feat(ci-cd): add trivy scan (#2293)

vaibhavbhalla2505 · Vaibhav  Bhalla · Sunny  Tyagi · web-flow · commit 5edc0f08ba4c · 2025-07-14T11:51:56.000+05:30
* feat(ci-cd): add trivy scan GH-2292 * checking deps * update test case * update readme file --------- Co-authored-by: Vaibhav Bhalla <vaibhav.bhalla@SFSupports-MacBook-Air.local> Co-authored-by: Sunny Tyagi <sunny.tyagi@Sunny-SFIN1189.local> Co-authored-by: a-ganguly <abir.ganguly@sourcefuse.com>
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -0,0 +1,29 @@
+# This is a basic workflow to help you get started with Actions
+
+name: Trivy Scan
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the master branch
+on:
+  pull_request:
+    branches: [master]
+    types: [opened, synchronize, reopened]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "trivy"
+  trivy:
+    # The type of runner that the job will run on
+    runs-on: [self-hosted, linux, codebuild]
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          scan-type: "fs"
+          scan-ref: "${{ github.workspace }}"
+          trivy-config: "${{ github.workspace }}/trivy.yaml"
diff --git a/README.md b/README.md
@@ -10,9 +10,6 @@
 <a href="https://sonarcloud.io/summary/new_code?id=sourcefuse_loopback4-microservice-catalog" target="_blank">
 <img alt="Sonar Quality Gate" src="https://img.shields.io/sonar/quality_gate/sourcefuse_loopback4-microservice-catalog?server=https%3A%2F%2Fsonarcloud.io&style=for-the-badge">
 </a>
-<a href="https://app.snyk.io/org/ashishkaushik/reporting?context[page]=issues-detail&project_target=%255B%2522sourcefuse%252Floopback4-microservice-catalog%2522%255D&project_origin=%255B%2522github%2522%255D&issue_status=%255B%2522Open%2522%255D&issue_by=Severity&table_issues_detail_cols=SCORE%257CCVE%257CCWE%257CPROJECT%257CEXPLOIT%2520MATURITY%257CAUTO%2520FIXABLE%257CINTRODUCED%257CSNYK%2520PRODUCT&v=1">
-<img alt="Synk Status" src="https://img.shields.io/badge/SYNK_SECURITY-MONITORED-GREEN?style=for-the-badge">
-</a>
 <a href="./LICENSE">
 <img src="https://img.shields.io/github/license/sourcefuse/loopback4-microservice-catalog?style=for-the-badge" alt="License" />
 </a>
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -41,6 +41,11 @@
     },
     "oidc-provider": {
       "@koa/cors": "^5.0.0"
+    },
+    "loopback4-notifications": {
+        "twilio": {
+            "axios": "^1.8.2"
+        }
     }
   },
   "dependencies": {
diff --git a/sandbox/chat-notification-pubnub-example/services/notifications-service/package-lock.json b/sandbox/chat-notification-pubnub-example/services/notifications-service/package-lock.json
diff --git a/sandbox/chat-notification-pubnub-example/services/notifications-service/package.json b/sandbox/chat-notification-pubnub-example/services/notifications-service/package.json
@@ -69,7 +69,7 @@
     "loopback-connector-kv-redis": "^4.0.0",
     "loopback-connector-postgresql": "^7.1.1",
     "loopback4-authorization": "^7.0.2",
-    "loopback4-notifications": "^8.0.3",
+    "loopback4-notifications": "^9.0.1",
     "nodemailer": "^6.7.5",
     "prom-client": "^14.0.1",
     "pubnub": "^7.2.3",
@@ -92,6 +92,15 @@
     },
     "node-apn": {
       "node-forge": "^1.3.1"
+    },
+    "axios": "^1.8.2",
+    "twilio": {
+      "axios": "^1.8.2"
+    },
+    "loopback4-notifications": {
+      "twilio": {
+        "axios": "^1.8.2"
+      }
     }
   }
 }
diff --git a/sandbox/chat-notification-socketio-example/services/notifications-service/package-lock.json b/sandbox/chat-notification-socketio-example/services/notifications-service/package-lock.json
diff --git a/sandbox/chat-notification-socketio-example/services/notifications-service/package.json b/sandbox/chat-notification-socketio-example/services/notifications-service/package.json
@@ -68,7 +68,7 @@
     "loopback-connector-kv-redis": "^4.0.0",
     "loopback-connector-postgresql": "^7.1.1",
     "loopback4-authorization": "^7.0.2",
-    "loopback4-notifications": "^8.0.3",
+    "loopback4-notifications": "^9.0.1",
     "nodemailer": "^6.7.5",
     "prom-client": "^14.0.1",
     "socket.io-client": "^4.5.1",
@@ -89,6 +89,15 @@
     },
     "node-apn": {
       "node-forge": "^1.3.1"
+    },
+    "axios": "^1.8.2",
+    "twilio": {
+      "axios": "^1.8.2"
+    },
+    "loopback4-notifications": {
+      "twilio": {
+        "axios": "^1.8.2"
+      }
     }
   }
 }
diff --git a/sandbox/telemed-app/backend/notification-service/package.json b/sandbox/telemed-app/backend/notification-service/package.json
@@ -81,7 +81,7 @@
     "loopback-connector-postgresql": "^7.1.1",
     "loopback4-authentication": "^12.1.0",
     "loopback4-authorization": "^7.0.2",
-    "loopback4-notifications": "^8.0.2",
+    "loopback4-notifications": "^9.0.1",
     "pubnub": "^7.2.3",
     "swagger-stats": "^0.99.5",
     "symlink-resolver": "0.2.1",
diff --git a/services/authentication-service/src/modules/auth/controllers/logout.controller.ts b/services/authentication-service/src/modules/auth/controllers/logout.controller.ts
@@ -168,7 +168,7 @@ export class LogoutController {
       params.append('refresh_token', refreshTokenModel.externalRefreshToken);
       const strToEncode = `${process.env.KEYCLOAK_CLIENT_ID}:${process.env.KEYCLOAK_CLIENT_SECRET}`;
       fetch(logoutUrl, {
-        agent: getProxyAgent(),
+        agent: getProxyAgent() as unknown as import('http').Agent,
         method: 'post',
         body: params,
         headers: {
@@ -258,7 +258,7 @@ export class LogoutController {
       const logoutUrl = `https://oauth2.googleapis.com/revoke?token=${refreshTokenModel.externalAuthToken}`;
       params.append('refresh_token', refreshTokenModel.externalRefreshToken);
       fetch(logoutUrl, {
-        agent: getProxyAgent(),
+        agent: getProxyAgent() as unknown as import('http').Agent,
         method: 'post',
         body: params,
         headers: {
diff --git a/services/notification-service/package.json b/services/notification-service/package.json
@@ -143,6 +143,15 @@
             "finalhandler": "^1.2.0",
             "send": "^0.18.0",
             "serve-static": "^1.15.0"
+        },
+        "axios": "^1.8.2",
+        "twilio": {
+        "axios": "^1.8.2"
+        },
+        "loopback4-notifications": {
+            "twilio": {
+                "axios": "^1.8.2"
+            }
         }
     },
     "publishConfig": {
diff --git a/services/survey-service/src/services/survey-response.service.ts b/services/survey-service/src/services/survey-response.service.ts
@@ -154,8 +154,7 @@ export class SurveyResponseService {
       questions,
       createdSurveyResponse.id,
     );
-    // eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing
-    if (createdSurveyResponse.extId || createdSurveyResponse.extMetadata) {
+    if (createdSurveyResponse.extId ?? createdSurveyResponse.extMetadata) {
       surveyResponseDetails.forEach(quesResp => {
         quesResp.extId = createdSurveyResponse.extId;
         quesResp.extMetadata = createdSurveyResponse.extMetadata;
diff --git a/trivy.yaml b/trivy.yaml
@@ -0,0 +1,16 @@
+format: table
+exit-code: 1
+severity:
+  - HIGH
+  - CRITICAL
+skip-files:
+  - db.env
+security-checks:
+  - vuln
+  - secret
+  - license
+vulnerability:
+  type:
+    - os
+    - library
+  ignore-unfixed: true
