
fix: resolve 5 HIGH Trivy misconfiguration findings#840

Merged
marcusburghardt merged 2 commits into complytime:main from marcusburghardt:fix/trivy-high-misconfigurations
Apr 27, 2026

Conversation

@marcusburghardt
Contributor

Summary

Fixes all 5 HIGH-severity Trivy misconfiguration findings that block the
OSV-Scanner / Trivy Source Scan CI job.

Changes

.devcontainer/Dockerfile (DS-0015 + DS-0017)

  • Added explicit dnf clean all && yum clean all to the package install
    RUN instruction. The previous rm -rf /var/cache was functionally
    equivalent but Trivy requires the canonical clean commands.

Dockerfile (DS-0002)

  • Added USER 1001 to the final stage so the production container no
    longer runs as root. UBI minimal supports arbitrary UIDs without
    requiring useradd.

tests/e2e/play-kube.yml (KSV-0118 + KSV-0014)

  • Added pod-level securityContext with runAsNonRoot: true and
    runAsUser: 1001 (consistent with the e2e test Dockerfile's USER 1001).
  • Added readOnlyRootFilesystem: true to the container securityContext.
  • Mounted an emptyDir volume at /home/wiremock so WireMock can still
    write to its working directory.

Findings addressed

ID        Severity  File                      Description
DS-0015   HIGH      .devcontainer/Dockerfile  yum clean all missing
DS-0017   HIGH      .devcontainer/Dockerfile  RUN <pkg-mgr> update without clean
DS-0002   HIGH      Dockerfile                Image user should not be root
KSV-0118  HIGH      tests/e2e/play-kube.yml   Default security context configured
KSV-0014  HIGH      tests/e2e/play-kube.yml   Root file system is not read-only
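
The KSV-0118 / KSV-0014 fix described above, written out as an added example Pod manifest in the shape `podman play kube` consumes; this is not the project's play-kube.yml. The pod name, container name, image reference and port are placeholders, and the comments name the Trivy check each setting satisfies.

```yaml
# Added example, not the project's tests/e2e/play-kube.yml.
# Pod name, container name, image and port below are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: e2e-wiremock                      # placeholder
spec:
  # KSV-0118: declare a pod-level securityContext instead of relying on
  # the runtime default. With runAsUser fixed to 1001, UID 0 can never
  # satisfy runAsNonRoot, so the container cannot start as root.
  securityContext:
    runAsNonRoot: true
    runAsUser: 1001                       # matches USER 1001 in the e2e Dockerfile
  containers:
    - name: wiremock
      image: PLACEHOLDER_WIREMOCK_IMAGE   # placeholder, not a value from the PR
      ports:
        - containerPort: 8080             # placeholder
      securityContext:
        # KSV-0014: the image's own filesystem is mounted read-only, so any
        # write outside a declared volume fails instead of silently
        # persisting into the container layer.
        readOnlyRootFilesystem: true
      # WireMock writes into its working directory; with a read-only root
      # that path must be backed by a writable volume or startup fails.
      volumeMounts:
        - name: wiremock-home
          mountPath: /home/wiremock
  volumes:
    - name: wiremock-home
      emptyDir: {}                        # scratch space, discarded with the pod
```

If the container later fails with a read-only filesystem error on some other path, that path is a second writable location to mount as an emptyDir, not a reason to drop readOnlyRootFilesystem.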

@marcusburghardt
Contributor Author

Failing CI tests are not in scope of this PR. They will be addressed in separate PRs in order to keep the scope simple.

@marcusburghardt marcusburghardt force-pushed the fix/trivy-high-misconfigurations branch from 2f0568a to e74bf60 on April 24, 2026 08:20
- .devcontainer/Dockerfile: add explicit dnf/yum clean all (DS-0015, DS-0017)
- Dockerfile: add USER 1001 to final stage to avoid running as root (DS-0002)
- tests/e2e/play-kube.yml: add pod-level securityContext with runAsNonRoot
  and readOnlyRootFilesystem with emptyDir for WireMock (KSV-0118, KSV-0014)

Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>

Trivy DS-0017 requires that the package manager used for "update" matches
the one used for "install" within the same RUN instruction. The previous
Dockerfile mixed dnf (update) with yum (reinstall, install), causing
Trivy to flag "dnf update" as running alone. Since yum is a symlink to
dnf on Fedora, switch all commands to dnf.

Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
@marcusburghardt marcusburghardt force-pushed the fix/trivy-high-misconfigurations branch from e74bf60 to 1789fa9 on April 24, 2026 08:35
Contributor

@sonupreetam sonupreetam left a comment


LGTM

@marcusburghardt marcusburghardt merged commit cd7142e into complytime:main Apr 27, 2026
15 of 17 checks passed