fix(ci): ignore unfixed image CVEs#146
Merged
Summary
This PR fixes the remaining `docker-build` CI failure after PR #145 by changing image vulnerability scanning to gate only actionable CVEs.

Changes:

- Add `APT_CACHE_BUST` to backend CI builds so the `apt-get update && apt-get upgrade` layer is not restored stale from BuildKit cache.
- Set `ignore-unfixed: true` while keeping `exit-code: 1`.
- Add `always()` to the `docker-build` job condition so backend-only PRs still run Docker checks when frontend jobs are skipped.

Root Cause

`docker-build` failed on `main` because Trivy reported HIGH/CRITICAL Debian 13.5 CVEs in the backend image. Local verification showed those findings currently have no fixed Debian package versions available, so `apt-get upgrade` alone cannot remediate them.

The intended gate is now:
Verification
Local verification:
```bash
docker build --pull --build-arg APT_CACHE_BUST=local-verify --file backend/Dockerfile --tag votecatcher-backend:trivy-check backend
trivy image --ignore-unfixed --severity CRITICAL,HIGH --exit-code 1 votecatcher-backend:trivy-check
docker build --pull --build-arg APT_CACHE_BUST=local-verify-prod --file backend/Dockerfile.prod --tag votecatcher-backend:prod-trivy-check backend
trivy image --ignore-unfixed --severity CRITICAL,HIGH --exit-code 1 votecatcher-backend:prod-trivy-check
.agent-workspace/.local/bin/actionlint -ignore "SC2129" .github/workflows/ci.yml .github/workflows/code-quality.yml
```

GitHub Actions verification:
`docker-build` runs and passes on PR fix(ci): ignore unfixed image CVEs #146.
2821377693283580753964

Notes

`actionlint` still reports pre-existing ShellCheck `SC2129` style warnings in summary shell blocks. Those warnings are unrelated to this PR and were ignored for workflow syntax validation.

`ignore-unfixed: true` is a deliberate CI policy change: known but currently unpatchable distro CVEs remain visible in Trivy output, but they do not block CI until fixed package versions exist.
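As an added example (not code from this PR or the project), the script below applies the same policy as `trivy image --ignore-unfixed --severity CRITICAL,HIGH --exit-code 1` to a Trivy JSON report (`trivy image --format json`): fixable HIGH/CRITICAL findings fail the gate, unfixed ones are printed for visibility but do not block. The report and its CVE ids and package names are constructed placeholders in Trivy's JSON shape, not real scan output.

```python
"""Apply the PR's gate policy to a Trivy JSON report (trivy image --format json)."""
import json

GATED = {"CRITICAL", "HIGH"}   # severities the CI gate looks at

def make_report(vulns):
    """Wrap a list of findings in Trivy's JSON report shape (constructed, not real output)."""
    return json.dumps({"Results": [{"Target": "example-image (debian 13.5)",
                                    "Vulnerabilities": vulns}]})

# Constructed sample findings; CVE ids and package names are placeholders.
FIXABLE_HIGH = {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"}
UNFIXED_CRITICAL = {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2",
                    "InstalledVersion": "2.3-1", "Severity": "CRITICAL"}   # no FixedVersion yet
FIXABLE_MEDIUM = {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample3",
                  "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "MEDIUM"}

MIXED_REPORT = make_report([FIXABLE_HIGH, UNFIXED_CRITICAL, FIXABLE_MEDIUM])
UNFIXED_ONLY_REPORT = make_report([UNFIXED_CRITICAL, FIXABLE_MEDIUM])

def triage(report_json, severities=GATED):
    """Split gated-severity findings into (fixable, unfixed) by whether FixedVersion is set."""
    fixable, unfixed = [], []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # Trivy omits the key when empty
            if v.get("Severity") not in severities:
                continue
            (fixable if v.get("FixedVersion") else unfixed).append(v)
    return fixable, unfixed

def gate_exit_code(report_json, ignore_unfixed=True):
    """1 if the gate should fail the build, else 0; unfixed findings stay visible either way."""
    fixable, unfixed = triage(report_json)
    for v in unfixed:
        print(f"unfixed  {v['VulnerabilityID']} {v['PkgName']} {v['InstalledVersion']} ({v['Severity']})")
    for v in fixable:
        print(f"FIXABLE  {v['VulnerabilityID']} {v['PkgName']} "
              f"{v['InstalledVersion']} -> {v['FixedVersion']} ({v['Severity']})")
    blocking = fixable if ignore_unfixed else fixable + unfixed
    return 1 if blocking else 0

if __name__ == "__main__":
    # Mirrors the CI gate: only fixable HIGH/CRITICAL findings break the build.
    raise SystemExit(gate_exit_code(MIXED_REPORT))
```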