refactor(ci): standardize security scans via Makefile targets

[hassaansaleem28]

Proposed change

Resolves #3615

Description

This PR refactors the CI pipeline to use make targets for security scanning instead of inline configuration in the YAML workflow. This aligns our local development environment with CI/CD and solves the hardcoded configuration issues identified in #3615.

Key Changes

• Dependabot Tracking: Added docker/trivy/Dockerfile to allow Dependabot to track and update the Trivy version automatically.
• Performance: Implemented Docker volume caching (trivy-cache) in the Makefile targets to prevent re-downloading the vulnerability DB on every run.
• CI vs Local Logic: Updated backend/Makefile and frontend/Makefile to support:
  • Local Mode: TRIVY_EXIT_CODE=0 (Runs only misconfigs+vulns and not secrets).
  • CI Mode: TRIVY_EXIT_CODE=1 (Fails the build on Critical/High vulnerabilities, runs misconfigs + secrets + vulns).

Testing

• Verified locally that make security-scan-images runs successfully.
• Verified "Strict Mode" by running make security-scan-backend-image TRIVY_EXIT_CODE=1 (confirmed 0 critical vulnerabilities).

Checklist

• Required: I followed the contributing workflow
• Required: I verified that my code works as intended and resolves the issue as described
• Required: I ran make check-test locally: all warnings addressed, tests passed

[coderabbitai]

Summary by CodeRabbit

• Chores
  • Streamlined security scanning infrastructure with consolidated, Makefile-driven security orchestration
  • Enhanced Docker build configurations with configurable scanning parameters
  • Optimized CI/CD workflow with centralized security scan execution and improved caching mechanisms
  • Updated build artifact and cache management for more efficient deployments

Walkthrough

Replaces explicit Trivy GitHub Action steps with Makefile-driven Trivy scans across CI; adds/updates Makefile targets for code and image scanning, pins Trivy image, updates Trivy config/ignore, and tweaks several docker bind-mounts and a frontend build arg. (50 words)

Changes

Cohort / File(s)	Summary
CI workflow ​.github/workflows/run-ci-cd.yaml	Removed explicit aquasecurity/setup-trivy/trivy-action steps and replaced with Makefile invocations and Trivy DB cache steps; Semgrep step retained (upload removed).
Top-level Makefile & Trivy image Makefile, docker/trivy/Dockerfile	Added security-scan umbrella and subtargets; introduced clean-trivy-cache; switched Trivy base to aquasec/trivy:0.58.0; added SCANNERS default.
Backend scan changes backend/Makefile, backend/...	Parameterized backend image scanning via BACKEND_IMAGE_NAME and IMAGE_SCANNERS; conditional local image build and dockerized Trivy invocation; new security-scan-backend-image target.
Frontend scan & build changes frontend/Makefile, docker/frontend/Dockerfile, frontend/next.config.ts	Added FRONTEND_IMAGE_NAME, IMAGE_SCANNERS, FORCE_STANDALONE build-arg/ENV; conditional local image build and dockerized Trivy scan target; Next config toggles standalone based on FORCE_STANDALONE.
Auxiliary Makefiles backend/apps/owasp/Makefile, cspell/Makefile	Replaced $(PWD) with $(CURDIR) for docker bind-mounts; adjusted docker-run flags for cspell update.
Trivy config & ignore trivy.yaml, trivyignore.yaml	Set exit-code: 1, switched ignore file path to /trivyignore.yaml, enabled report: all and scan.show-suppressed: true; added misconfig ignore entry for Dockerfile USER requirement.
Misc .gitignore, cspell/custom-dict.txt	Ignored .trivy-cache; added AVD and misconfig to custom spell dictionary.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Docs: add security scanning guides and Makefile targets #3525: Introduced/renamed Makefile security-scan targets that CI now invokes.
• CI: cache Trivy vulnerability database for repo and filesystem scans #3290: Changes CI Trivy setup/caching and workflow scan steps overlapping with CI Trivy refactor.
• CI security: Enforce Trivy image scan failures for staging and production #3308: Related updates to CI image-scan jobs and Trivy failure/severity handling.

Suggested labels

docker

Suggested reviewers

• kasya

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: refactoring CI to standardize security scans via Makefile targets, which aligns with the PR's primary objective.
Description check	✅ Passed	The description is well-structured, provides context, lists key changes, mentions testing, and links to issue #3615, clearly relating to the changeset.
Linked Issues check	✅ Passed	The PR directly addresses all objectives from issue #3615: replaced inline Trivy config with Makefile targets in CI workflow [#3615], added Dependabot tracking for docker/trivy [#3615], standardized security scans across local and CI [#3615], and implemented caching [#3615].
Out of Scope Changes check	✅ Passed	Changes to next.config.ts, Dockerfiles, and other files are directly related to centralizing Trivy configuration and supporting CI/local parity, which are within scope of issue #3615.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@Makefile`:
- Around line 116-119: The Makefile Trivy command is missing a line
continuation: add a trailing backslash to the line containing "--config
trivy.yaml" so the final "." token is passed as the scan target to the "fs"
subcommand; update the Makefile rule that builds the Trivy invocation (the lines
using "grep -E '^FROM aquasec/trivy:' ...", "fs", and "--config trivy.yaml") to
include the backslash so "." becomes the target path for the scan.

🧹 Nitpick comments (2)

backend/Makefile (1)

160-162: Typo in comment.

Minor: "defalts" should be "defaults" to match the frontend/Makefile comment.

✏️ Proposed fix

-# vars (defalts for Local dev)
+# Defaults for Local Development
 BACKEND_IMAGE_NAME ?= nest-backend-local
 TRIVY_EXIT_CODE ?= 0

docker/trivy/Dockerfile (1)

1-1: Good approach for Dependabot tracking, but version is outdated.

Using a dedicated Dockerfile to pin the Trivy version enables Dependabot to track and propose updates automatically. However, version 0.58.0 is significantly behind the latest release (0.68.2 as of December 2025). Consider updating to a more recent version or await Dependabot's automated update proposal.

[hassaansaleem28]

@SpruhaCK I’ve updated the PR with the Makefile fixes. CI checks pass (the SonarCloud failure is a known false positive requiring admin approval).

I would love your feedback! If any changes are required, please just tag me.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.26%. Comparing base (b8b0756) to head (3569a01).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #3678   +/-   ##
=======================================
  Coverage   90.26%   90.26%           
=======================================
  Files         463      463           
  Lines       14420    14420           
  Branches     1934     1934           
=======================================
  Hits        13016    13016           
  Misses        987      987           
  Partials      417      417           

Flag	Coverage Δ
backend	90.97% <ø> (ø)
frontend	88.27% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b8b0756...3569a01. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[arkid15r]

A couple things I noticed:

• CI/CD still uses action for code scanning
• there is no way to disable secret scanning locally while keeping it enabled on CI/CD

[SpruhaCK]

Hi @hassaansaleem28,
Currently reviewing the code. I think we also need to add trivy section in .github/dependabot.yml so that docker images will be tracked just like semgrep example (code line 43-46)

• package-ecosystem: docker
  directory: /docker/trivy
  schedule:
  interval: daily

[arkid15r]

I don't think we need a separate target for that if we could control it via options similar to TRIVY_EXIT_CODE -- --scanners vuln depending on the env.

[arkid15r]

It looks like you deleted the configuration I pushed. Please revert.
Where possible params must be taken from trivy configuration file.

[arkid15r]

Is this related to the PR?

[hassaansaleem28]

while not part of the makefile refactor itself, this change is necessary because this pr enforces the trivy security scans.

My local frontend security scan was failing because trivy flags the current glob package (v10.4.5) as a High vulnerability. Since the goal of this PR is to enforce these checks, the pipeline effectively blocks itself without this fix.

should i remove this and do it in a separate pr depends on if you prefer, but it is currently a blocker for this one passing.

[arkid15r]

I believe this is not what we want for dev by default. You probably should set some flag during image local build process.

[hassaansaleem28]

right
I added a flag for that.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

docker/frontend/Dockerfile (1)

55-65: ⚠️ Potential issue | 🟡 Minor

The Dockerfile comment needs updating to reflect the actual version and scope.

Verification confirms tar 7.5.7 correctly addresses all three CVEs:

• CVE-2026-23745: fixed in 7.5.3
• CVE-2026-23950: fixed in 7.5.4
• CVE-2026-24842: fixed in 7.5.7

However, the comment at line 55 states "Fix CVE-2026-23745: Update npm's bundled tar to 7.5.3" while the code uses 7.5.7. Update the comment to accurately reflect that 7.5.7 is required to address all three vulnerabilities.

The atomic operation concern is acceptable since the rm -rf and cp -r sequence is within a single RUN instruction—Docker discards the entire layer on failure.

🤖 Fix all issues with AI agents

In @.github/workflows/run-ci-cd.yaml:
- Around line 147-151: Update the comment text containing the typo "shouldnot"
to "should not" so the inline comment above the "Run Trivy security scan" step
reads correctly; locate the comment string "shouldnot run again" and change it
to "should not run again" (no other behavioral changes required).

🧹 Nitpick comments (2)

trivyignore.yaml (1)

4-7: Add TODO comments with remediation timeline for new CVE suppressions.

The existing CVE-2025-64756 entry includes a TODO comment indicating when it should be removed. The new suppressions for High-severity vulnerabilities should follow the same pattern to ensure they're revisited and not permanently ignored.

Consider adding version-based or date-based TODO comments similar to line 2, e.g.:

# TODO(author): Remove when <package>@<fixed_version> is adopted.

Also, note that CVE-2026-23745, CVE-2026-23950, and CVE-2026-24842 appear to be addressed by the tar 7.5.7 patch in docker/frontend/Dockerfile. Once that patch is confirmed effective across all scanned images, these suppressions may become unnecessary.

backend/Makefile (1)

160-207: LGTM! Minor inconsistency with frontend config path.

The backend security scan targets mirror the frontend implementation correctly, with appropriate separation between local and CI modes.

One minor inconsistency: the backend uses absolute path /trivy.yaml (lines 178, 193) while the frontend uses relative path trivy.yaml (lines 77, 92 in frontend/Makefile). Both work since the file is mounted at /trivy.yaml, but consider aligning them for consistency.

📝 Optional: align with frontend's relative path

 backend-security-scan-image:
 	...
-	    --config /trivy.yaml \
+	    --config trivy.yaml \
 	...

 backend-security-scan-code:
 	...
-	   --config /trivy.yaml \
+	   --config trivy.yaml \
 	...

[cubic-dev-ai]

4 issues found across 8 files (changes from recent commits).

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="frontend/Makefile">

<violation number="1" location="frontend/Makefile:77">
P2: The `trivy.yaml` configuration uses `vulnerability.security-checks`, which is deprecated and likely ignored in Trivy v0.58.0 (which uses `scanners`). If ignored, Trivy will fall back to default scanners (excluding `misconfig`), causing the "config" check mentioned in the echo command to be skipped.

(Based on your team's feedback about keeping CI and security scanner configuration centralized.) [FEEDBACK_USED]</violation>
</file>

<file name="trivyignore.yaml">

<violation number="1" location="trivyignore.yaml:4">
P2: High-severity CVEs are being permanently ignored without any justification or removal criteria. This can hide real vulnerabilities indefinitely. Add a TODO/issue reference and removal plan (or avoid ignoring these CVEs altogether).</violation>
</file>

<file name="backend/Makefile">

<violation number="1" location="backend/Makefile:201">
P3: The PR description states that the local scan "Warns on secrets/vulns", but `TRIVY_SCANNERS` is explicitly set to `vuln,misconfig`, which excludes the `secret` scanner.

If the intention is to scan for secrets locally, add `secret` to the list. If the intention is to skip secrets for performance, please update the PR description to match the code.</violation>
</file>

<file name=".github/workflows/run-ci-cd.yaml">

<violation number="1" location=".github/workflows/run-ci-cd.yaml:147">
P3: Typo in comment: "shouldnot" should be "should not".</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[hassaansaleem28]

@arkid15r Thanks for the detailed feedback. I've pushed updates to address all your points:

• Reverted Config Flag: I reverted the changes to --config trivy.yaml as you requested. The pipeline now correctly respects the config file precedence.

• Makefile Refactor: I removed the separate *-secrets targets. Instead, I introduced a TRIVY_SCANNERS environment variable. The Makefile now uses a single target that defaults to vuln,misconfig for local runs, and CI overrides this variable to include secret scanning. This keeps it DRY and flexible.

• Standalone Output: I removed the hardcoded output: 'standalone' from next.config.ts. I added a FORCE_STANDALONE build argument to the Dockerfile. Now, standalone mode is only enabled explicitly during the Docker build process, keeping the local dev environment standard.

• Trivy Config: I renamed security-checks to scanners and config to misconfig in trivy.yaml to resolve the deprecation warning flagged by the bot.

• Trivy Ignores: I added trivyignore.yaml to temporarily suppress specific high-severity vulnerabilities in cross-spawn and node-tar and reverted that code in frontend/Dockerfile. These are deep dependency issues that require complex package.json overrides. To keep this PR focused on fixing the CI/CD pipeline itself, I've marked them with TODO comments to be addressed in a dedicated frontend dependency PR.

Happy to make the changes if needed again. Learning alot in this.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[cubic-dev-ai]

3 issues found across 10 files (changes from recent commits).

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="Makefile">

<violation number="1" location="Makefile:31">
P2: The `clean-trivy-cache` target will likely fail on Linux systems because the `.trivy-cache` directory is populated by the Docker container running as root.

When `security-scan-code-trivy` runs, Docker creates root-owned files in `.trivy-cache`. The subsequent `rm -rf` command running on the host as a standard user will fail with "Permission denied".

To fix this, perform the cleanup using a Docker container that mounts the directory.</violation>
</file>

<file name=".github/workflows/run-ci-cd.yaml">

<violation number="1" location=".github/workflows/run-ci-cd.yaml:148">
P2: The `Makefile` target `security-scan-code-trivy` does not pass the `TRIVY_EXIT_CODE` environment variable to the Docker container.

This prevents the "Local Mode" (exit code 0) described in the PR from working, as Trivy will fallback to the default `exit-code: 1` defined in `trivy.yaml` when issues are found.

(Based on your team's feedback about verifying changes actually fix the reported issue.) [FEEDBACK_USED]</violation>

<violation number="2" location=".github/workflows/run-ci-cd.yaml:553">
P2: The `Makefile` targets for image scanning also fail to pass `TRIVY_EXIT_CODE` to the Docker container, making the "Strict Mode" and "Local Mode" configuration dependent solely on `trivy.yaml` rather than the environment variable.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[arkid15r]

This is good but could have been better -- see 8c0cf8b

It has some room for optimization but overall should work. Feel free to improve.

[arkid15r]

You didn't run make check

[hassaansaleem28]

right, I missed that step this time. I've made a note to strictly run make check before every push from now on. Thanks for headsup.

[hassaansaleem28]

This is good but could have been better -- see 8c0cf8b

It has some room for optimization but overall should work. Feel free to improve.

Thanks for merging and for the follow up commit! I just reviewed 8c0cf8b it is a much, much cleaner approach. I appreciate you showing the optimized way.

I'll ensure the future PRs meets this standard.