Merge branch 'feature/cve-audit-protocol' into 'master'

chore: add CVE audit skill and scheduled GitLab CI jobs (#704)

Closes #704

See merge request postgres-ai/database-lab!1137

Author: agneum

.claude/commands/cve-audit.md

@@ -0,0 +1,100 @@
+---
+description: Run CVE audit across Go deps, UI deps, and Docker image. Produce a triage report with fix recommendations.
+argument-hint: [image-ref] (default: dblab_server:local, matches `make build-image`)
+---
+
+# CVE Audit Protocol
+
+You are running a vulnerability audit for DLE. The goal is a **triage report** that a
+developer can act on — not a raw scanner dump.
+
+## Scope
+
+Three layers, each with its own scanner:
+
+| Layer | Tool | Command |
+|-------|------|---------|
+| Go source + deps | `govulncheck` | `cd engine && govulncheck ./...` |
+| UI deps | `pnpm audit` | `cd ui && pnpm audit` |
+| Built Docker image | `trivy` | `trivy image --severity CRITICAL,HIGH,MEDIUM $IMAGE` |
+
+Target image: `$ARGUMENTS` if provided, else `dblab_server:local` (the tag produced
+by `cd engine && make build-image`). If the image is missing locally, tell the user
+to run `make build-image` first rather than silently falling back to a registry tag.
+
+## Steps
+
+1. **Preflight** — verify each tool is installed. If any are missing, report which
+   and stop; do not silently skip. Tools:
+   - `go` + `govulncheck` (install with `go install golang.org/x/vuln/cmd/govulncheck@latest`)
+   - `pnpm`
+   - `trivy`
+   - `jq` (for JSON parsing below)
+
+2. **Write outputs to `cve-reports/`** (create if missing). Use these filenames:
+   - `cve-reports/govulncheck.txt` and `govulncheck.json`
+   - `cve-reports/pnpm-audit.txt` and `pnpm-audit.json`
+   - `cve-reports/trivy.txt` and `trivy.json`
+
+3. **Run the three scanners in parallel** where possible (they don't depend on
+   each other). Capture both human-readable text and JSON formats. Don't fail the
+   audit if a scanner returns non-zero — findings produce non-zero exit codes.
+
+   ```bash
+   # Go
+   cd engine && govulncheck -format json ./... > ../cve-reports/govulncheck.json; govulncheck ./... > ../cve-reports/govulncheck.txt; cd ..
+
+   # UI
+   cd ui && pnpm audit --json > ../cve-reports/pnpm-audit.json; pnpm audit > ../cve-reports/pnpm-audit.txt; cd ..
+
+   # Image
+   trivy image --severity CRITICAL,HIGH,MEDIUM --format json -o cve-reports/trivy.json "$IMAGE"
+   trivy image --severity CRITICAL,HIGH -o cve-reports/trivy.txt "$IMAGE"
+   ```
+
+4. **Build the triage report** — `cve-reports/SUMMARY.md`. Structure:
+
+   ### Header
+   - Date, image ref, tool versions, Go version, Node/pnpm version.
+
+   ### Severity counts (per layer)
+   Table: CRITICAL / HIGH / MEDIUM / LOW for Go stdlib, Go deps, UI deps, image OS
+   packages, image Go binaries.
+
+   ### Top actionable items
+   Filter by: `Severity in {CRITICAL, HIGH}` AND `Status == "fixed"` AND
+   `FixedVersion != ""`. Group by remediation (e.g. "upgrade Go to 1.26.2",
+   "`go get -u github.com/X`", "rebuild on `docker:29.3.1`"). One line per group with
+   the CVEs it resolves.
+
+   ### Unfixed but important
+   `Severity in {CRITICAL, HIGH}` AND no fix available. Note these for tracking.
+   Suggest `.trivyignore` entry only if we've confirmed non-exploitability.
+
+   ### Notable CVSS vectors
+   For anything scoring ≥9.0 or marked network-exploitable with no privileges
+   (`AV:N/PR:N/UI:N`), call it out explicitly — these are the "drop everything"
+   ones.
+
+   ### Delta (optional)
+   If a previous `cve-reports/SUMMARY.md` exists in git, diff the CVE IDs and
+   highlight: new findings since last run, findings resolved since last run.
+
+5. **Do not** propose automated `go get -u` across the board — some upgrades
+   have breaking changes. List the commands and let the user run them.
+
+6. **Output to the user** — a short paragraph summary (counts + top 3-5 actions),
+   then a pointer to `cve-reports/SUMMARY.md` for the full report. Do not paste
+   the full scanner output in chat.
+
+## Notes on reading results
+
+- Trivy's **Severity** label comes from the distro/vendor; consult **CVSS vector**
+  in JSON (`.Results[].Vulnerabilities[].CVSS`) for true risk. Rules of thumb:
+  - `AV:N` (network) + `PR:N` (no auth) + `UI:N` (no click) → fix urgently
+  - `AV:L` (local only) → lower urgency for server containers
+  - `UI:R` → often not reachable in server context
+- `govulncheck` separates **called** vs **imported-but-not-called** vulns. Prioritize
+  called ones; imported-only can often wait for a bulk dep bump.
+- `pnpm audit` includes transitive deps — check if the vulnerable path is actually
+  reachable before treating it as critical.

.gitignore

@@ -17,3 +17,6 @@ engine/coverage.out
 engine/meta
 
 ui/packages/shared/dist/
+
+cve-reports/
+.trivycache/

.gitlab-ci-security.yml

@@ -0,0 +1,203 @@
+# Scheduled CVE audit. Produces JSON + human-readable reports as artifacts.
+#
+# Trigger: GitLab CI Schedule with variable SECURITY_AUDIT=1.
+# Also runs on manual (web) trigger with the same variable.
+#
+# Configure a weekly schedule at: Settings > CI/CD > Schedules.
+# Recommended cadence: weekly (e.g. Monday 03:00 UTC).
+
+.security_rules: &security_rules
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule" && $SECURITY_AUDIT == "1"
+    - if: $CI_PIPELINE_SOURCE == "web" && $SECURITY_AUDIT == "1"
+  interruptible: false
+
+# Must list every stage used across all included files — a later `stages:`
+# declaration replaces earlier ones (GitLab merges by overwrite, not append).
+# Keep in sync with engine/.gitlab-ci.yml if stages change there.
+stages:
+  - test
+  - build-binary
+  - build
+  - integration-test
+  - security
+
+cve-govulncheck:
+  <<: *security_rules
+  stage: security
+  image:
+    name: golang:1.26
+    pull_policy: if-not-present
+  before_script:
+    - go install golang.org/x/vuln/cmd/govulncheck@latest
+  script:
+    - mkdir -p cve-reports
+    - cd engine
+    - govulncheck -format json ./... > ../cve-reports/govulncheck.json || true
+    - govulncheck ./... > ../cve-reports/govulncheck.txt || true
+    - cd ..
+    - echo "=== govulncheck summary ==="
+    - tail -40 cve-reports/govulncheck.txt || true
+  artifacts:
+    when: always
+    name: "cve-go-$CI_COMMIT_SHORT_SHA"
+    paths:
+      - cve-reports/govulncheck.json
+      - cve-reports/govulncheck.txt
+    expire_in: 90 days
+  allow_failure: true
+
+cve-pnpm-audit:
+  <<: *security_rules
+  stage: security
+  image:
+    name: node:20-alpine
+    pull_policy: if-not-present
+  before_script:
+    - apk add --no-cache git jq
+    - npm install -g pnpm@9
+  script:
+    - mkdir -p cve-reports
+    - cd ui
+    - pnpm install --frozen-lockfile --ignore-scripts || pnpm install --ignore-scripts
+    - pnpm audit --json > ../cve-reports/pnpm-audit.json || true
+    - pnpm audit > ../cve-reports/pnpm-audit.txt || true
+    - cd ..
+    - echo "=== pnpm audit summary ==="
+    - jq '.metadata.vulnerabilities // .vulnerabilities // {}' cve-reports/pnpm-audit.json || true
+  artifacts:
+    when: always
+    name: "cve-ui-$CI_COMMIT_SHORT_SHA"
+    paths:
+      - cve-reports/pnpm-audit.json
+      - cve-reports/pnpm-audit.txt
+    expire_in: 90 days
+  allow_failure: true
+
+cve-trivy-image:
+  <<: *security_rules
+  stage: security
+  image:
+    name: aquasec/trivy:latest
+    entrypoint: [""]
+    pull_policy: if-not-present
+  variables:
+    # Latest build from the master branch. Override via schedule variable for ad-hoc scans.
+    CVE_SCAN_IMAGE: "registry.gitlab.com/postgres-ai/database-lab/dblab-server:master"
+    TRIVY_CACHE_DIR: ".trivycache"
+    TRIVY_NO_PROGRESS: "true"
+    # Authenticate to GitLab Container Registry via CI job token.
+    TRIVY_USERNAME: "$CI_REGISTRY_USER"
+    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
+  cache:
+    key: trivy-db
+    paths:
+      - .trivycache/
+  script:
+    - mkdir -p cve-reports
+    - trivy --version
+    - trivy image --download-db-only
+    - trivy image --severity CRITICAL,HIGH,MEDIUM --format json -o cve-reports/trivy.json "$CVE_SCAN_IMAGE" || true
+    - trivy image --severity CRITICAL,HIGH -o cve-reports/trivy.txt "$CVE_SCAN_IMAGE" || true
+    - echo "=== trivy severity counts ==="
+    - |
+      trivy image --severity CRITICAL,HIGH,MEDIUM,LOW --format json "$CVE_SCAN_IMAGE" 2>/dev/null \
+        | grep -oE '"Severity":"[A-Z]+"' | sort | uniq -c || true
+  artifacts:
+    when: always
+    name: "cve-image-$CI_COMMIT_SHORT_SHA"
+    paths:
+      - cve-reports/trivy.json
+      - cve-reports/trivy.txt
+    expire_in: 90 days
+  allow_failure: true
+
+cve-summary:
+  <<: *security_rules
+  stage: security
+  needs:
+    - job: cve-govulncheck
+      artifacts: true
+      optional: true
+    - job: cve-pnpm-audit
+      artifacts: true
+      optional: true
+    - job: cve-trivy-image
+      artifacts: true
+      optional: true
+  image:
+    name: alpine:3.20
+    pull_policy: if-not-present
+  before_script:
+    - apk add --no-cache jq bash
+  script:
+    - |
+      bash -c '
+      set -u
+      mkdir -p cve-reports
+      out=cve-reports/SUMMARY.md
+      {
+        echo "# CVE audit report"
+        echo
+        echo "- Date: $(date -u +%FT%TZ)"
+        echo "- Pipeline: $CI_PIPELINE_URL"
+        echo "- Commit: $CI_COMMIT_SHORT_SHA"
+        echo
+
+        echo "## Severity counts"
+        echo
+        echo "### Docker image (trivy)"
+        if [ -f cve-reports/trivy.json ]; then
+          jq -r "[.Results[]? | .Vulnerabilities[]? | .Severity] | group_by(.) | map(\"- \(.[0]): \(length)\") | .[]" cve-reports/trivy.json || echo "- (no data)"
+        else
+          echo "- (trivy did not run)"
+        fi
+        echo
+
+        echo "### Go (govulncheck)"
+        if [ -f cve-reports/govulncheck.json ]; then
+          called=$(jq -rs "[.[] | .finding? | select(. != null) | select((.trace // []) | any(.function != null)) | .osv] | unique | length" cve-reports/govulncheck.json 2>/dev/null || echo "?")
+          imported=$(jq -rs "[.[] | .finding? | select(. != null) | .osv] | unique | length" cve-reports/govulncheck.json 2>/dev/null || echo "?")
+          echo "- called (code path reachable): $called unique advisories"
+          echo "- imported (including unreachable): $imported unique advisories"
+        else
+          echo "- (govulncheck did not run)"
+        fi
+        echo
+
+        echo "### UI (pnpm audit)"
+        if [ -f cve-reports/pnpm-audit.json ]; then
+          jq -r "(.metadata.vulnerabilities // .vulnerabilities // {}) | to_entries[] | \"- \(.key): \(.value)\"" cve-reports/pnpm-audit.json 2>/dev/null || echo "- (parse failed; see pnpm-audit.txt)"
+        else
+          echo "- (pnpm audit did not run)"
+        fi
+        echo
+
+        echo "## Top fixable CRITICAL/HIGH in image"
+        echo
+        if [ -f cve-reports/trivy.json ]; then
+          jq -r "[.Results[]? | .Vulnerabilities[]? | select((.Severity==\"CRITICAL\" or .Severity==\"HIGH\") and (.Status==\"fixed\" or .FixedVersion != null and .FixedVersion != \"\"))] | unique_by(.VulnerabilityID + .PkgName) | map(\"- \(.Severity) \(.VulnerabilityID) — \(.PkgName) \(.InstalledVersion) → \(.FixedVersion)\") | .[]" cve-reports/trivy.json | head -40
+        fi
+        echo
+
+        echo "## Unfixed CRITICAL/HIGH in image"
+        echo
+        if [ -f cve-reports/trivy.json ]; then
+          jq -r "[.Results[]? | .Vulnerabilities[]? | select((.Severity==\"CRITICAL\" or .Severity==\"HIGH\") and ((.FixedVersion // \"\") == \"\"))] | unique_by(.VulnerabilityID + .PkgName) | map(\"- \(.Severity) \(.VulnerabilityID) — \(.PkgName) \(.InstalledVersion) (no upstream fix)\") | .[]" cve-reports/trivy.json | head -40
+        fi
+        echo
+
+        echo "## Artifacts"
+        echo
+        echo "- cve-reports/govulncheck.{json,txt}"
+        echo "- cve-reports/pnpm-audit.{json,txt}"
+        echo "- cve-reports/trivy.{json,txt}"
+      } > "$out"
+      cat "$out"
+      '
+  artifacts:
+    when: always
+    name: "cve-summary-$CI_COMMIT_SHORT_SHA"
+    paths:
+      - cve-reports/
+    expire_in: 365 days

.gitlab-ci.yml

@@ -11,10 +11,21 @@ workflow:
 
 include:
   - template: Security/SAST.gitlab-ci.yml
+    rules:
+      - if: $SECURITY_AUDIT != "1"
   - local: 'engine/.gitlab-ci.yml'
+    rules:
+      - if: $SECURITY_AUDIT != "1"
   - local: 'ui/.gitlab-ci.yml'
+    rules:
+      - if: $SECURITY_AUDIT != "1"
+  - local: '.gitlab-ci-security.yml'
+    rules:
+      - if: $SECURITY_AUDIT == "1"
   - project: 'postgres-ai/infra'
     file: '/ci/templates/approval-check.yml'
+    rules:
+      - if: $SECURITY_AUDIT != "1"
 
 empty-job:
   stage: test

ui/.gitlab-ci.yml

@@ -7,7 +7,11 @@ include:
     - if: $CI_COMMIT_TAG =~ /^ui\/[0-9.]+$/
     - if: $CI_COMMIT_TAG =~ /^v[a-zA-Z0-9_.-]*/
     - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+      changes:
+        - ui/**/*
     - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+      changes:
+        - ui/**/*
 
 .ui_cache: &ui_cache
   image:

ui/packages/ce/.gitlab-ci.yml

@@ -2,10 +2,14 @@
 .only_ui_feature: &only_ui_feature
   rules:
     - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+      changes:
+        - ui/**/*
 
 .only_ui_master: &only_ui_master
   rules:
     - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+      changes:
+        - ui/**/*
 
 .only_ui_tag_release: &only_ui_tag_release
   rules:

ui/packages/shared/.gitlab-ci.yml

@@ -1,6 +1,8 @@
 .only_ui_feature: &only_ui_feature
   rules:
     - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+      changes:
+        - ui/**/*
 
 .only_ui_tag_release: &only_ui_tag_release
   rules: