fix(security): replace deprecated trivy --vuln-type flag and ignore lodash CVE

.claude/skills/security-check/skill.md

@@ -0,0 +1,24 @@
+---
+name: security-check
+description: Run Trivy vulnerability scan on Docker images (API and Workers). Builds images, scans for CRITICAL/HIGH CVEs, and reports findings.
+user_invocable: true
+---
+
+Run a local Trivy security scan matching the CI pipeline configuration.
+
+## Steps
+
+1. Run `make trivy-scan` from the repo root using the Bash tool. This will:
+   - Build the Docker images (`caseai-connect/api:local` and `caseai-connect/workers:local`)
+   - Scan both images with Trivy for CRITICAL and HIGH vulnerabilities
+   - Apply `.trivyignore.yaml` exclusions
+
+2. If the scan **passes** (exit code 0): report that no unignored CRITICAL/HIGH vulnerabilities were found.
+
+3. If the scan **fails** (exit code 1): parse the Trivy output and for each CVE found:
+   - List the CVE ID, severity, package name, installed version, and fixed version (if available)
+   - Indicate whether a fix is available upstream
+   - Suggest next steps:
+     - If a direct dependency can be updated: suggest the `npm update` or `npm install` command
+     - If blocked on a transitive dependency with no fix: suggest using the `/trivy-ignore` skill to add it to `.trivyignore.yaml`
+     - If a major version bump is needed: flag it for manual review

.github/workflows/security.yml

@@ -36,7 +36,7 @@ jobs:
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
-          vuln-type: 'os,library'
+          pkg-types: 'os,library'
           severity: 'CRITICAL,HIGH'
           trivyignores: '.trivyignore.yaml'
           output: 'trivy-api-results.txt'
@@ -48,7 +48,7 @@ jobs:
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
-          vuln-type: 'os,library'
+          pkg-types: 'os,library'
           severity: 'CRITICAL,HIGH'
           trivyignores: '.trivyignore.yaml'
           output: 'trivy-workers-results.txt'

.trivyignore.yaml

@@ -20,3 +20,6 @@ vulnerabilities:
   - id: CVE-2025-32434
     expired_at: 2026-05-01
     reason: "torch 2.5.1+cu121 — fix requires 2.6.0+, blocked by docling compatibility"
+  - id: CVE-2026-4800
+    expired_at: 2026-05-02
+    reason: "lodash 4.17.23 — fix in 4.18.1, blocked by @nestjs/config, llamaindex, @auth0/auth0-spa-js"

Makefile

@@ -61,8 +61,8 @@ check-web-changes:
 # ==============================================================================
 
 trivy-scan: docker-build
-	trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --ignorefile .trivyignore.yaml ${localApiImage}
-	trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --ignorefile .trivyignore.yaml ${localWorkersImage}
+	trivy image --ignore-unfixed --pkg-types os,library --severity CRITICAL,HIGH --ignorefile .trivyignore.yaml ${localApiImage}
+	trivy image --ignore-unfixed --pkg-types os,library --severity CRITICAL,HIGH --ignorefile .trivyignore.yaml ${localWorkersImage}
 
 docker-build: docker-build-api docker-build-workers
 

docs/monthly-dependency-check.md

@@ -83,7 +83,7 @@ make trivy-scan
 
 `make trivy-scan` runs trivy against both `caseai-connect/api:local` and `caseai-connect/workers:local` images with:
 - `--ignore-unfixed` — only report CVEs that have a fix available
-- `--vuln-type os,library` — scan OS packages and language libraries
+- `--pkg-types os,library` — scan OS packages and language libraries
 - `--severity CRITICAL,HIGH` — ignore low/medium findings
 - `--ignorefile .trivyignore.yaml` — skip acknowledged upstream CVEs