Description
Currently, the deploy.yml GitHub Actions workflow builds the backend Docker image and pushes it directly to AWS ECR. However, it does not perform any vulnerability scanning on the built image before pushing. This is a security risk as the container could have vulnerable dependencies or OS packages.
Proposed Solution
Add the aquasecurity/trivy-action step to deploy.yml right after the Docker build step and before pushing to ECR. This will scan the local image for CRITICAL and HIGH CVEs, ensuring that only secure images are deployed to the EC2 instance.
Expected Behavior
- Trivy scans the newly built image in the CI pipeline.
- It surfaces severe vulnerabilities in the GitHub Actions logs.
- This strengthens the platform's security posture and aligns with DevSecOps best practices.
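For reference, an added sketch of what the build / scan / push ordering could look like (example only, not the project's actual deploy.yml; the Dockerfile path, secret names, action versions and the backend repository name are assumptions and should be matched to the repo). Note that Trivy only blocks the push if exit-code is set to a non-zero value; with the default exit-code of 0 it merely surfaces findings in the log.

```yaml
# Added example, not the project's own workflow. Placeholder names throughout.
name: deploy
on:
  push:
    branches: [main]
jobs:
  build-scan-push:
    runs-on: ubuntu-latest
    permissions:
      id-token: write      # OIDC role assumption instead of long-lived keys
      contents: read
    env:
      IMAGE: backend:${{ github.sha }}   # local tag used for the scan
    steps:
      - uses: actions/checkout@v4

      - name: Build image locally (not pushed yet)
        uses: docker/build-push-action@v6
        with:
          context: ./backend     # assumed path to the backend Dockerfile
          load: true             # keep the image in the local Docker daemon
          push: false
          tags: ${{ env.IMAGE }}

      - name: Scan image with Trivy
        uses: aquasecurity/trivy-action@0.28.0   # pin to the version the repo adopts
        with:
          image-ref: ${{ env.IMAGE }}
          vuln-type: os,library    # OS packages and application dependencies
          severity: CRITICAL,HIGH
          ignore-unfixed: true     # skip findings that have no fixed version yet
          exit-code: '1'           # fail the job, so the push steps below never run

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}   # assumed secret name
          aws-region: ${{ secrets.AWS_REGION }}         # assumed secret name

      - name: Login to Amazon ECR
        id: ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Tag and push to ECR (only reached if the scan passed)
        run: |
          docker tag "$IMAGE" "${{ steps.ecr.outputs.registry }}/backend:${{ github.sha }}"
          docker push "${{ steps.ecr.outputs.registry }}/backend:${{ github.sha }}"
```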
Additional Context
I would love to work on this issue under GSSoC. Please assign this to me!
Type: Security / DevOps