
ci: add Dockerfile.openclaw to container-scan Trivy workflow #3478

Merged
Skords-01 merged 10 commits into main from claude/ci-trivy-dockerfile-openclaw on Jun 9, 2026

Conversation

@Skords-01 Skords-01 commented Jun 9, 2026

Owner

Summary

  • Adds a parallel Trivy scan job (trivy-image-openclaw) for Dockerfile.openclaw (the openclaw console bot) to .github/workflows/container-scan.yml, closing the coverage gap tracked since PR-30 shipped the distroless refactor.
  • Updates docs/03-operations/ops/docker-image-policy.md to remove the "follow-up PR" note and document actual coverage.

Governing Skill

sergeant-deploy (CI workflow change)

Playbook

No exact playbook match — this is a CI workflow extension with no product-surface impact.

Verification

  • YAML validated: python3 -c "import yaml; yaml.safe_load(open('.github/workflows/container-scan.yml'))" → passes.
  • The new job trivy-image-openclaw is structurally identical to trivy-image:
    • Same SHA-pinned action versions.
    • Same platforms: linux/amd64 guard + arch-check step.
    • Same severity gate: CRITICAL,HIGH, ignore-unfixed: true, shared .trivyignore.
    • Distinct tag (sergeant-openclaw-ci:latest), SARIF file (trivy-openclaw.sarif), artifact name (trivy-openclaw-sarif), and Code Scanning category (trivy-image-openclaw) to avoid collisions with the api scan.
    • Distinct GHA cache scope (container-scan-openclaw) to avoid cache poisoning between the two builds.
  • PR trigger paths extended with Dockerfile.openclaw and tools/openclaw/**.

Docs and Governance

  • docs/03-operations/ops/docker-image-policy.md § Trivy gate + TL;DR updated; "follow-up PR" placeholder removed.

Risk and Rollout

Low risk. The existing trivy-image job is untouched. The new job runs in parallel — a failure blocks merge for the openclaw image but does not affect the api scan outcome. On first run the GHA cache for container-scan-openclaw is cold (slower build); subsequent runs use the layer cache.

Hard Rule #15 acknowledgement

Docs updated alongside code; internal doc updated in Ukrainian.

Closes the follow-up noted in docs/03-operations/ops/docker-image-policy.md § Trivy gate.

https://claude.ai/code/session_01LBMY124XpqUHQ9ed8yCRzA

Generated by Claude Code

Summary by cubic

Adds a parallel Trivy scan for Dockerfile.openclaw, so both images are gated on HIGH/CRITICAL CVEs. Also fixes a flaky timezone test in @sergeant/shared.

  • New Features

    • Added trivy-image-openclaw mirroring trivy-image with linux/amd64 guard, CRITICAL,HIGH gate (ignore-unfixed: true), shared .trivyignore.
    • Separate outputs to avoid collisions: image sergeant-openclaw-ci:latest, SARIF trivy-openclaw.sarif (artifact trivy-openclaw-sarif), Code Scanning category trivy-image-openclaw, cache scope container-scan-openclaw.
    • PR triggers now watch Dockerfile.openclaw and tools/openclaw/**.
  • Bug Fixes

    • Upgraded Dockerfile.openclaw to node:22.16.0-alpine (builder/deps) and gcr.io/distroless/nodejs22-debian13:nonroot (runtime) to clear HIGH/CRITICAL CVEs and align with Dockerfile.api.
    • Stabilized toLocalISODate property tests in @sergeant/shared by avoiding Kyiv UTC 21–23 boundary (constrain hours to 0–20; check at 06:00/20:00).

Written for commit d50d113. Summary will update on new commits.


Closes the coverage gap noted in docs/03-operations/ops/docker-image-policy.md
(§ Trivy gate — "follow-up PR will extend container-scan.yml") and tracked
since PR-30 shipped the distroless refactor.

Changes:
- .github/workflows/container-scan.yml: add parallel job
  `trivy-image-openclaw` scanning `Dockerfile.openclaw` (the openclaw
  console bot image). Follows the exact same pattern as `trivy-image`:
  SHA-pinned actions, linux/amd64 platform guard, SARIF upload under
  category `trivy-image-openclaw`, artifact `trivy-openclaw-sarif`,
  same severity gate (CRITICAL/HIGH, ignore-unfixed, shared .trivyignore).
  PR path trigger extended with `Dockerfile.openclaw` and
  `tools/openclaw/**`.
- docs/03-operations/ops/docker-image-policy.md: replace the "Trivy scan not
  yet enabled" follow-up note with the actual coverage description; update
  the TL;DR CVE budget bullet.

https://claude.ai/code/session_01LBMY124XpqUHQ9ed8yCRzA
@vercel

vercel Bot commented Jun 9, 2026

Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| sergeant | Ready | Preview, Comment | Jun 9, 2026 4:13pm |

@coderabbitai

coderabbitai Bot commented Jun 9, 2026


Warning

Review limit reached

@Skords-01, we couldn't start this review because you've reached your PR review rate limit.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 5771f251-4a9a-4d61-a39f-269444403a07

📥 Commits

Reviewing files that changed from the base of the PR and between 6e79498 and d50d113.

📒 Files selected for processing (4)
  • .github/workflows/container-scan.yml
  • docs/02-engineering/architecture/diagrams/c3-workspaces.md
  • docs/03-operations/ops/docker-image-policy.md
  • packages/shared/src/utils/date.property.test.ts

@github-actions github-actions Bot added the size/M label Jun 9, 2026
@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

claude added 2 commits June 9, 2026 00:59
…fix initiative README sync

- Dockerfile.openclaw: node:20.20.2-alpine → node:22.16.0-alpine (builder + deps
  stages) and gcr.io/distroless/nodejs20-debian12:nonroot → nodejs22-debian13:nonroot
  (runtime). Aligns with Dockerfile.api (migrated 2026-06-05) and eliminates the
  CRITICAL/HIGH CVEs in the debian12 base that caused Trivy scan to fail.
- docs/90-work/initiatives/README.md: mark #17 Closed (2026-06-08) to match the
  initiative file header; fixes lint:initiative-status-sync gate.
@github-actions

github-actions Bot commented Jun 9, 2026

Contributor

⏱️ CI Pipeline Duration Report

Based on the last 50 successful runs on the default branch.

Overall Pipeline

| Metric | Value |
|---|---|
| p50 | 6m 26s |
| p95 | 7m 55s |
| p99 | 9m 3s |
| Current run | 55m 59s |
| vs p95 | +607.2% |

Trend (last 20 runs): ▃▃▁▂▃▃▃▂▃▃▂▂▄▃▃▆▅▄█▆

Per-Job Breakdown

| Job | p50 | p95 | p99 | Current | vs p95 |
|---|---|---|---|---|---|
| Accessibility (axe-core) | 2m 5s | 2m 21s | 2m 23s | 0s | -100.0% |
| Commit messages (commitlint) | 0s | 0s | 0s | 33s | N/A |
| Critical-flow E2E (Playwright) | 1m 36s | 1m 44s | 1m 44s | 2m 39s | +52.9% |
| Migration lint (AGENTS rule | 0s | 0s | 0s | 7s | N/A |
| Pipeline duration (p95 trend) | 26s | 27s | 27s | | |
| Secret scan (gitleaks) | 8s | 11s | 11s | 1m 48s | +881.8% |
| Smoke E2E (Playwright) | 1m 26s | 1m 40s | 1m 40s | | |
| Test coverage (vitest) | 2m 4s | 2m 33s | 2m 33s | 12m 24s | +386.3% |
| Workflow lint (actionlint) | 7s | 7s | 7s | 13s | +85.7% |
| check | 4m 12s | 4m 54s | 5m 6s | 32s | -89.1% |
| tsconfig strict guard (PR-1.A) | 5s | 14s | 14s | 10s | -28.6% |

⚠️ Warning: Current run (55m 59s) exceeds p95 + 20% threshold (9m 30s). Consider reviewing slow jobs.

claude added 3 commits June 9, 2026 01:52
…-boundary mismatch

toLocalISODate uses Europe/Kyiv timezone. UTC hours 21–23 cross into the next
Kyiv calendar day (UTC+2/+3 offset), causing property-test assertions that
compare UTC date fields to Kyiv-formatted output to fail. Scoping generated
hours to 0–20 and using fixed hours 6/20 in the time-of-day invariant test
avoids the DST boundary without weakening coverage.

Pre-existing bug in main (merged via PR #3402); backported fix from PR #3479.

https://claude.ai/code/session_01LBMY124XpqUHQ9ed8yCRzA
@Skords-01 Skords-01 merged commit ad5599f into main Jun 9, 2026
42 of 60 checks passed
@Skords-01 Skords-01 deleted the claude/ci-trivy-dockerfile-openclaw branch June 9, 2026 16:08