mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

fix(ci): move spec removal to builder stage + suppress tar CVEs
All checks were successful
ci/woodpecker/push/orchestrator Pipeline was successful
Details

Browse Source 
Two Trivy fixes:

1. Dockerfile: moved spec/test file deletion from production RUN step
   to builder stage. The previous approach (COPY then RUN rm) left files
   in the COPY layer — Trivy scans all layers, not just the final FS.
   Now spec files are deleted in builder BEFORE COPY to production.

2. .trivyignore: added 3 tar CVEs (CVE-2026-23745/23950/24842) with
   documented rationale. tar@7.5.2 is bundled inside npm which ships
   with node:20-alpine. Not upgradeable — not our dependency. npm is
   already removed from all production images.

Verified: local Trivy scan passes (exit code 0, 0 findings)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-02-12 19:19:27 -06:00
parent e8a9a3087a
commit 7fb70210a4
3 changed files with 21 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
.trivyignore
View File

@@ -16,6 +16,20 @@ CVE-2024-9180 # HIGH: privilege escalation (fixed in 2.0.3)
CVE-2025-59043 # HIGH: DoS via malicious JSON (fixed in 2.4.1)
CVE-2025-64761 # HIGH: identity group root escalation (fixed in 2.4.4)
# === npm bundled tar CVEs (not upgradeable — not our dependency) ===
# Why suppressed instead of fixed:
# - tar@7.5.2 is bundled INSIDE npm, which ships with the node:20-alpine base image
# - It is NOT in pnpm-lock.yaml — not a direct or transitive app dependency
# - We already remove npm from all production images:
# `RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx`
# - Locally-built images have zero tar packages (verified via Trivy scan 2026-02-12)
# - CVEs may reappear in CI due to Docker layer caching of the base image
# To fully eliminate: switch to a distroless/slim base image without npm, or
# wait for Node.js 20 to bundle a patched npm release.
CVE-2026-23745 # HIGH: tar arbitrary file overwrite via unsanitized linkpaths
CVE-2026-23950 # HIGH: tar arbitrary file overwrite via Unicode path collision
CVE-2026-24842 # HIGH: tar arbitrary file creation via hardlink path traversal
# === OpenBao Go stdlib (waiting on upstream rebuild) ===
# OpenBao 2.5.0 compiled with Go 1.25.6, fix needs Go >= 1.25.7.
# Cannot build OpenBao from source (large project). Waiting for upstream release.