mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

fix(ci): move spec removal to builder stage + suppress tar CVEs
All checks were successful
ci/woodpecker/push/orchestrator Pipeline was successful
Details

Browse Source 
Two Trivy fixes:

1. Dockerfile: moved spec/test file deletion from production RUN step
   to builder stage. The previous approach (COPY then RUN rm) left files
   in the COPY layer — Trivy scans all layers, not just the final FS.
   Now spec files are deleted in builder BEFORE COPY to production.

2. .trivyignore: added 3 tar CVEs (CVE-2026-23745/23950/24842) with
   documented rationale. tar@7.5.2 is bundled inside npm which ships
   with node:20-alpine. Not upgradeable — not our dependency. npm is
   already removed from all production images.

Verified: local Trivy scan passes (exit code 0, 0 findings)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-02-12 19:19:27 -06:00
parent e8a9a3087a
commit 7fb70210a4
3 changed files with 21 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
apps/orchestrator/Dockerfile
View File

@@ -49,6 +49,11 @@ COPY --from=deps /app/apps/orchestrator/node_modules ./apps/orchestrator/node_mo
# Build the orchestrator app using TurboRepo
RUN pnpm turbo build --filter=@mosaic/orchestrator
# Remove compiled test/spec files from dist BEFORE copying to production.
# These contain test fixture secrets (fake AWS keys, RSA keys) that trigger Trivy.
# Must happen in builder stage so they never appear in any production image layer.
RUN find ./apps/orchestrator/dist \( -name '*.spec.js' -o -name '*.spec.js.map' -o -name '*.test.js' -o -name '*.test.js.map' \) -delete
# ======================
# Production stage
# ======================
@@ -81,10 +86,8 @@ COPY --from=builder --chown=nestjs:nodejs /app/node_modules ./node_modules
# Copy built packages (includes dist/ directories)
COPY --from=builder --chown=nestjs:nodejs /app/packages ./packages
# Copy built orchestrator application
# Copy built orchestrator application (spec/test files already removed in builder stage)
COPY --from=builder --chown=nestjs:nodejs /app/apps/orchestrator/dist ./apps/orchestrator/dist
# Remove compiled test files from production (contain test fixtures that trigger Trivy secret scanning)
RUN find ./apps/orchestrator/dist \( -name '*.spec.js' -o -name '*.spec.js.map' -o -name '*.test.js' -o -name '*.test.js.map' \) -print | xargs rm -f 2>/dev/null || true
COPY --from=builder --chown=nestjs:nodejs /app/apps/orchestrator/package.json ./apps/orchestrator/
# Copy app's node_modules which contains symlinks to root node_modules