Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 28 additions & 11 deletions .github/workflows/sca-self.yml
Original file line number Diff line number Diff line change
Expand Up @@ -78,17 +78,34 @@ jobs:
FETCH_LICENSE: "true"
run: cdxgen -r --no-validate -o sbom.cdx.json .

# Trivy is bundled into the worker image at apps/backend/Dockerfile.worker;
# for this workflow we install the standalone CLI via the official
# setup-trivy action (smaller, faster than spinning up the worker
# image just to run trivy sbom, and more reliable than the curl |
# sh installer which started returning non-zero on a clean fetch
# in May 2026).
- name: Install Trivy
uses: aquasecurity/setup-trivy@v0.2.6
with:
version: v0.58.0
cache: true
# Install the SAME pinned Trivy the worker image ships
# (apps/backend/Dockerfile.worker), from the upstream per-arch .deb with the
# SHA-256 that file already vets. Deliberately NOT `curl | sh` and NOT
# `aquasecurity/setup-trivy`: both resolve Trivy at RUNTIME and this step
# has broken twice on that —
# * 2026-05 — the `curl | sh` installer began returning non-zero on a
# clean fetch (we then switched to setup-trivy).
# * 2026-07 — setup-trivy@v0.2.6 pinned Trivy v0.58.0, whose GitHub
# *release* was later removed upstream (assets 404, though the git tag
# remains). The action "found version 0.58.0" via the tags API then
# failed downloading the vanished asset — red every nightly, no CVE
# involved.
# A pinned .deb + `sha256sum -c` has no moving ref and no version-resolution
# step, and dog-foods the EXACT scanner end users get. ubuntu-2x runners are
# amd64 → Linux-64bit. Keep TRIVY_VERSION and the SHA in lockstep with
# Dockerfile.worker when bumping (the image-scan gate drives those bumps).
- name: Install Trivy (pinned deb, checksum-verified — matches worker image)
env:
TRIVY_VERSION: "0.72.0"
TRIVY_SHA256_AMD64: 9bf8aba92f524b74f8e83d53b298a7dfc6b4d60aca779217e7817e5433c73eeb
run: |
set -euo pipefail
url="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.deb"
curl -fsSL -o /tmp/trivy.deb "$url"
echo "${TRIVY_SHA256_AMD64} /tmp/trivy.deb" | sha256sum -c -
sudo dpkg -i /tmp/trivy.deb
rm -f /tmp/trivy.deb
trivy --version

- name: Trivy SBOM scan (CRITICAL + HIGH)
# --exit-code 0 — never fail the JOB on findings; the parse step
Expand Down
Loading