chore(ci): replace pnpm audit with Trivy setup and filesystem scan for vulnerability assessment

2026-05-25 12:04:48 +00:00 · 2026-04-14 20:11:46 -05:00
parent d880dc2c03
commit fc711ce94a
4 changed files with 28 additions and 22 deletions
@@ -52,10 +52,10 @@ jobs:
              run: |
                  . scripts/ci/ci-node-path.sh
                  task deps:fe
-            - name: pnpm audit
-              run: |
-                  . scripts/ci/ci-node-path.sh
-                  pnpm audit --audit-level=high
+            - name: Setup Trivy
+              run: sh scripts/ci/setup-trivy.sh
+            - name: Trivy filesystem scan (Node deps)
+              run: sh scripts/ci/trivy-fs-scan.sh
            - name: Lint
              run: |
                  . scripts/ci/ci-node-path.sh
@@ -90,10 +90,10 @@ jobs:
              run: |
                  . scripts/ci/ci-node-path.sh
                  task deps:fe
-            - name: pnpm audit
-              run: |
-                  . scripts/ci/ci-node-path.sh
-                  pnpm audit --audit-level=high
+            - name: Setup Trivy
+              run: sh scripts/ci/setup-trivy.sh
+            - name: Trivy filesystem scan (Node deps)
+              run: sh scripts/ci/trivy-fs-scan.sh
            - name: Determine version
              id: version
              run: |
@@ -170,10 +170,10 @@ jobs:
              run: |
                  poetry run pip install --upgrade "pip>=26.0" pip-audit
                  poetry run pip-audit
-            - name: pnpm audit
-              run: |
-                  . scripts/ci/ci-node-path.sh
-                  pnpm audit --audit-level=high
+            - name: Setup Trivy
+              run: sh scripts/ci/setup-trivy.sh
+            - name: Trivy filesystem scan (Node deps)
+              run: sh scripts/ci/trivy-fs-scan.sh
            - name: Run language tests
              run: |
                  . scripts/ci/ci-node-path.sh
@@ -44,18 +44,11 @@ jobs:
                  . scripts/ci/ci-node-path.sh
                  task deps:fe

-            - name: pnpm audit
-              run: |
-                  . scripts/ci/ci-node-path.sh
-                  pnpm audit --audit-level=high
-
-            - name: Download Trivy
-              run: |
-                  curl -L -o /tmp/trivy.deb https://git.quad4.io/Quad4-Software/Trivy-Assets/raw/commit/fdfe96b77d2f7b7f5a90cea00af5024c9f728f17/trivy_0.69.3_Linux-64bit.deb
-                  sh scripts/ci/exec-priv.sh dpkg -i /tmp/trivy.deb || sh scripts/ci/exec-priv.sh apt-get install -f -y
+            - name: Setup Trivy
+              run: sh scripts/ci/setup-trivy.sh

            - name: Trivy FS scan
-              run: trivy fs --exit-code 1 --skip-dirs .pnpm-store .
+              run: sh scripts/ci/trivy-fs-scan.sh

            - name: Trivy Dockerfile misconfiguration
              run: trivy config --exit-code 1 Dockerfile
@@ -0,0 +1,7 @@
+#!/bin/sh
+# Install Trivy .deb for CI (same package as scan / docker workflows).
+set -eu
+
+curl -fsSL -o /tmp/trivy.deb https://git.quad4.io/Quad4-Software/Trivy-Assets/raw/commit/fdfe96b77d2f7b7f5a90cea00af5024c9f728f17/trivy_0.69.3_Linux-64bit.deb
+sh scripts/ci/exec-priv.sh dpkg -i /tmp/trivy.deb || sh scripts/ci/exec-priv.sh apt-get install -f -y
+trivy --version
@@ -0,0 +1,6 @@
+#!/bin/sh
+# Filesystem vulnerability scan for Node (lockfiles, manifests). Replaces pnpm audit
+# while the npm registry legacy audit endpoints are unavailable to pnpm (HTTP 410).
+set -eu
+
+exec trivy fs --exit-code 1 --severity HIGH,CRITICAL --skip-dirs .pnpm-store .