -CVE-2025-24855 -CVE-2025-24928 -CVE-2025-27113 -CVE-2025-31115 +CVE-2024-55549 # libxslt use-after-free +CVE-2024-56171 # libxml2 use-after-free +CVE-2024-8176 # libexpat stack overflow +CVE-2025-24855 # libxslt use-after-free +CVE-2025-24928 # libxml2 buffer overflow +CVE-2025-27113 # libxml2 null dereference +CVE-2025-31115 # xz heap use-after-free diff --git a/trivy.yaml b/trivy.yaml index 7a1dce89d9..f22b180e13 100644 --- a/trivy.yaml +++ b/trivy.yaml @@ -1,12 +1,17 @@ -vulnerability: - ignorefile: .trivyignore - ignore-unfixed: true - security-checks: [vuln, config, secret] - severity: [HIGH, CRITICAL] - filesystem: skip-dirs: - - frontend/node_modules/ - backend/.venv/ + - frontend/node_modules/ timeout: 10m + +vulnerability: + ignore-unfixed: true + ignorefile: .trivyignore + security-checks: + - config + - secret + - vuln + severity: + - CRITICAL + - HIGH
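Review bot: The new comments name the affected component (`libxml2 use-after-free`) but not why the finding is acceptable to suppress or for how long, which is what the next reader of this file needs; a suppression with no owner or sunset tends to outlive the image that justified it. Trivy's ignore file should accept an expiry token ahead of the comment, e.g. `CVE-2025-31115 exp:2025-07-01 # xz heap use-after-free; awaiting fixed package in base image`, so each line carries both the reason and a date after which the CVE resurfaces. Note the list is global: it silences these IDs for the repo/fs scans as well as every image.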
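Review bot: Several of these keys may be nested where Trivy will not look for them — as far as I recall `severity` and `ignorefile` are top-level keys rather than children of `vulnerability:`, `skip-dirs` and the scanner list live under `scan:` (as `scan.scanners`; `security-checks` is the deprecated flag name), and there is no `filesystem:` section — and Trivy's config loader drops unknown keys without warning, so a misplaced key silently reverts to its default (all severities, default scanners, no ignore file for the image scans). Please verify against the pinned Trivy version's config-file reference or the effective flags in a debug run before relying on the HIGH/CRITICAL filter. The file also still sets no `exit-code`, so the repo and filesystem jobs that pass only `config:` remain non-gating; a layout like the one below would make every scan that loads this file fail on findings.
```yaml
exit-code: 1
ignorefile: .trivyignore
severity:
  - CRITICAL
  - HIGH
timeout: 10m

scan:
  scanners:
    - config
    - secret
    - vuln
  skip-dirs:
    - backend/.venv/
    - frontend/node_modules/

vulnerability:
  ignore-unfixed: true
```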