TehRiehlDeal efd073ebe1
CI / secrets-scan (push) Successful in 6s
CI / sast (push) Successful in 13s
CI / vuln-scan (push) Successful in 15s
CI / build-images (push) Successful in 3m22s
CI / test (push) Successful in 26s
CI / lint (push) Successful in 28s
CI / push (push) Has been skipped
CI / image-scan (push) Failing after 16s
fix(ci): pass trivy image scans
Three independent issues caused 35 + 15 HIGH/CRITICAL findings:

1. Client base — nginx:1.27-alpine pulled Alpine 3.21.3, which
   carries old libcrypto3/libssl3/libpng/libxml2/musl/nghttp2/zlib.
   Bumped to nginx:1.29-alpine and added `apk update && apk
   upgrade --no-cache` so the layer pulls every available patch
   in the current Alpine repo. Verified: 0 findings.

2. Server runtime — npm/yarn/corepack ship bundled inside the
   node:20-alpine image at /usr/local/lib/node_modules/npm/...
   They drag in cross-spawn, glob, minimatch, tar, and friends —
   all of which had HIGH CVEs. We never invoke them at runtime
   (CMD is `node dist/main.js`); deleting them in the runtime
   stage cuts 11 of the 15 findings. Also added `apk upgrade`
   for parity with the client.

3. Multer transitive — @nestjs/platform-express pulls in
   multer 2.0.2 which has three HIGH CVEs (fixed in 2.1.1).
   Added a pnpm `overrides` entry to pin it.

For the remaining lodash CVE-2026-4800: Trivy lists 4.18.0 as
the fixed version, but that release isn't published on npm. Added
.trivyignore + wired --ignorefile into the trivy invocations,
with a comment explaining why and when to re-evaluate.

Verification (local builds + trivy scans):
- teh-riehl-server: 0 HIGH/CRITICAL across all targets.
- teh-riehl-client: 0 vulnerabilities (alpine 3.23.4).
- Server boots, /api/health returns ok.
- Client serves /config.js with APP_API_BASE_URL override.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-17 16:54:28 -07:00


# Trivy CVE allowlist.
# Format: one CVE ID per line, comments allowed. Used by both fs and image scans.
#
# Each entry below MUST cite why we can't simply upgrade. Re-evaluate quarterly
# (or whenever the fixed version actually publishes to npm).
# lodash CVE-2026-4800: Trivy lists 4.18.0 as the fixed version, but that
# release does not exist on npm (latest stable is still 4.17.21). lodash is
# pulled in transitively via @nestjs's dependency chain; nothing in our code
# imports it directly. Re-check when 4.18.0 is actually published.
CVE-2026-4800
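The allowlist header above states a policy ("each entry MUST cite why") that nothing in the commit enforces; Trivy will happily honour a bare CVE line with no rationale. Below is an added example, not code from the TehRiehlDeal commit or from Trivy, of a small pre-scan lint that enforces the stated format (one CVE ID per line, each directly preceded by a justification comment) and of the `trivy image --ignorefile` invocation the commit message says it wired in. Function names, temp paths and the two sample allowlists are this example's own constructions; the lint is deliberately stricter than Trivy, which also accepts GHSA and other non-CVE IDs in `.trivyignore`.

```shell
#!/bin/sh
# Added example (not part of the commit): lint a .trivyignore against the
# policy in its header, then hand it to Trivy. Names/paths are assumptions.
set -eu

# lint_trivyignore FILE
# Every non-comment, non-blank line must be a CVE ID, optionally followed by
# Trivy's "exp:YYYY-MM-DD" expiry suffix, and must be directly preceded by a
# run of '#' comment lines explaining the exception. One comment run covers
# exactly one entry. Returns 0 when every entry passes, 1 otherwise.
lint_trivyignore() {
  file=$1
  n=0 total=0 justified=0 rejected=0
  in_comment_run=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case $line in
      '#'*) in_comment_run=1; continue ;;   # a (possible) justification
      '')   in_comment_run=0; continue ;;   # blank line ends the run
    esac
    total=$((total + 1))
    if ! printf '%s\n' "$line" |
         grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}( +exp:[0-9]{4}-[0-9]{2}-[0-9]{2})?$'; then
      echo "$file:$n: not a CVE ID: '$line'" >&2
      rejected=$((rejected + 1))
    elif [ "$in_comment_run" -eq 0 ]; then
      echo "$file:$n: $line has no justification comment above it" >&2
      rejected=$((rejected + 1))
    else
      justified=$((justified + 1))
    fi
    in_comment_run=0   # the comment run is consumed by this entry
  done < "$file"
  echo "$file: $total entries, $justified justified, $rejected rejected" >&2
  [ "$rejected" -eq 0 ]
}

# scan_image IGNOREFILE IMAGE
# The invocation pattern the commit describes: fail the job on any HIGH or
# CRITICAL finding that is not allowlisted. Not run below; it needs the trivy
# binary and network access to the vulnerability database.
scan_image() {
  command -v trivy >/dev/null 2>&1 || { echo "trivy not installed" >&2; return 127; }
  lint_trivyignore "$1" || return 1
  trivy image --ignorefile "$1" --severity HIGH,CRITICAL --exit-code 1 "$2"
}

# Constructed sample allowlists (not the repo's file): one that follows the
# policy and one that breaks it in both ways the lint catches.
workdir=$(mktemp -d)
good_file=$workdir/good.trivyignore
bad_file=$workdir/bad.trivyignore
cat >"$good_file" <<'EOF'
# Trivy CVE allowlist. Each entry MUST cite why we can't simply upgrade.

# lodash CVE-2026-4800: fixed version 4.18.0 is not published on npm.
# Expires so CI forces the re-evaluation the header asks for.
CVE-2026-4800 exp:2026-08-17
EOF
cat >"$bad_file" <<'EOF'
# Trivy CVE allowlist.

CVE-2026-4800
lodash
EOF

if lint_trivyignore "$good_file"; then echo "good: accepted"; fi
if ! lint_trivyignore "$bad_file"; then echo "bad: rejected"; fi
rm -rf "$workdir"
```

Run the lint as its own CI step before the scan (or via `scan_image`), so a bare CVE line fails the job at the same point a HIGH finding would. The `exp:` suffix is Trivy's own `.trivyignore` syntax and is the mechanical form of the header's "re-evaluate quarterly": once the date passes, Trivy stops ignoring the finding and the scan goes red again instead of relying on someone remembering to re-check npm for lodash 4.18.0.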