Security: npm audit, Dependabot, Trivy, CodeQL, OSV Scanner + Node 24 + v2.5.2#20
Merged
Merged
Conversation
- Add npm audit --audit-level=high to functional-tests.yml; fails the
test check on HIGH/CRITICAL dependency CVEs.
- Add .github/dependabot.yml: daily checks for npm (/, /packages/core,
/packages/stdio) and github-actions ecosystems.
- Add Trivy image scanning to docker-publish.yml:
- In pre-merge-cd-check: scans the PR amd64 image; HIGH+CRITICAL
reported to Security tab via SARIF; CRITICAL blocks the PR.
- New scan job (between verify and merge): scans :latest-amd64 before
final manifest tags and git tag are created; CRITICAL blocks release.
- cleanup job updated to also trigger on scan failure.
- Add .github/workflows/codeql.yml: GitHub CodeQL semantic analysis for
TypeScript (language: javascript, build-mode: none). Runs on PRs,
push to main, and weekly schedule. Add CodeQL to required branch
protection checks.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
npm audit fix patched: - @modelcontextprotocol/sdk: GHSA-345p-7cg4-v4c7 (cross-client data leak via shared server/transport instance reuse) - rollup: GHSA-mw96-cpmx-2vgc (arbitrary file write via path traversal, dev dependency via vitest) Remaining 5 moderate vulns (esbuild/vite/vitest chain) require a breaking vitest v4 upgrade and are below --audit-level=high threshold. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Alpine base image packages with no upstream patch would otherwise block every PR and release. With ignore-unfixed: true, Trivy only reports and blocks on CVEs that have a fix the team can actually apply. Applied to all four Trivy steps: - pre-merge-cd-check: SARIF report step + CRITICAL blocking step - scan job: SARIF report step + CRITICAL blocking step Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Node 24 (Active LTS since Oct 2025): - Upgrade Docker base image node:20-alpine to node:24-alpine. Node 20 reaches EOL April 2026; Node 24 ships with npm 11 which has updated bundled deps resolving HIGH CVEs Trivy found in the image. - Update CI node-version from 20 to 24 to match. OSV Scanner: - Add google/osv-scanner-action/osv-scanner-action@v2.3.3 to the test job after npm audit. Scans lockfiles against the OSV/NIST database so vulns are caught at the test stage, not after a full Docker build. Fix Trivy env-var pollution bug: - trivy-action exports TRIVY_FORMAT and TRIVY_OUTPUT into GITHUB_ENV. When format=table (the default), the action skips overwriting these vars, so the SARIF step values bleed into the blocking step, causing it to run in SARIF mode and fail on HIGH findings instead of CRITICAL. - Fix: replace both blocking trivy-action steps with plain run: steps invoking trivy CLI directly. CLI flags always override env vars. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
npm audit fix --force upgrades vitest 3.x -> 4.x (GHSA-67mh-4wv8-2f99). This resolves the esbuild/vite/vitest chain of 5 moderate CVEs that OSV Scanner flagged in the test job. Build and type-check pass cleanly. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
npm audit fix --force updated the version constraint in package.json but only package-lock.json was staged in the previous commit. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
3 tasks
paradoxbound
added a commit
that referenced
this pull request
Feb 26, 2026
…v4 (#22) ## Summary Fixes the post-merge pipeline failure from PR #20 where `mirror.gcr.io/aquasec/trivy-db` returned 404, preventing `v2.5.2` from being published. - **Trivy DB primary + fallback**: Sets `TRIVY_DB_REPOSITORY=ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db` on all four Trivy steps. Trivy tries GHCR first, falls back to AWS ECR Public if unavailable, before failing. - **`codeql-action/upload-sarif` v3 → v4**: Addresses the deprecation warning logged during the failed run (v3 deprecated December 2026). ## Test plan - [ ] Post-merge `scan` job completes successfully with Trivy DB downloaded from GHCR - [ ] SARIF uploaded to Security tab - [ ] `merge` job runs and v2.5.2 tags published correctly 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Paradoxbound <paradoxbound@paradoxbound.org> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds free GitHub security scanning to the pipeline and upgrades the runtime to Node 24. Releases as v2.5.2.
Security scanning (new)
npm audit— added tofunctional-tests.ymlafternpm ci. Blocks thetestcheck on HIGH or CRITICAL CVEs using the npm advisory database.google/osv-scanner-action@v2.3.3) — added tofunctional-tests.ymlafternpm audit. Scans allpackage-lock.jsonfiles recursively against the OSV/NIST database — the same source Trivy uses for npm packages — so vulnerabilities are caught at the fast test stage rather than waiting for the full Docker build and image scan..github/dependabot.yml. Daily checks for npm packages across all three package roots (/,/packages/core,/packages/stdio) and all GitHub Actions versions. Security alerts are real-time regardless of schedule.docker-publish.ymlin two places:pre-merge-cd-check(PR gate): scans:pr-{n}-amd64; CRITICAL+HIGH reported to Security tab via SARIF; CRITICAL with a fix available blocks the PR.scanjob betweenverifyandmerge(post-merge gate): scans:latest-amd64before manifest tags and git tag are created; CRITICAL blocks the release..github/workflows/codeql.yml. Semantic TypeScript analysis (language: javascript,build-mode: none). Runs on PRs, push to main, and weekly.Bug fix: Trivy env-var pollution
trivy-actionexportsTRIVY_FORMATandTRIVY_OUTPUTinto$GITHUB_ENV. When the blocking step specifiesformat: table(the action default), the action skips overwriting those vars, so the SARIF step values bleed in — causing the blocking step to run in SARIF mode and fail on HIGH findings instead of CRITICAL only.Fix: replaced both "Fail on CRITICAL"
trivy-actionsteps with plainrun:steps invoking thetrivybinary directly. CLI flags always override environment variables.Node 24 upgrade
node:20-alpinetonode:24-alpine. Node 20 reaches EOL April 2026; Node 24 has been Active LTS since October 2025. Node 24 ships with npm 11 which has updated bundled dependencies, resolving the HIGH CVEs Trivy was detecting in the Docker image (tar,glob,minimatch,cross-spawn).node-versionupdated from20to24to match.Dependency fixes
@modelcontextprotocol/sdk(GHSA-345p-7cg4-v4c7) androllup(GHSA-mw96-cpmx-2vgc).vitest3.x→4.xto resolve theesbuild/vite/vitestchain (GHSA-67mh-4wv8-2f99). Build and type-check pass cleanly on vitest v4.ignore-unfixed: trueon all Trivy steps — OS-level Alpine CVEs with no patch available do not block the pipeline.Post-merge: GitHub Settings to enable
CodeQLto required status checksTest plan
npm auditpasses — 0 vulnerabilitiesrun:to avoid env-var pollutionpre-merge-cd-checkTrivy SARIF uploaded to Security tabscanjob runs betweenverifyandmerge🤖 Generated with Claude Code