Skip to content

Comments

fix(ci): replace oraclelinux base image with debian bookworm-slim#532

Merged
bug-ops merged 3 commits intomainfrom
fix/trivy-ci-531
Feb 18, 2026
Merged

fix(ci): replace oraclelinux base image with debian bookworm-slim#532
bug-ops merged 3 commits intomainfrom
fix/trivy-ci-531

Conversation

@bug-ops
Copy link
Owner

@bug-ops bug-ops commented Feb 18, 2026

Summary

  • Replace oraclelinux:9-slim with debian:bookworm-slim in both Dockerfile and Dockerfile.dev to eliminate CRITICAL/HIGH CVEs detected by Trivy
  • Remove unnecessary packages: systemd-sysv, pkg-config, libssl-dev (project uses rustls)
  • Pin trivy-action to v0.34.0 instead of @master

Test plan

  • CI docker-build-and-scan job passes with zero CRITICAL/HIGH findings
  • Trivy SARIF results upload to Security tab
  • Docker image builds successfully

Closes #531

@bug-ops
fix(ci): replace oraclelinux base image with debian bookworm-slim
830f6fa 
Switch Docker base from oraclelinux:9-slim to debian:bookworm-slim
to resolve CRITICAL/HIGH CVEs detected by Trivy scanner. Remove
unnecessary packages (systemd-sysv, pkg-config, libssl-dev). Pin
trivy-action to v0.34.0 for reproducible CI runs.

Closes #531
@github-actions github-actions bot added ci bug Something isn't working size/S labels Feb 18, 2026
@bug-ops
fix(ci): correct trivy-action tag to 0.34.0 (without v prefix)
df28d50
@bug-ops
fix(ci): limit Trivy SARIF exit-code to CRITICAL/HIGH only
f69f2f6 
With format=sarif, trivy-action builds report with all severities
regardless of severity filter, causing exit-code 1 on LOW/MEDIUM
findings. Add limit-severities-for-sarif to restrict exit-code
check to CRITICAL/HIGH only.
@bug-ops bug-ops enabled auto-merge (squash) February 18, 2026 13:42
@bug-ops bug-ops merged commit bbb91a1 into main Feb 18, 2026
18 checks passed
@bug-ops bug-ops deleted the fix/trivy-ci-531 branch February 18, 2026 13:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

bug Something isn't working ci size/S

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

ci: Trivy vulnerability scanner fails on Docker image

1 participant

@bug-ops