fix(ci): resolve trivy-fs misconfigs blocking every PR#233
Open
seonghobae wants to merge 1 commit into
Open
Conversation
The org's required trivy-fs gate scans the whole repo and fails on FIXABLE
findings, so a pre-existing set of infra misconfigs was blocking EVERY PR in
this repo (it fails identically on unrelated PRs). The 4 findings (from the
trivy-fs SARIF):
- DS-0026 Dockerfile: no HEALTHCHECK → add a HEALTHCHECK (wget /).
- KSV-0020 k8s: runAsUser must be >10000 → 101 -> 10001.
- KSV-0021 k8s: runAsGroup must be >10000 → 101 -> 10001 (+ fsGroup).
- KSV-0110 k8s: default namespace → add a 'scopeweave' Namespace and set
metadata.namespace on the Deployment, PDB, and Service.
Verified: trivy 0.70.0 `config` scan of the changed files reports 0
misconfigurations (Dockerfile + deployment.yaml), no new issues introduced.
Applied the exact per-rule remediations, so trivy-fs should now pass.
This unblocks trivy-fs across the repo (the SaaS PR stack and other PRs).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_018LMoqYsUY6usjNMBjvxCbU
This was referenced Jul 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Unblocks the required
trivy-fsgate for the whole repoThe org's required
trivy-fssecurity gate (ContextualWisdomLab/.github→security-scan.yml) scans the whole repo and fails on fixable CRITICAL/HIGH findings. A pre-existing set of infra misconfigs has been failing it on every PR (it fails identically on unrelated PRs, e.g. #213). Pulled the actual findings from the trivy-fs SARIF and fixed each by rule ID:DockerfileHEALTHCHECK(wget /)infra/k8s/deployment.yamlrunAsUser101 → 10001 (>10000)infra/k8s/deployment.yamlrunAsGroup/fsGroup101 → 10001infra/k8s/{deployment,service}.yamlscopeweaveNamespace + setmetadata.namespaceVerified
trivy 0.70.0 configscan of the changed files → 0 misconfigurations (Dockerfile + deployment.yaml), no new issues. (Local trivy's policy DB differs from CI's cached one, so I applied the exact per-rule remediations rather than relying on local repro.)Small + focused on purpose — merging this makes
trivy-fspass across the repo, unblocking the SaaS PR stack (#212→) and every other PR.🤖 Generated with Claude Code