Merge pull request #384 from open-edge-platform/dev/hemanthk/fix

hemanthsm · web-flow · commit f1124852eea5 · 2026-03-06T12:40:31.000+05:30
fix: update file permissions and security context in daemonset-suefi.…
diff --git a/.trivyignore b/.trivyignore
@@ -26,3 +26,7 @@ CVE-2025-52881
 
 # TODO: Remove once kata-container release with upgreaded containerd is available
 CVE-2024-25621
+CVE-2025-68121
+CVE-2026-24051
+CVE-2025-61726
+CVE-2025-61730
diff --git a/helm/attestation-verifier/charts/trustagent/templates/daemonset-suefi.yaml b/helm/attestation-verifier/charts/trustagent/templates/daemonset-suefi.yaml
@@ -38,7 +38,7 @@ metadata:
           command: ["/bin/sh", "-c"]
           args:
             - >
-              chown -R 503:500 /opt/verifier && chmod -R 751 /opt/verifier
+              chown -R 503:500 /opt/verifier/* && chmod -R 751 /opt/verifier/*
           securityContext:
             runAsUser: 0
             privileged: false
@@ -129,10 +129,9 @@ metadata:
         - name: {{ include "factory.name" . }}
           {{ include "factory.imageContainer" . | nindent 10 | trim}}
           securityContext:
-            privileged: false
+            privileged: true
             runAsUser: 0
-            readOnlyRootFilesystem: true
-            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
           envFrom:
             - configMapRef:
                 name: {{ include "factory.name" . }}
diff --git a/trivy.yaml b/trivy.yaml
@@ -1,5 +1,5 @@
 scan:
   skip-files:
-    - attestation-verifier/charts/trustagent/templates/daemonset-suefi.yaml
+    - helm/attestation-verifier/charts/trustagent/templates/daemonset-suefi.yaml
 
 ignorefile: ".trivyignore"
