diff --git a/.github/workflows/sca-self.yml b/.github/workflows/sca-self.yml index 4fffde0a..b6705c2c 100644 --- a/.github/workflows/sca-self.yml +++ b/.github/workflows/sca-self.yml @@ -78,17 +78,34 @@ jobs: FETCH_LICENSE: "true" run: cdxgen -r --no-validate -o sbom.cdx.json . - # Trivy is bundled into the worker image at apps/backend/Dockerfile.worker; - # for this workflow we install the standalone CLI via the official - # setup-trivy action (smaller, faster than spinning up the worker - # image just to run trivy sbom, and more reliable than the curl | - # sh installer which started returning non-zero on a clean fetch - # in May 2026). - - name: Install Trivy - uses: aquasecurity/setup-trivy@v0.2.6 - with: - version: v0.58.0 - cache: true + # Install the SAME pinned Trivy the worker image ships + # (apps/backend/Dockerfile.worker), from the upstream per-arch .deb with the + # SHA-256 that file already vets. Deliberately NOT `curl | sh` and NOT + # `aquasecurity/setup-trivy`: both resolve Trivy at RUNTIME and this step + # has broken twice on that — + # * 2026-05 — the `curl | sh` installer began returning non-zero on a + # clean fetch (we then switched to setup-trivy). + # * 2026-07 — setup-trivy@v0.2.6 pinned Trivy v0.58.0, whose GitHub + # *release* was later removed upstream (assets 404, though the git tag + # remains). The action "found version 0.58.0" via the tags API then + # failed downloading the vanished asset — red every nightly, no CVE + # involved. + # A pinned .deb + `sha256sum -c` has no moving ref and no version-resolution + # step, and dog-foods the EXACT scanner end users get. ubuntu-2x runners are + # amd64 → Linux-64bit. Keep TRIVY_VERSION and the SHA in lockstep with + # Dockerfile.worker when bumping (the image-scan gate drives those bumps). + - name: Install Trivy (pinned deb, checksum-verified — matches worker image) + env: + TRIVY_VERSION: "0.72.0" + TRIVY_SHA256_AMD64: 9bf8aba92f524b74f8e83d53b298a7dfc6b4d60aca779217e7817e5433c73eeb + run: | + set -euo pipefail + url="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.deb" + curl -fsSL -o /tmp/trivy.deb "$url" + echo "${TRIVY_SHA256_AMD64} /tmp/trivy.deb" | sha256sum -c - + sudo dpkg -i /tmp/trivy.deb + rm -f /tmp/trivy.deb + trivy --version - name: Trivy SBOM scan (CRITICAL + HIGH) # --exit-code 0 — never fail the JOB on findings; the parse step