Merged
Changes from 2 commits
70 changes: 0 additions & 70 deletions .github/workflows/run-ci-cd.yaml
@@ -170,36 +170,6 @@ jobs:
run: |
docker run --env-file frontend/.env.example ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-test-frontend-e2e:latest pnpm run test:e2e

scan-code:
name: Run Code Scan
needs:
- pre-commit
runs-on: ubuntu-latest
steps:
- name: Check out repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683

- name: Run Trivy Repository Scan
uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
with:
scan-type: repo
severity: HIGH,CRITICAL

scan-ci-dependencies:
name: Run CI Denendencies Scan
needs:
- pre-commit
runs-on: ubuntu-latest
steps:
- name: Check out repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683

- name: Run Trivy Filesystem Scan
uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
with:
scan-type: fs
severity: HIGH,CRITICAL

build-staging-images:
name: Build Staging Images
environment: staging
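Review bot: Dropping `scan-code` and `scan-ci-dependencies` removes the two scans that ran alongside `pre-commit` in the same workflow run, i.e. before a change lands; the replacement in `.github/workflows/trivy.yaml` is triggered by `workflow_run` on `main` only, so a PR that introduces a HIGH/CRITICAL dependency is now scanned after it is merged rather than before. Note also that neither removed job set `exit-code`, and `aquasecurity/trivy-action` defaults it to `0`, so these two jobs were informational rather than gating; if the goal is to keep them out of the PR critical path, keeping a non-blocking scan on `pull_request` in the new workflow would preserve pre-merge visibility without blocking merges.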
@@ -260,26 +230,6 @@ jobs:
push: true
tags: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:staging

scan-staging-images:
name: Scan Staging Images
needs:
- build-staging-images
runs-on: ubuntu-latest
steps:
- name: Scan backend image
uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
with:
exit-code: 1
image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-backend:staging
severity: HIGH,CRITICAL

- name: Scan frontend image
uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
with:
exit-code: 1
image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:staging
severity: HIGH,CRITICAL

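Review bot: `scan-staging-images` was the one job in this file that actually failed the pipeline (`exit-code: 1` on HIGH/CRITICAL) once `build-staging-images` had pushed the `:staging` tags, and nothing in this hunk replaces that gate. In the new workflow the same scan runs only after `Run CI/CD` has completed, against the mutable `:staging` tag rather than the image built in this run, so a failing scan no longer stops the push and may inspect a different image than the one just built if the tag has been overwritten in between. If the deploy jobs are meant to depend on a clean scan, the scan has to stay in this workflow (or the deploy job has to move with it), because a job in a `workflow_run`-triggered workflow cannot appear in `needs` here.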
deploy-staging-nest:
name: Deploy Nest Staging
env:
@@ -424,26 +374,6 @@ jobs:
push: true
tags: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:production

scan-production-images:
name: Scan Production Images
needs:
- build-docker-production-images
runs-on: ubuntu-latest
steps:
- name: Scan backend image
uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
with:
exit-code: 1
image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-backend:production
severity: HIGH,CRITICAL

- name: Scan frontend image
uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
with:
exit-code: 1
image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:production
severity: HIGH,CRITICAL

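Review bot: With this job gone, production images are scanned only by `scan-production-images` in `trivy.yaml`, which is gated on `github.event.workflow_run.event == 'release'`. Please confirm that `Run CI/CD` is itself triggered by `release` events: `workflow_run` only fires for events that actually ran the upstream workflow, so if production images are built on a tag push or `workflow_dispatch` instead, that condition is never true and the `:production` images are never scanned. As with staging, the scan now runs after the push rather than blocking it, so a failing scan needs a separate alerting or rollback path to be actionable.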
deploy-production-nest:
name: Deploy Nest to Production
env:
105 changes: 105 additions & 0 deletions .github/workflows/trivy.yaml
@@ -0,0 +1,105 @@
name: Security Scans
Collaborator

Why move this out of the CI/CD scope? I think this way we won't be able to use them in needs sections.


on:
workflow_run:
workflows: ["Run CI/CD"]
branches:
- main
types:
- completed

env:
DOCKERHUB_USERNAME: arkid15r

jobs:
scan-repository:
name: Repository Scan
runs-on: ubuntu-latest
if: github.event.workflow_run.conclusion == 'success'
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Run Trivy repository scan
uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
with:
scan-type: 'repo'
severity: 'HIGH,CRITICAL'
ignore-unfixed: true

scan-filesystem:
name: Filesystem Scan
runs-on: ubuntu-latest
if: github.event.workflow_run.conclusion == 'success'
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Run Trivy filesystem scan
uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
with:
scan-type: 'fs'
severity: 'HIGH,CRITICAL'
ignore-unfixed: true

scan-staging-images:
name: Scan Staging Images
runs-on: ubuntu-latest
if: |
github.event.workflow_run.conclusion == 'success' &&
(github.event.workflow_run.event == 'push' || github.event.workflow_run.event == 'pull_request')
steps:
- name: Scan frontend image
uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
with:
image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:staging
severity: 'HIGH,CRITICAL'
ignore-unfixed: true
ignore-cves:
- CVE-2024-56171
- CVE-2024-55549
- CVE-2024-8176
- CVE-2025-24855
- CVE-2025-24928
- CVE-2025-27113
exit-code: 1

- name: Scan backend image
uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
with:
image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-backend:staging
severity: 'HIGH,CRITICAL'
ignore-unfixed: true
ignore-cves:
- CVE-2025-31115
exit-code: 1
Contributor


🛠️ Refactor suggestion

YAML Scalar Issue for 'ignore-cves' in Backend Staging Image Scan
Similarly, in the backend image scan step (lines 71–73), the ignore-cves field is defined as a sequence with a single item. Converting it to a scalar string will resolve the static analysis warning.

Proposed change:

-          ignore-cves:
-            - CVE-2025-31115
+          ignore-cves: "CVE-2025-31115"
🧰 Tools
🪛 actionlint (1.7.4)

72-72: expected scalar node for string value but found sequence node with "!!seq" tag

(syntax-check)


scan-production-images:
name: Scan Production Images
runs-on: ubuntu-latest
if: |
github.event.workflow_run.conclusion == 'success' &&
github.event.workflow_run.event == 'release'
steps:
- name: Scan frontend image
uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
with:
image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:production
severity: 'HIGH,CRITICAL'
ignore-unfixed: true
ignore-cves:
- CVE-2024-56171
- CVE-2024-55549
- CVE-2024-8176
- CVE-2025-24855
- CVE-2025-24928
- CVE-2025-27113
exit-code: 1

- name: Scan backend image
uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
with:
image-ref: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-backend:production
severity: 'HIGH,CRITICAL'
ignore-unfixed: true
ignore-cves:
- CVE-2025-31115
exit-code: 1
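Review bot: `ignore-cves` is not an input of `aquasecurity/trivy-action`; the runner will warn about an unexpected input and the listed CVEs will not be suppressed, so all four image scans fail on them whether the value is written as a sequence or, per the actionlint warning, as a scalar string. The action's supported mechanism is a `.trivyignore` file in the repository (one CVE id per line, ideally with a comment and an expiry) referenced through the `trivyignores` input; that also keeps the exception list in one reviewed place instead of duplicating it between the staging and production steps, but it requires a checkout step in the image-scan jobs, which currently have none. Separately, `scan-repository` and `scan-filesystem` check out the default branch as it is when the job runs rather than `github.event.workflow_run.head_sha`, so they may scan a later commit than the one whose CI/CD run triggered them; passing `ref: ${{ github.event.workflow_run.head_sha }}` to `actions/checkout` pins the scan to the triggering commit.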
Contributor


🛠️ Refactor suggestion

YAML Scalar Issue for 'ignore-cves' in Production Backend Image Scan
For the production backend image scan (lines 103–105), the ignore-cves parameter should also be a scalar string rather than a list.

Proposed change:

-          ignore-cves:
-            - CVE-2025-31115
+          ignore-cves: "CVE-2025-31115"
🧰 Tools
🪛 actionlint (1.7.4)

104-104: expected scalar node for string value but found sequence node with "!!seq" tag

(syntax-check)