From 5786228548bb1cf0d96759551acd22553176d4a0 Mon Sep 17 00:00:00 2001
From: David Grieser
Date: Fri, 14 Nov 2025 15:05:25 +0100
Subject: [PATCH 1/3] chore(ci): add Trivy vulnerability scan to build workflow

- Integrate Aquasecurity Trivy action into the CI pipeline
- Scan filesystem for critical and high severity vulnerabilities
- Output results in JSON and fail the job on detected issues
- Improves security posture by catching vulnerable dependencies early
---
 .github/workflows/build.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index c63a7aa..568d78a 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -17,6 +17,15 @@ jobs:
         with:
           go-version: "1.23"
 
+      - name: Run Trivy vulnerability scan
+        uses: aquasecurity/trivy-action@latest
+        with:
+          scan-type: fs
+          ignore-unfixed: true
+          format: json
+          exit-code: "1"
+          severity: CRITICAL,HIGH
+
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v5
         with:

From f28e37bd0889b31caa9e0db9ac2025705baef727 Mon Sep 17 00:00:00 2001
From: David Grieser
Date: Fri, 14 Nov 2025 15:10:18 +0100
Subject: [PATCH 2/3] fix(ci): pin Trivy action version to 0.33.1

---
 .github/workflows/build.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 568d78a..e7bbbb4 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -18,7 +18,7 @@ jobs:
           go-version: "1.23"
 
       - name: Run Trivy vulnerability scan
-        uses: aquasecurity/trivy-action@latest
+        uses: aquasecurity/trivy-action@0.33.1
         with:
           scan-type: fs
           ignore-unfixed: true

From 2e9465faf19f2ec2653c4c56f1b62a39d732402a Mon Sep 17 00:00:00 2001
From: David Grieser
Date: Fri, 14 Nov 2025 15:18:12 +0100
Subject: [PATCH 3/3] fix(ci): remove ignore-unfixed flag from Trivy scan

---
 .github/workflows/build.yaml | 1 -
 1 file changed, 1 deletion(-)
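Review bot: With `format: json` and no `output:` input, the findings of the "Run Trivy vulnerability scan" step added in the first hunk are printed into the job log as one JSON document, which is hard to triage at the moment `exit-code: "1"` fails the job; writing them to a file with `output: trivy-results.json` and uploading that file as a build artifact (or using `format: table` for the CI log and keeping JSON for machine consumers) makes the failure actionable. `uses: aquasecurity/trivy-action@latest` is pinned to `@0.33.1` in the second hunk, but a tag is still a mutable reference that upstream can move; for a third-party action running with the workflow's credentials, pin the full commit SHA of that release and keep the version as a comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha-of-0.33.1>  # v0.33.1`. Once the third hunk drops `ignore-unfixed: true`, findings without an upstream fix will also fail the build, so a triage path — a `.trivyignore` entry with a written justification and a review date — should be documented next to this step. The enclosing job and its earlier steps start outside this hunk.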
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index e7bbbb4..f9c40fc 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -21,7 +21,6 @@ jobs:
         uses: aquasecurity/trivy-action@0.33.1
         with:
           scan-type: fs
-          ignore-unfixed: true
           format: json
           exit-code: "1"
           severity: CRITICAL,HIGH