Skip to content

Security: npm audit, Dependabot, Trivy, CodeQL, OSV Scanner + Node 24 + v2.5.2#20

Merged
paradoxbound merged 6 commits into
mainfrom
feature/free-security-scanning
Feb 26, 2026
Merged

Security: npm audit, Dependabot, Trivy, CodeQL, OSV Scanner + Node 24 + v2.5.2#20
paradoxbound merged 6 commits into
mainfrom
feature/free-security-scanning

Conversation

@paradoxbound

@paradoxbound paradoxbound commented Feb 26, 2026

Copy link
Copy Markdown
Owner

Summary

Adds free GitHub security scanning to the pipeline and upgrades the runtime to Node 24. Releases as v2.5.2.

Security scanning (new)

  • npm audit — added to functional-tests.yml after npm ci. Blocks the test check on HIGH or CRITICAL CVEs using the npm advisory database.
  • OSV Scanner (google/osv-scanner-action@v2.3.3) — added to functional-tests.yml after npm audit. Scans all package-lock.json files recursively against the OSV/NIST database — the same source Trivy uses for npm packages — so vulnerabilities are caught at the fast test stage rather than waiting for the full Docker build and image scan.
  • Dependabot — new .github/dependabot.yml. Daily checks for npm packages across all three package roots (/, /packages/core, /packages/stdio) and all GitHub Actions versions. Security alerts are real-time regardless of schedule.
  • Trivy image scanning — added to docker-publish.yml in two places:
    • Inside pre-merge-cd-check (PR gate): scans :pr-{n}-amd64; CRITICAL+HIGH reported to Security tab via SARIF; CRITICAL with a fix available blocks the PR.
    • New scan job between verify and merge (post-merge gate): scans :latest-amd64 before manifest tags and git tag are created; CRITICAL blocks the release.
  • CodeQL — new .github/workflows/codeql.yml. Semantic TypeScript analysis (language: javascript, build-mode: none). Runs on PRs, push to main, and weekly.

Bug fix: Trivy env-var pollution

trivy-action exports TRIVY_FORMAT and TRIVY_OUTPUT into $GITHUB_ENV. When the blocking step specifies format: table (the action default), the action skips overwriting those vars, so the SARIF step values bleed in — causing the blocking step to run in SARIF mode and fail on HIGH findings instead of CRITICAL only.

Fix: replaced both "Fail on CRITICAL" trivy-action steps with plain run: steps invoking the trivy binary directly. CLI flags always override environment variables.

Node 24 upgrade

  • Docker base image upgraded from node:20-alpine to node:24-alpine. Node 20 reaches EOL April 2026; Node 24 has been Active LTS since October 2025. Node 24 ships with npm 11 which has updated bundled dependencies, resolving the HIGH CVEs Trivy was detecting in the Docker image (tar, glob, minimatch, cross-spawn).
  • CI node-version updated from 20 to 24 to match.

Dependency fixes

  • HIGH (npm audit fix): patched @modelcontextprotocol/sdk (GHSA-345p-7cg4-v4c7) and rollup (GHSA-mw96-cpmx-2vgc).
  • MODERATE (OSV Scanner / npm audit fix --force): upgraded vitest 3.x4.x to resolve the esbuild/vite/vitest chain (GHSA-67mh-4wv8-2f99). Build and type-check pass cleanly on vitest v4.
  • ignore-unfixed: true on all Trivy steps — OS-level Alpine CVEs with no patch available do not block the pipeline.

Post-merge: GitHub Settings to enable

  • Branch protection → required checks: Add CodeQL to required status checks
  • Security → Secret scanning → Push protection: Enable to reject pushes containing detected secrets at the server level (free for public repos, no workflow change needed)

Test plan

  • npm audit passes — 0 vulnerabilities
  • OSV Scanner passes — 0 vulnerabilities after vitest v4 upgrade
  • Trivy blocking step uses run: to avoid env-var pollution
  • pre-merge-cd-check Trivy SARIF uploaded to Security tab
  • CodeQL analysis passes
  • Build and type-check clean on Node 24 / vitest v4
  • After merge: scan job runs between verify and merge
  • After merge: v2.5.2 Docker tags published correctly

🤖 Generated with Claude Code

Paradoxbound and others added 5 commits February 26, 2026 15:35
- Add npm audit --audit-level=high to functional-tests.yml; fails the
  test check on HIGH/CRITICAL dependency CVEs.
- Add .github/dependabot.yml: daily checks for npm (/, /packages/core,
  /packages/stdio) and github-actions ecosystems.
- Add Trivy image scanning to docker-publish.yml:
  - In pre-merge-cd-check: scans the PR amd64 image; HIGH+CRITICAL
    reported to Security tab via SARIF; CRITICAL blocks the PR.
  - New scan job (between verify and merge): scans :latest-amd64 before
    final manifest tags and git tag are created; CRITICAL blocks release.
  - cleanup job updated to also trigger on scan failure.
- Add .github/workflows/codeql.yml: GitHub CodeQL semantic analysis for
  TypeScript (language: javascript, build-mode: none). Runs on PRs,
  push to main, and weekly schedule. Add CodeQL to required branch
  protection checks.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
npm audit fix patched:
- @modelcontextprotocol/sdk: GHSA-345p-7cg4-v4c7 (cross-client data
  leak via shared server/transport instance reuse)
- rollup: GHSA-mw96-cpmx-2vgc (arbitrary file write via path traversal,
  dev dependency via vitest)

Remaining 5 moderate vulns (esbuild/vite/vitest chain) require a
breaking vitest v4 upgrade and are below --audit-level=high threshold.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Alpine base image packages with no upstream patch would otherwise block
every PR and release.  With ignore-unfixed: true, Trivy only reports and
blocks on CVEs that have a fix the team can actually apply.

Applied to all four Trivy steps:
- pre-merge-cd-check: SARIF report step + CRITICAL blocking step
- scan job:           SARIF report step + CRITICAL blocking step

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Node 24 (Active LTS since Oct 2025):
- Upgrade Docker base image node:20-alpine to node:24-alpine.
  Node 20 reaches EOL April 2026; Node 24 ships with npm 11 which has
  updated bundled deps resolving HIGH CVEs Trivy found in the image.
- Update CI node-version from 20 to 24 to match.

OSV Scanner:
- Add google/osv-scanner-action/osv-scanner-action@v2.3.3 to the test
  job after npm audit. Scans lockfiles against the OSV/NIST database
  so vulns are caught at the test stage, not after a full Docker build.

Fix Trivy env-var pollution bug:
- trivy-action exports TRIVY_FORMAT and TRIVY_OUTPUT into GITHUB_ENV.
  When format=table (the default), the action skips overwriting these
  vars, so the SARIF step values bleed into the blocking step, causing
  it to run in SARIF mode and fail on HIGH findings instead of CRITICAL.
- Fix: replace both blocking trivy-action steps with plain run: steps
  invoking trivy CLI directly. CLI flags always override env vars.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
npm audit fix --force upgrades vitest 3.x -> 4.x (GHSA-67mh-4wv8-2f99).
This resolves the esbuild/vite/vitest chain of 5 moderate CVEs that OSV
Scanner flagged in the test job. Build and type-check pass cleanly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@paradoxbound paradoxbound changed the title Security: npm audit, Dependabot, Trivy image scanning, CodeQL Security: npm audit, Dependabot, Trivy, CodeQL, OSV Scanner + Node 24 + v2.5.2 Feb 26, 2026
npm audit fix --force updated the version constraint in package.json
but only package-lock.json was staged in the previous commit.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@paradoxbound paradoxbound merged commit a220efa into main Feb 26, 2026
11 checks passed
paradoxbound added a commit that referenced this pull request Feb 26, 2026
…v4 (#22)

## Summary

Fixes the post-merge pipeline failure from PR #20 where
`mirror.gcr.io/aquasec/trivy-db` returned 404, preventing `v2.5.2` from
being published.

- **Trivy DB primary + fallback**: Sets
`TRIVY_DB_REPOSITORY=ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db`
on all four Trivy steps. Trivy tries GHCR first, falls back to AWS ECR
Public if unavailable, before failing.
- **`codeql-action/upload-sarif` v3 → v4**: Addresses the deprecation
warning logged during the failed run (v3 deprecated December 2026).

## Test plan

- [ ] Post-merge `scan` job completes successfully with Trivy DB
downloaded from GHCR
- [ ] SARIF uploaded to Security tab
- [ ] `merge` job runs and v2.5.2 tags published correctly

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Paradoxbound <paradoxbound@paradoxbound.org>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant