From fc711ce94a1acf778bed04af0e00915fcf0ff829 Mon Sep 17 00:00:00 2001
From: Ivan
Date: Tue, 14 Apr 2026 20:11:46 -0500
Subject: [PATCH] chore(ci): replace pnpm audit with Trivy setup and filesystem scan for vulnerability assessment

---
 .gitea/workflows/ci.yml | 24 ++++++++++++------------
 .gitea/workflows/scan.yml | 13 +++----------
 scripts/ci/setup-trivy.sh | 7 +++++++
 scripts/ci/trivy-fs-scan.sh | 6 ++++++
 4 files changed, 28 insertions(+), 22 deletions(-)
 create mode 100644 scripts/ci/setup-trivy.sh
 create mode 100644 scripts/ci/trivy-fs-scan.sh

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index b00801a..a017baa 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -52,10 +52,10 @@ jobs:
 run: |
 . scripts/ci/ci-node-path.sh
 task deps:fe
- - name: pnpm audit
- run: |
- . scripts/ci/ci-node-path.sh
- pnpm audit --audit-level=high
+ - name: Setup Trivy
+ run: sh scripts/ci/setup-trivy.sh
+ - name: Trivy filesystem scan (Node deps)
+ run: sh scripts/ci/trivy-fs-scan.sh
 - name: Lint
 run: |
 . scripts/ci/ci-node-path.sh
@@ -90,10 +90,10 @@ jobs:
 run: |
 . scripts/ci/ci-node-path.sh
 task deps:fe
- - name: pnpm audit
- run: |
- . scripts/ci/ci-node-path.sh
- pnpm audit --audit-level=high
+ - name: Setup Trivy
+ run: sh scripts/ci/setup-trivy.sh
+ - name: Trivy filesystem scan (Node deps)
+ run: sh scripts/ci/trivy-fs-scan.sh
 - name: Determine version
 id: version
 run: |
@@ -170,10 +170,10 @@ jobs:
 run: |
 poetry run pip install --upgrade "pip>=26.0" pip-audit
 poetry run pip-audit
- - name: pnpm audit
- run: |
- . scripts/ci/ci-node-path.sh
- pnpm audit --audit-level=high
+ - name: Setup Trivy
+ run: sh scripts/ci/setup-trivy.sh
+ - name: Trivy filesystem scan (Node deps)
+ run: sh scripts/ci/trivy-fs-scan.sh
 - name: Run language tests
 run: |
 . scripts/ci/ci-node-path.sh
diff --git a/.gitea/workflows/scan.yml b/.gitea/workflows/scan.yml
index 9141df1..d47c2ae 100644
--- a/.gitea/workflows/scan.yml
+++ b/.gitea/workflows/scan.yml
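Review bot: The new `Setup Trivy` step in the hunk at -52 is repeated verbatim in the hunks at -90 and -170, so three jobs each download and install the .deb, and presumably each pulls Trivy's vulnerability database on first use. Because `scripts/ci/trivy-fs-scan.sh` runs `trivy fs --exit-code 1`, every copy is an independent hard gate, and a transient download failure in any one of them fails the pipeline. Consider persisting Trivy's cache directory across jobs, or running the dependency scan once in a dedicated job that the others depend on, so the gate and its network dependency exist in one place. The enclosing `jobs:` mapping and each step list start and end outside the hunks.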
@@ -44,18 +44,11 @@ jobs:
 . scripts/ci/ci-node-path.sh
 task deps:fe
- - name: pnpm audit
- run: |
- . scripts/ci/ci-node-path.sh
- pnpm audit --audit-level=high
-
- - name: Download Trivy
- run: |
- curl -L -o /tmp/trivy.deb https://git.quad4.io/Quad4-Software/Trivy-Assets/raw/commit/fdfe96b77d2f7b7f5a90cea00af5024c9f728f17/trivy_0.69.3_Linux-64bit.deb
- sh scripts/ci/exec-priv.sh dpkg -i /tmp/trivy.deb || sh scripts/ci/exec-priv.sh apt-get install -f -y
+ - name: Setup Trivy
+ run: sh scripts/ci/setup-trivy.sh
 - name: Trivy FS scan
- run: trivy fs --exit-code 1 --skip-dirs .pnpm-store .
+ run: sh scripts/ci/trivy-fs-scan.sh
 - name: Trivy Dockerfile misconfiguration
 run: trivy config --exit-code 1 Dockerfile
diff --git a/scripts/ci/setup-trivy.sh b/scripts/ci/setup-trivy.sh
new file mode 100644
index 0000000..114fc13
--- /dev/null
+++ b/scripts/ci/setup-trivy.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+# Install Trivy .deb for CI (same package as scan / docker workflows).
+set -eu
+
+curl -fsSL -o /tmp/trivy.deb https://git.quad4.io/Quad4-Software/Trivy-Assets/raw/commit/fdfe96b77d2f7b7f5a90cea00af5024c9f728f17/trivy_0.69.3_Linux-64bit.deb
+sh scripts/ci/exec-priv.sh dpkg -i /tmp/trivy.deb || sh scripts/ci/exec-priv.sh apt-get install -f -y
+trivy --version
diff --git a/scripts/ci/trivy-fs-scan.sh b/scripts/ci/trivy-fs-scan.sh
new file mode 100644
index 0000000..f68dee7
--- /dev/null
+++ b/scripts/ci/trivy-fs-scan.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+# Filesystem vulnerability scan for Node (lockfiles, manifests). Replaces pnpm audit
+# while the npm registry legacy audit endpoints are unavailable to pnpm (HTTP 410).
+set -eu
+
+exec trivy fs --exit-code 1 --severity HIGH,CRITICAL --skip-dirs .pnpm-store .
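Review bot: Replacing `run: trivy fs --exit-code 1 --skip-dirs .pnpm-store .` with `run: sh scripts/ci/trivy-fs-scan.sh` quietly narrows the scan workflow's gate, because the script added in this commit passes `--severity HIGH,CRITICAL` while the removed line used Trivy's default of all severities, so MEDIUM and LOW findings that previously failed this workflow no longer do. The subject line describes only a pnpm-audit replacement, so the change in policy is easy to miss. If the narrower threshold is intended for scan.yml as well, say so in the commit message; otherwise make the threshold overridable in the script, e.g. `exec trivy fs --exit-code 1 --severity "${SCAN_SEVERITY:-HIGH,CRITICAL}" --skip-dirs .pnpm-store .` (variable name constructed), and set it to the full list in this workflow's step `env`. The step list this hunk edits begins and ends outside the hunk.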
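Review bot: The downloaded package is installed with elevated privilege via `sh scripts/ci/exec-priv.sh dpkg -i /tmp/trivy.deb` without any integrity check; pinning the URL to a commit fixes which bytes the forge should serve, but nothing verifies what actually arrived over the network. Add a digest check between the `curl` and `dpkg` lines, e.g. `echo "<EXPECTED_SHA256>  /tmp/trivy.deb" | sha256sum -c -` with the digest recorded alongside the pinned URL, so a truncated or substituted download cannot reach `dpkg -i`. A secondary point: the `|| sh scripts/ci/exec-priv.sh apt-get install -f -y` fallback also runs when `dpkg -i` fails for a reason other than missing dependencies (a corrupt .deb, for instance), and `apt-get install -f -y` can exit 0 in that case, leaving the trailing `trivy --version` as the only thing that surfaces the problem; a digest check before `dpkg` removes the most likely cause of that path.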
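Review bot: The header comment scopes this script to "Node (lockfiles, manifests)", but `exec trivy fs ... .` walks the whole checkout and reports on every ecosystem Trivy recognises, and by default it presumably also runs Trivy's secret scanner; the ci.yml step name `Trivy filesystem scan (Node deps)` inherits the same narrow wording, and the ci.yml job at -170 already runs `poetry run pip-audit` for Python, so overlapping Python findings may appear here too. Either reword the comment to `# Filesystem vulnerability scan of the whole checkout (every lockfile/manifest Trivy recognises).` followed by the existing pnpm-audit rationale, or restrict the scan so the comment and the gate agree. Note also that the ci.yml scans run after `task deps:fe`, so an installed `node_modules` tree is in scope while only `.pnpm-store` is skipped; if that is not intended, add it to `--skip-dirs`.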