apunkt/plano
1
0
Fork 0
mirror of https://github.com/katanemo/plano.git synced 2026-04-25 00:36:34 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Add Trivy Docker security scan to CI (#755)

Browse source 
* Add Trivy Docker image security scan workflow

Scans the Docker image for CRITICAL and HIGH vulnerabilities using Trivy.
Blocks PRs on failures; runs non-blocking on main for visibility. Results
are uploaded to the GitHub Security tab via SARIF.


* Add explicit permissions to Docker security scan workflow

Set minimal permissions: contents read for checkout, security-events
write for SARIF upload to the GitHub Security tab.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix 27 HIGH vulnerabilities found by Trivy Docker scan

- Install supervisor via pip instead of apt to eliminate 22 Debian
  python3.13 package vulnerabilities
- Pin urllib3>=2.6.3 to fix CVE-2025-66418, CVE-2025-66471, CVE-2026-21441
- Add ignore-unfixed to Trivy scan to suppress unfixable glibc CVE-2026-0861

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Adil Hafeez 2026-02-13 19:53:49 -08:00 committed by GitHub
parent 94f804991e
commit 38646fdac2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 67 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

7
Dockerfile
View file

@ -46,9 +46,11 @@ FROM python:3.13.11-slim AS arch
RUN set -eux; \
apt-get update; \
apt-get install -y --no-install-recommends supervisor gettext-base curl; \
apt-get install -y --no-install-recommends gettext-base curl; \
apt-get clean; rm -rf /var/lib/apt/lists/*
RUN pip install --no-cache-dir supervisor
# Remove PAM packages (CVE-2025-6020)
RUN set -eux; \
dpkg -r --force-depends libpam-modules libpam-modules-bin libpam-runtime libpam0g || true; \
@ -70,6 +72,7 @@ RUN uv run pip install --no-cache-dir .
COPY cli/planoai planoai/
COPY config/envoy.template.yaml .
COPY config/plano_config_schema.yaml .
RUN mkdir -p /etc/supervisor/conf.d
COPY config/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
COPY --from=wasm-builder /arch/target/wasm32-wasip1/release/prompt_gateway.wasm /etc/envoy/proxy-wasm-plugins/prompt_gateway.wasm
@ -81,4 +84,4 @@ RUN mkdir -p /var/log/supervisor && \
/var/log/access_ingress.log /var/log/access_ingress_prompt.log \
/var/log/access_internal.log /var/log/access_llm.log /var/log/access_agent.log
ENTRYPOINT ["/usr/bin/supervisord"]
ENTRYPOINT ["/usr/local/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]