
Conversation

@johnjeffers (Contributor)

Update the Deploy workflow to include Trivy scans before push. The workflow will fail on any High or Critical vuln that has a mitigation path, but skips vulns with no fixes via the --ignore-unfixed flag.

Other changes:

  • updates all of the existing GitHub and Docker Actions to the latest versions.
  • updates the Dockerfile to add --no-install-recommends to the apt install so the pre-build scan does not fail.
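The gating rule the description gives, fail on High or Critical findings that have a fixed version and skip those that do not, applied to a constructed Trivy JSON report. This is an added illustration, not the PR's workflow or project code; the report follows the shape of `trivy image --format json`, and the vulnerability IDs, package names and versions are placeholders.

```python
import json

# Constructed Trivy-style report (same shape as `trivy image --format json`).
# IDs, packages and versions are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "example/image:latest (debian 12)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-PLACEHOLDER-1", "PkgName": "libexample",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-PLACEHOLDER-2", "PkgName": "libother",
             "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-PLACEHOLDER-3", "PkgName": "libminor",
             "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "MEDIUM"},
        ],
    }]
})

# Severities that block the push, mirroring the PR's High/Critical threshold.
FAIL_SEVERITIES = {"HIGH", "CRITICAL"}


def gate(report_json: str, ignore_unfixed: bool = True) -> dict:
    """Apply the push-gating policy to a Trivy JSON report.

    Returns the findings that block the push ("blocking"), those skipped
    because no fixed version exists ("unfixed"), and the exit code the
    workflow step would see (1 = do not push, 0 = push).
    """
    report = json.loads(report_json)
    blocking, unfixed = [], []
    for result in report.get("Results", []):
        # Trivy emits "Vulnerabilities": null for a clean target, hence `or []`.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in FAIL_SEVERITIES:
                continue  # reported by Trivy, but below the gating threshold
            if not vuln.get("FixedVersion") and ignore_unfixed:
                # --ignore-unfixed drops findings with no mitigation path
                unfixed.append(vuln["VulnerabilityID"])
                continue
            blocking.append(vuln["VulnerabilityID"])
    return {"blocking": blocking, "unfixed": unfixed, "exit_code": 1 if blocking else 0}


if __name__ == "__main__":
    for flag in (True, False):
        print(f"--ignore-unfixed={flag}:", gate(SAMPLE_REPORT, ignore_unfixed=flag))
```

Running it with and without the flag shows the trade-off the reviewers discuss: the unfixed High finding is the one that would otherwise block a release with no remediation available.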

@johnjeffers johnjeffers requested review from a team as code owners November 4, 2025 21:35
@wied03 (Contributor) left a comment

just a few questions

--ignore-unfixed \
docker/fusionauth/fusionauth-app
- name: Build and scan platform images
Contributor

Trying to think through real world edge cases here. If we had an unknown vuln at release time, or a vuln that hits right at release time, this could cause us to fail here and not publish (and in the release process, if we don't publish here soon after S3 artifacts, we have a problem).

Should we make this more of an async, scheduled workflow that doesn't inhibit a release if the scan fails? Or if we don't want to do that, might we need bigger release workflow changes that can build and push a Docker image with a draft set of artifacts before the S3 push, but that might be a heavier lift.

Contributor Author

IMO we should not push an image with a known vulnerability, and if that interrupts the release process, that's a good thing.
