From 942c98d41b4a4928aa0a1b0e4dfefdb4152fe447 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9mie=20Doucy?=
Date: Thu, 2 Apr 2026 17:55:51 +0200
Subject: [PATCH] fix(security): replace deprecated trivy --vuln-type flag and ignore lodash CVE
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- replace --vuln-type with --pkg-types in Makefile, CI workflow, and docs
- add CVE-2026-4800 (lodash 4.17.23) to .trivyignore.yaml — fix in 4.18.1, blocked on upstream deps
---
 .claude/skills/security-check/skill.md | 24 ++++++++++++++++++++++++
 .github/workflows/security.yml | 4 ++--
 .trivyignore.yaml | 3 +++
 Makefile | 4 ++--
 docs/monthly-dependency-check.md | 2 +-
 5 files changed, 32 insertions(+), 5 deletions(-)
 create mode 100644 .claude/skills/security-check/skill.md
diff --git a/.claude/skills/security-check/skill.md b/.claude/skills/security-check/skill.md
new file mode 100644
index 0000000..31c68ae
--- /dev/null
+++ b/.claude/skills/security-check/skill.md
@@ -0,0 +1,24 @@
+---
+name: security-check
+description: Run Trivy vulnerability scan on Docker images (API and Workers). Builds images, scans for CRITICAL/HIGH CVEs, and reports findings.
+user_invocable: true
+---
+
+Run a local Trivy security scan matching the CI pipeline configuration.
+
+## Steps
+
+1. Run `make trivy-scan` from the repo root using the Bash tool. This will:
+ - Build the Docker images (`caseai-connect/api:local` and `caseai-connect/workers:local`)
+ - Scan both images with Trivy for CRITICAL and HIGH vulnerabilities
+ - Apply `.trivyignore.yaml` exclusions
+
+2. If the scan **passes** (exit code 0): report that no unignored CRITICAL/HIGH vulnerabilities were found.
+
+3. If the scan **fails** (exit code 1): parse the Trivy output and for each CVE found:
+ - List the CVE ID, severity, package name, installed version, and fixed version (if available)
+ - Indicate whether a fix is available upstream
+ - Suggest next steps:
+ - If a direct dependency can be updated: suggest the `npm update` or `npm install` command
+ - If blocked on a transitive dependency with no fix: suggest using the `/trivy-ignore` skill to add it to `.trivyignore.yaml`
+ - If a major version bump is needed: flag it for manual review
\ No newline at end of file
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index dd0a154..b4567df 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -36,7 +36,7 @@ jobs:
 format: 'table'
 exit-code: '1'
 ignore-unfixed: true
- vuln-type: 'os,library'
+ pkg-types: 'os,library'
 severity: 'CRITICAL,HIGH'
 trivyignores: '.trivyignore.yaml'
 output: 'trivy-api-results.txt'
@@ -48,7 +48,7 @@ jobs:
 format: 'table'
 exit-code: '1'
 ignore-unfixed: true
- vuln-type: 'os,library'
+ pkg-types: 'os,library'
 severity: 'CRITICAL,HIGH'
 trivyignores: '.trivyignore.yaml'
 output: 'trivy-workers-results.txt'
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
index d6cff6b..fac3a1a 100644
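Review bot: The renamed `pkg-types:` input in both hunks of `.github/workflows/security.yml` is only honoured if the pinned scan action declares an input with that name, and the step's `uses:` line is outside both hunks, so this cannot be checked from the diff. GitHub Actions does not fail a job on an input the action does not define; it logs an "Unexpected input(s)" warning and drops the value, so a mismatch would silently leave package-type selection at the action's default. Confirm the name against the `action.yml` of the pinned version, and keep `vuln-type:` until the pin is bumped if only the old name is accepted. A short comment above the input such as `# input renamed to match trivy's --pkg-types; requires action version <PINNED_VERSION> or later` would record the dependency.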
--- a/.trivyignore.yaml
+++ b/.trivyignore.yaml
@@ -20,3 +20,6 @@ vulnerabilities:
 - id: CVE-2025-32434
 expired_at: 2026-05-01
 reason: "torch 2.5.1+cu121 — fix requires 2.6.0+, blocked by docling compatibility"
+ - id: CVE-2026-4800
+ expired_at: 2026-05-02
+ reason: "lodash 4.17.23 — fix in 4.18.1, blocked by @nestjs/config, llamaindex, @auth0/auth0-spa-js"
diff --git a/Makefile b/Makefile
index baa6a67..f119747 100644
--- a/Makefile
+++ b/Makefile
@@ -61,8 +61,8 @@ check-web-changes:
 # ==============================================================================
 trivy-scan: docker-build
- trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --ignorefile .trivyignore.yaml ${localApiImage}
- trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --ignorefile .trivyignore.yaml ${localWorkersImage}
+ trivy image --ignore-unfixed --pkg-types os,library --severity CRITICAL,HIGH --ignorefile .trivyignore.yaml ${localApiImage}
+ trivy image --ignore-unfixed --pkg-types os,library --severity CRITICAL,HIGH --ignorefile .trivyignore.yaml ${localWorkersImage}
 docker-build: docker-build-api docker-build-workers
diff --git a/docs/monthly-dependency-check.md b/docs/monthly-dependency-check.md
index 4088cd3..d5c211c 100644
--- a/docs/monthly-dependency-check.md
+++ b/docs/monthly-dependency-check.md
@@ -83,7 +83,7 @@ make trivy-scan
 `make trivy-scan` runs trivy against both `caseai-connect/api:local` and `caseai-connect/workers:local` images with:
 - `--ignore-unfixed` — only report CVEs that have a fix available
-- `--vuln-type os,library` — scan OS packages and language libraries
+- `--pkg-types os,library` — scan OS packages and language libraries
 - `--severity CRITICAL,HIGH` — ignore low/medium findings
 - `--ignorefile .trivyignore.yaml` — skip acknowledged upstream CVEs
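Review bot: The new `CVE-2026-4800` entry carries no `purls` or `paths` scope, so it suppresses that ID for every package and every location in both scanned images, not only the lodash 4.17.23 named in the reason. Trivy's YAML ignore file accepts a `purls` list per entry; adding `purls: ["pkg:npm/lodash"]` under the `id` would keep the exception limited to the package it was reviewed for. The one-month `expired_at` is a sensible bound and should stay. The free-text field trivy documents is `statement`, so `reason` (also used by the existing entry above) is probably read only by humans and would not appear in trivy's suppressed-findings output; worth confirming against the trivy version in use.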
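Review bot: Both rewritten `trivy image` recipe lines in `trivy-scan` still run without `--exit-code`, and trivy's default exit code is 0 even when findings are printed, unless a trivy config file or `TRIVY_EXIT_CODE` outside this diff sets it. The CI steps in `.github/workflows/security.yml` pass `exit-code: '1'`, and the `security-check` skill added in this commit reads exit code 0 as "no unignored CRITICAL/HIGH vulnerabilities were found", so the local target can report a clean result that CI would reject. Add the flag to both lines, e.g. `trivy image --exit-code 1 --ignore-unfixed --pkg-types os,library --severity CRITICAL,HIGH --ignorefile .trivyignore.yaml ${localApiImage}`. With that in place GNU make stops at the first failing recipe line and itself exits with status 2, so the workers image is not scanned after an API finding and the skill's "exit code 1" wording would need to accept any non-zero status.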