Skip to content

fix(ci): resolve trivy-fs misconfigs blocking every PR#233

Open
seonghobae wants to merge 1 commit into
developfrom
fix/trivy-fs-misconfig
Open

fix(ci): resolve trivy-fs misconfigs blocking every PR#233
seonghobae wants to merge 1 commit into
developfrom
fix/trivy-fs-misconfig

Conversation

@seonghobae

Copy link
Copy Markdown
Contributor

Unblocks the required trivy-fs gate for the whole repo

The org's required trivy-fs security gate (ContextualWisdomLab/.githubsecurity-scan.yml) scans the whole repo and fails on fixable CRITICAL/HIGH findings. A pre-existing set of infra misconfigs has been failing it on every PR (it fails identically on unrelated PRs, e.g. #213). Pulled the actual findings from the trivy-fs SARIF and fixed each by rule ID:

Rule File Fix
DS-0026 Dockerfile add a HEALTHCHECK (wget /)
KSV-0020 infra/k8s/deployment.yaml runAsUser 101 → 10001 (>10000)
KSV-0021 infra/k8s/deployment.yaml runAsGroup/fsGroup 101 → 10001
KSV-0110 infra/k8s/{deployment,service}.yaml add a scopeweave Namespace + set metadata.namespace

Verified

trivy 0.70.0 config scan of the changed files → 0 misconfigurations (Dockerfile + deployment.yaml), no new issues. (Local trivy's policy DB differs from CI's cached one, so I applied the exact per-rule remediations rather than relying on local repro.)

Small + focused on purpose — merging this makes trivy-fs pass across the repo, unblocking the SaaS PR stack (#212→) and every other PR.

🤖 Generated with Claude Code

The org's required trivy-fs gate scans the whole repo and fails on FIXABLE
findings, so a pre-existing set of infra misconfigs was blocking EVERY PR in
this repo (it fails identically on unrelated PRs). The 4 findings (from the
trivy-fs SARIF):

- DS-0026  Dockerfile: no HEALTHCHECK    → add a HEALTHCHECK (wget /).
- KSV-0020 k8s: runAsUser must be >10000 → 101 -> 10001.
- KSV-0021 k8s: runAsGroup must be >10000 → 101 -> 10001 (+ fsGroup).
- KSV-0110 k8s: default namespace        → add a 'scopeweave' Namespace and set
           metadata.namespace on the Deployment, PDB, and Service.

Verified: trivy 0.70.0 `config` scan of the changed files reports 0
misconfigurations (Dockerfile + deployment.yaml), no new issues introduced.
Applied the exact per-rule remediations, so trivy-fs should now pass.

This unblocks trivy-fs across the repo (the SaaS PR stack and other PRs).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_018LMoqYsUY6usjNMBjvxCbU
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant