OWASP · arkid15r · Feb 5, 2026 · Jan 30, 2026 · Jan 30, 2026 · Jan 30, 2026
@@ -45,6 +45,11 @@ updates:
     schedule:
       interval: daily
 
+  - package-ecosystem: docker
+    directory: /docker/trivy
+    schedule:
+      interval: daily
+
   - package-ecosystem: github-actions
     directory: /
     schedule:

@@ -137,25 +137,15 @@ jobs:
       - name: Run Semgrep security scan
         run: make security-scan-code-semgrep
 
-      - name: Upload Semgrep report
-        if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
-        with:
-          name: semgrep-results-run-${{ github.run_number }}
-          path: semgrep-security-report.txt
-          retention-days: 14
-
-      - name: Setup Trivy
-        uses: aquasecurity/setup-trivy@3fb12ec12f41e471780db15c232d5dd185dcb514
+      - name: Cache Trivy DB
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306
         with:
-          cache: true
+          path: .trivy-cache
+          key: trivy-${{ runner.os }}-${{ hashFiles('docker/trivy/Dockerfile') }}
+          restore-keys: trivy-${{ runner.os }}-
 
       - name: Run Trivy security scan
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
-        with:
-          scan-type: fs
-          skip-setup-trivy: true
-          trivy-config: trivy.yaml
+        run: make security-scan-code-trivy SCANNERS=misconfig,secret,vuln
     timeout-minutes: 5
 
   run-backend-tests:
@@ -551,28 +541,17 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
-      - name: Setup Trivy
-        uses: aquasecurity/setup-trivy@3fb12ec12f41e471780db15c232d5dd185dcb514
+      - name: Cache Trivy DB
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306
         with:
-          cache: true
+          path: .trivy-cache
+          key: trivy-${{ runner.os }}-${{ hashFiles('docker/trivy/Dockerfile') }}
+          restore-keys: trivy-${{ runner.os }}-
 
-      - name: Scan backend image
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
-        with:
-          exit-code: 1
-          image-ref: owasp/nest:backend-staging
-          scan-type: image
-          skip-setup-trivy: true
-          trivy-config: trivy.yaml
-
-      - name: Scan frontend image
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
-        with:
-          exit-code: 1
-          image-ref: owasp/nest:frontend-staging
-          scan-type: image
-          skip-setup-trivy: true
-          trivy-config: trivy.yaml
+      - name: Run Trivy security scan via Makefile
+        run: |
+          make security-scan-backend-image BACKEND_IMAGE_NAME=owasp/nest:backend-staging
+          make security-scan-frontend-image FRONTEND_IMAGE_NAME=owasp/nest:frontend-staging
     timeout-minutes: 5
 
   deploy-staging-nest:
@@ -921,28 +900,17 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
-      - name: Setup Trivy
-        uses: aquasecurity/setup-trivy@3fb12ec12f41e471780db15c232d5dd185dcb514
+      - name: Cache Trivy DB
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306
         with:
-          cache: true
+          path: .trivy-cache
+          key: trivy-${{ runner.os }}-${{ hashFiles('docker/trivy/Dockerfile') }}
+          restore-keys: trivy-${{ runner.os }}-
 
-      - name: Scan backend image
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
-        with:
-          exit-code: 1
-          image-ref: owasp/nest:backend-production
-          scan-type: image
-          skip-setup-trivy: true
-          trivy-config: trivy.yaml
-
-      - name: Scan frontend image
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
-        with:
-          exit-code: 1
-          image-ref: owasp/nest:frontend-production
-          scan-type: image
-          skip-setup-trivy: true
-          trivy-config: trivy.yaml
+      - name: Run Trivy security scan via Makefile
+        run: |
+          make security-scan-backend-image BACKEND_IMAGE_NAME=owasp/nest:backend-production
+          make security-scan-frontend-image FRONTEND_IMAGE_NAME=owasp/nest:frontend-production
     timeout-minutes: 5
 
   deploy-production-nest:

@@ -22,6 +22,7 @@ backend/fuzzing_results/
 .python_history
 .python-version
 .ruff_cache
+.trivy-cache
 .venv/
 .vscode
 *.bak

@@ -3,7 +3,10 @@ include cspell/Makefile
 include docs/Makefile
 include frontend/Makefile
 
-.PHONY: build clean check pre-commit prune run scan-images security-scan test update
+.PHONY: build clean check pre-commit prune run scan-images security-scan security-scan-code \
+	security-scan-code-semgrep security-scan-code-trivy security-scan-images \
+	security-scan-backend-image security-scan-frontend-image test update \
+	clean-trivy-cache
 
 MAKEFLAGS += --no-print-directory
 
@@ -12,7 +15,8 @@ build:
 
 clean: \
 	clean-dependencies \
-	clean-docker
+	clean-docker \
+	clean-trivy-cache
 
 clean-dependencies: \
 	clean-backend-dependencies \
@@ -23,6 +27,9 @@ clean-docker: \
 	clean-docs-docker \
 	clean-frontend-docker
 
+clean-trivy-cache:
+	@rm -rf $(CURDIR)/.trivy-cache
+
 check: \
 	check-spelling \
 	check-backend \
@@ -70,7 +77,8 @@ security-scan-images: \
 
 security-scan-code-semgrep:
 	@echo "Running Semgrep security scan..."
-	@docker run --rm \
+	@docker run \
+		--rm \
 		-v "$(PWD):/src" \
 		-w /src \
 		$$(grep -E '^FROM semgrep/semgrep:' docker/semgrep/Dockerfile | sed 's/^FROM //') \
@@ -104,17 +112,21 @@ security-scan-code-semgrep:
 			--timeout-threshold 3 \
 			--text \
 			--text-output=semgrep-security-report.txt \
-			.
+	.
+
+SCANNERS ?= misconfig,vuln
 
 security-scan-code-trivy:
 	@echo "Running Trivy security scan..."
 	@docker run \
 		--rm \
-		-v "$(PWD):/src" \
-		-w /src \
-		aquasec/trivy fs \
-			--config trivy.yaml \
-			.
+		-e TRIVY_SCANNERS="$(SCANNERS)" \
+		-v $(CURDIR):/src \
+		-v $(CURDIR)/trivyignore.yaml:/trivyignore.yaml:ro \
+		-v $(CURDIR)/trivy.yaml:/trivy.yaml:ro \
+		-v $(CURDIR)/.trivy-cache:/root/.cache/trivy \
+		$$(grep -E '^FROM aquasec/trivy:' docker/trivy/Dockerfile | sed 's/^FROM //') \
+		fs --config /trivy.yaml /src
 
 test: \
 	test-nest-app

@@ -157,13 +157,24 @@ save-backup:
 	@CMD="python manage.py dumpdata --natural-primary --natural-foreign --indent=2" $(MAKE) exec-backend-command > backend/data/backup.json
 	@gzip backend/data/backup.json
 
-security-scan-backend-image: build-backend-local-image
-	@trivy image \
-		--config trivy.yaml \
-		--docker-host $$(docker context inspect --format '{{.Endpoints.docker.Host}}' 2>/dev/null) \
-		--exit-code 1 \
-		--severity CRITICAL,HIGH \
-		nest-backend-local
+# vars (defaults for local dev)
+BACKEND_IMAGE_NAME ?= nest-backend-local
+IMAGE_SCANNERS ?= misconfig,secret,vuln
+
+security-scan-backend-image:
+	@if [ "$(BACKEND_IMAGE_NAME)" = "nest-backend-local" ]; then \
+		$(MAKE) build-backend-local-image; \
+	fi
+	@echo "Scanning image: $(BACKEND_IMAGE_NAME)..."
+	@docker run \
+		--rm \
+		-e TRIVY_SCANNERS="$(IMAGE_SCANNERS)" \
+		-v $(CURDIR)/trivyignore.yaml:/trivyignore.yaml:ro \
+	    -v /var/run/docker.sock:/var/run/docker.sock \
+	    -v $(CURDIR)/trivy.yaml:/trivy.yaml:ro \
+	    -v $(CURDIR)/.trivy-cache:/root/.cache/trivy \
+	    $$(grep -E '^FROM aquasec/trivy:' docker/trivy/Dockerfile | sed 's/^FROM //') \
+	    image --config /trivy.yaml $(BACKEND_IMAGE_NAME)
 
 shell-backend:
 	@CMD="/bin/sh" $(MAKE) exec-backend-command-it

@@ -41,7 +41,7 @@ owasp-generate-community-snapshot-video:
 	@mkdir -p backend/generated_videos
 	@docker run \
 		--env-file backend/.env \
-		--mount type=bind,src="$(PWD)/backend/generated_videos",dst=/home/owasp/generated_videos \
+		--mount type=bind,src="$(CURDIR)/backend/generated_videos",dst=/home/owasp/generated_videos \
 		--network nest-local_nest-network \
 		--rm \
 		nest-snapshot-video \

@@ -11,15 +11,16 @@ cspell-check: cspell-install cspell-run
 
 cspell-run:
 	@docker run \
-		--mount type=bind,src="$(PWD)",dst=/nest \
+		--mount type=bind,src="$(CURDIR)",dst=/nest \
 		--rm \
 		cspell -c cspell/cspell.json "$(CMD)"
 
 update-cspell-dependencies: cspell-install
 	@-docker run \
-		-it \
-		--mount type=bind,src="$(PWD)",dst=/nest \
 		--entrypoint=/bin/sh \
-		--workdir=/nest/cspell \
+		--interactive \
+		--mount type=bind,src="$(CURDIR)",dst=/nest \
 		--rm \
+		--tty \
+		--workdir=/nest/cspell \
 		cspell -c "pnpm install && pnpm upgrade && rm -rf ./node_modules"
@@ -1,3 +1,4 @@
+AVD
 Agentic
 Agsoc
 Aichi
@@ -127,6 +128,7 @@ menteemodule_set
 mentees
 mern
 millify
+misconfig
 mkv
 mpim
 navlink

@@ -33,6 +33,9 @@ COPY --chmod=444 .env .pnpmrc next.config.ts postcss.config.js tailwind.config.m
 COPY --chmod=555 public public
 COPY --chmod=555 src src
 
+ARG FORCE_STANDALONE
+ENV FORCE_STANDALONE=$FORCE_STANDALONE
+
 # Next.js collects completely anonymous telemetry data about general usage.
 # Learn more here: https://nextjs.org/telemetry
 ENV NEXT_TELEMETRY_DISABLED=1

@@ -0,0 +1 @@
+FROM aquasec/trivy:0.58.0
@@ -2,6 +2,7 @@ SHELL := /bin/bash
 
 build-frontend-local-image:
 	@DOCKER_BUILDKIT=1 NEXT_PUBLIC_ENVIRONMENT=local docker build \
+	    --build-arg FORCE_STANDALONE=yes \
 		--no-cache \
 		-f docker/frontend/Dockerfile \
 		-t nest-frontend-local \
@@ -56,13 +57,23 @@ generate-graphql-types:
 	|| (printf "pnpm run graphql-codegen"; for i in $$(seq 1 49); do printf "."; done; printf "\033[37;41mFailed\033[0m\n" \
 		&& pnpm run graphql-codegen))
 
-security-scan-frontend-image: build-frontend-local-image
-	@trivy image \
-		--config trivy.yaml \
-		--docker-host $$(docker context inspect --format '{{.Endpoints.docker.Host}}' 2>/dev/null) \
-		--exit-code 1 \
-		--severity CRITICAL,HIGH \
-		nest-frontend-local
+FRONTEND_IMAGE_NAME ?= nest-frontend-local
+IMAGE_SCANNERS ?= misconfig,secret,vuln
+
+security-scan-frontend-image:
+	@if [ "$(FRONTEND_IMAGE_NAME)" = "nest-frontend-local" ]; then \
+		$(MAKE) build-frontend-local-image; \
+	fi
+	@echo "Scanning image: $(FRONTEND_IMAGE_NAME)..."
+	@docker run \
+		--rm \
+		-e TRIVY_SCANNERS="$(IMAGE_SCANNERS)" \
+		-v /var/run/docker.sock:/var/run/docker.sock \
+		-v $(CURDIR)/trivy.yaml:/trivy.yaml:ro \
+		-v $(CURDIR)/trivyignore.yaml:/trivyignore.yaml:ro \
+		-v $(CURDIR)/.trivy-cache:/root/.cache/trivy \
+		$$(grep -E '^FROM aquasec/trivy:' docker/trivy/Dockerfile | sed 's/^FROM //') \
+		image --config /trivy.yaml $(FRONTEND_IMAGE_NAME)
 
 shell-frontend:
 	@CMD="/bin/sh" $(MAKE) exec-frontend-command-it

@@ -1,6 +1,7 @@
 import { withSentryConfig } from '@sentry/nextjs'
 import type { NextConfig } from 'next'
 
+const forceStandalone = process.env.FORCE_STANDALONE === 'yes'
 const isLocal = process.env.NEXT_PUBLIC_ENVIRONMENT === 'local'
 
 const nextConfig: NextConfig = {
@@ -33,7 +34,7 @@ const nextConfig: NextConfig = {
   productionBrowserSourceMaps: true,
   serverExternalPackages: ['import-in-the-middle', 'require-in-the-middle'],
   transpilePackages: ['@react-leaflet/core', 'leaflet', 'react-leaflet', 'react-leaflet-cluster'],
-  ...(isLocal ? {} : { output: 'standalone' }),
+  ...(isLocal && !forceStandalone ? {} : { output: 'standalone' }),
 }
 
 export default withSentryConfig(nextConfig, {

@@ -1,9 +1,14 @@
+exit-code: 1
+
 filesystem:
   skip-files:
 
-ignorefile: trivyignore.yaml
+ignorefile: /trivyignore.yaml
+
+report: all
 
 scan:
+  show-suppressed: true
   skip-files:
 
 severity:
@@ -15,7 +20,3 @@ timeout: 10m
 
 vulnerability:
   ignore-unfixed: true
-  security-checks:
-    - config
-    - secret
-    - vuln
@@ -1,3 +1,9 @@
+misconfigurations:
+  - id: AVD-DS-0002  # Require non-root USER in Dockerfile.
+    paths:
+      - docker/semgrep/Dockerfile
+      - docker/trivy/Dockerfile
+
 vulnerabilities:
   # TODO(arkid15r): Remove when v5.9.3 is no longer current.
   - id: CVE-2025-64756  # glob: Command Injection Vulnerability via Malicious Filenames.
-Original file line number
+Diff line change
@@ -1,3 +1,4 @@
+    AVD
     Agentic
     Agsoc
     Aichi
@@ Expand Down Expand Up / @@ -127,6 +128,7 @@ menteemodule_set @@
     mentees
     mern
     millify
+    misconfig
     mkv
     mpim
     navlink
@@ Expand Down @@