mirror of
https://github.com/katanemo/plano.git
synced 2026-06-17 15:25:17 +02:00
Fix 27 HIGH vulnerabilities found by Trivy Docker scan
- Install supervisor via pip instead of apt to eliminate 22 Debian python3.13 package vulnerabilities - Pin urllib3>=2.6.3 to fix CVE-2025-66418, CVE-2025-66471, CVE-2026-21441 - Add ignore-unfixed to Trivy scan to suppress unfixable glibc CVE-2026-0861 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Adil Hafeez
parent
4aa7bd5767
commit
c866a04230
4 changed files with 13 additions and 5 deletions
2
.github/workflows/docker-security-scan.yml
vendored
2
.github/workflows/docker-security-scan.yml
vendored
|
|
@ -36,6 +36,7 @@ jobs:
|
|||
format: table
|
||||
# Fail on PRs so vulnerabilities block merge; on main just report
|
||||
exit-code: ${{ github.event_name == 'pull_request' && '1' || '0' }}
|
||||
ignore-unfixed: true
|
||||
severity: CRITICAL,HIGH
|
||||
|
||||
- name: Run Trivy scanner (SARIF for GitHub Security tab)
|
||||
|
|
@ -45,6 +46,7 @@ jobs:
|
|||
image-ref: ${{ env.DOCKER_IMAGE }}:scan
|
||||
format: sarif
|
||||
output: trivy-results.sarif
|
||||
ignore-unfixed: true
|
||||
severity: CRITICAL,HIGH
|
||||
|
||||
- name: Upload Trivy results to GitHub Security tab
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue