fix(ci): replace oraclelinux base image with debian bookworm-slim#532

Merged: bug-ops merged 3 commits into main from fix/trivy-ci-531 on Feb 18, 2026

Conversation

bug-ops (Owner) commented Feb 18, 2026

Summary

  • Replace oraclelinux:9-slim with debian:bookworm-slim in both Dockerfile and Dockerfile.dev to eliminate CRITICAL/HIGH CVEs detected by Trivy
  • Remove unnecessary packages: systemd-sysv, pkg-config, libssl-dev (project uses rustls)
  • Pin trivy-action to v0.34.0 instead of @master

Test plan

  • CI docker-build-and-scan job passes with zero CRITICAL/HIGH findings
  • Trivy SARIF results upload to Security tab
  • Docker image builds successfully

Closes #531

Switch Docker base from oraclelinux:9-slim to debian:bookworm-slim
to resolve CRITICAL/HIGH CVEs detected by Trivy scanner. Remove
unnecessary packages (systemd-sysv, pkg-config, libssl-dev). Pin
trivy-action to v0.34.0 for reproducible CI runs.

Closes #531
@github-actions github-actions bot added ci bug Something isn't working size/S labels Feb 18, 2026
With format=sarif, trivy-action builds report with all severities
regardless of severity filter, causing exit-code 1 on LOW/MEDIUM
findings. Add limit-severities-for-sarif to restrict exit-code
check to CRITICAL/HIGH only.
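As an added example (not the project's own workflow file, which is not shown on this page), here is a docker-build-and-scan job wired the way the commit messages above describe: trivy-action pinned to v0.34.0, SARIF output uploaded to the Security tab, and limit-severities-for-sarif set so that the exit-code gate only fires on CRITICAL/HIGH. The workflow name, image tag, job name and SARIF file path are placeholders I chose, not values from the repository.

```yaml
# Added example workflow; image tag, job name and output path are assumptions.
name: docker-build-and-scan

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required by upload-sarif to write to the Security tab

jobs:
  docker-build-and-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        run: docker build -t example-app:ci .   # placeholder image tag

      - name: Trivy scan (SARIF)
        uses: aquasecurity/trivy-action@v0.34.0   # pinned release, not @master
        with:
          image-ref: example-app:ci
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH
          exit-code: "1"
          # With format=sarif the report still lists every severity; without
          # this flag the exit-code check also trips on LOW/MEDIUM findings.
          limit-severities-for-sarif: true

      - name: Upload SARIF to Security tab
        if: always()   # upload even when the scan step failed the build
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
```

The `if: always()` on the upload step matters in practice: when the scan fails the job on a CRITICAL/HIGH finding, the SARIF still reaches the Security tab so the finding can be triaged there rather than only in the job log.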
@bug-ops bug-ops enabled auto-merge (squash) February 18, 2026 13:42
@bug-ops bug-ops merged commit bbb91a1 into main Feb 18, 2026
18 checks passed
@bug-ops bug-ops deleted the fix/trivy-ci-531 branch February 18, 2026 13:47

Development

Merging this pull request may close: ci: Trivy vulnerability scanner fails on Docker image