From 2dc30c9c522b2279e418f76e3f3e5c6dbccc3e3e Mon Sep 17 00:00:00 2001 From: David Lopes Date: Fri, 5 Dec 2025 12:50:12 +0000 Subject: [PATCH] feat(ci): reconcile repository CI configurations --- .github/labeler-config.yaml | 20 +++---- .github/workflows/pr-semantic.yaml | 6 +-- .github/workflows/pr-trivy.yaml | 17 ++++++ .github/workflows/release.yaml | 2 +- .trivyignore | 86 ++++++++++++++++++++++++++++++ trivy.yaml | 27 ++++++++++ 6 files changed, 144 insertions(+), 14 deletions(-) create mode 100644 .github/workflows/pr-trivy.yaml create mode 100644 .trivyignore create mode 100644 trivy.yaml diff --git a/.github/labeler-config.yaml b/.github/labeler-config.yaml index ce449b1..1236d3a 100644 --- a/.github/labeler-config.yaml +++ b/.github/labeler-config.yaml @@ -1,19 +1,19 @@ version: 1 labels: - label: "major" - title: "^!(fix|feat|chore)(\\(\\w+\\))?:\\s.+$" - - label: "breaking-change" - title: "^!(fix|feat|chore)(\\(\\w+\\))?:\\s.+$" + body: "^BREAKING CHANGE:.*$" - label: "minor" - title: "^feat(\\(\\w+\\))?:\\s.+$" - - label: "feature" - title: "^feat(\\(\\w+\\))?:\\s.+$" + title: "^feat(\\(\\w+\\)):\\s.+$" - label: "patch" - title: "^fix(\\(\\w+\\))?:\\s.+$" + title: "^(fix|chore|refactor|style|perf|test|docs|revert)(\\(\\w+\\)):\\s.+$" - label: "fix" - title: "^fix(\\(\\w+\\))?:\\s.+$" - - label: "patch" - title: "^chore(\\(\\w+\\))?:\\s.+$" + title: "^fix(\\(\\w+\\)):\\s.+$" + - label: "feature" + title: "^feat(\\(\\w+\\)):\\s.+$" + - label: "chore" + title: "^(chore|refactor|style|perf|test|docs|revert)(\\(\\w+\\)):\\s.+$" + - label: "breaking-change" + body: "^BREAKING CHANGE:.*$" - label: "ready-to-merge" mergeable: true - label: "draft" diff --git a/.github/workflows/pr-semantic.yaml b/.github/workflows/pr-semantic.yaml index d7496c2..15881f3 100644 --- a/.github/workflows/pr-semantic.yaml +++ b/.github/workflows/pr-semantic.yaml 
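Review bot: The new `title:` patterns drop the `?` after the scope group, so `(\\(\\w+\\))` is now mandatory and a PR titled `feat: add x` (no scope) matches neither `minor` nor `feature`; the same applies to the `patch`, `fix` and `chore` entries, whereas the removed patterns accepted both forms. The title form of a breaking change (`feat(api)!: ...`) also matches no entry after this change, because the `!` sits between the scope and the `:`, so a breaking PR only gets `major`/`breaking-change` if its body carries the `BREAKING CHANGE:` footer (the removed `^!(fix|feat|chore)` pattern expected the bang at the start and did not match this form either). If optional scope and the bang convention are wanted, `title: "^feat(\\(\\w+\\))?!?:\\s.+$"` covers both for the `feature`/`minor` entries, with the same shape for the others. Whether `body:` is matched per line or against the whole PR body is not visible here; if it is whole-body without a multiline flag, `^BREAKING CHANGE:` only matches a footer on the first line, which is worth confirming against the labeler's documentation.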
@@ -1,4 +1,4 @@
-name: PR
+name: CI - Conventions
 on:
 pull_request:
 types: [opened, reopened, edited, labeled, unlabeled, synchronize]
@@ -14,10 +14,10 @@ permissions:
 jobs:
 pr_labels:
- name: Add labels
+ name: Labels
 runs-on: ubuntu-latest
 steps:
- - uses: srvaroa/labeler@b4493338d7929ddc4ffc95fadf6f28c73bae2e90
+ - uses: srvaroa/labeler@v1.13.0
 with:
 config_path: .github/labeler-config.yaml
 env:
diff --git a/.github/workflows/pr-trivy.yaml b/.github/workflows/pr-trivy.yaml
new file mode 100644
index 0000000..7fae4f1
--- /dev/null
+++ b/.github/workflows/pr-trivy.yaml
@@ -0,0 +1,17 @@
+name: CI - Trivy
+on:
+ pull_request:
+
+concurrency:
+ group: pr-trivy-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ security:
+ name: Security
+ uses: dnlopes/Reusable.Workflows/.github/workflows/trivy-scan.yaml@v1
+ permissions:
+ contents: read
+ pull-requests: write # needed for PR comments
+ statuses: write # needed for setting the status of the PR
+
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index b1ae71a..18f6518 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,4 +1,4 @@
-name: Release
+name: CI - Release
 on:
 push:
 branches:
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..30129df
--- /dev/null
+++ b/.trivyignore
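Review bot: The `- uses: srvaroa/labeler@v1.13.0` line replaces a full commit SHA with a mutable tag, which weakens the supply-chain pin of this step: a tag can later be pointed at different code, whereas the SHA cannot, and the action runs with whatever `GITHUB_TOKEN` permissions the job grants. The conventional form keeps readability without losing immutability: `- uses: srvaroa/labeler@<full-sha-of-v1.13.0> # v1.13.0` (placeholder; take the SHA from the release tag). The `pr_labels` job continues outside the hunk, and the hunk header counts ten old lines while nine are visible here, so one whitespace-only context line was probably lost when the patch was flattened.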
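Review bot: `uses: dnlopes/Reusable.Workflows/.github/workflows/trivy-scan.yaml@v1` pulls a reusable workflow from another repository by a floating major tag while granting it `pull-requests: write` and `statuses: write`; whatever `v1` is moved to later runs with those permissions on every pull request of this repo. Pin the reusable workflow to a full commit SHA (`@<full-sha> # v1`, placeholder) or at least an exact release tag, consistent with the SHA pinning this repository used for actions before this commit. `on: pull_request:` with no `types`/`branches` filter runs the scan for every PR to every branch, which may be intended but is worth a one-line comment so nobody narrows it by accident.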
@@ -0,0 +1,86 @@
+# Trivy Ignore File
+# Copy this file to your repository root as '.trivyignore'
+# Documentation: https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#by-vulnerability-ids
+#
+# Format:
+# - One entry per line
+# - Lines starting with # are comments
+# - Supports CVE IDs, vulnerability IDs, and package specifiers
+#
+# IMPORTANT: Document WHY each vulnerability is ignored!
+# Review this file regularly and remove entries when fixes are available.
+
+# =============================================================================
+# EXAMPLE: Ignore specific CVEs
+# =============================================================================
+
+# CVE-2023-XXXXX: False positive - not exploitable in our context
+# Affected: example-package v1.2.3
+# Reason: We don't use the vulnerable code path
+# Review date: 2024-01-15
+# CVE-2023-XXXXX
+
+# CVE-2024-YYYYY: No fix available, mitigated by network policy
+# Affected: another-package v4.5.6
+# Reason: Service is not exposed externally, mitigated at network layer
+# Review date: 2024-02-01
+# CVE-2024-YYYYY
+
+# =============================================================================
+# EXAMPLE: Ignore by package (use with caution!)
+# =============================================================================
+
+# Ignore all vulnerabilities in a specific Go package
+# Only use when the package is vendored and patched internally
+# pkg:golang/github.com/example/internal-fork
+
+# =============================================================================
+# EXAMPLE: Ignore vulnerabilities until a specific date
+# =============================================================================
+
+# Format: CVE-ID exp:YYYY-MM-DD
+# The vulnerability will be ignored until the expiration date
+# After expiration, Trivy will report it again
+
+# CVE-2024-ZZZZZ: Temporary ignore while waiting for upstream fix
+# Expected fix in next release (ETA: March 2024)
+# CVE-2024-ZZZZZ exp:2024-03-31
+
+# =============================================================================
+# EXAMPLE: Ignore misconfigurations by ID
+# =============================================================================
+
+# AVD-AWS-0086: S3 bucket logging - handled by centralized logging solution
+# AVD-AWS-0086
+
+# AVD-KSV-0001: Process can elevate privileges - required for init container
+# AVD-KSV-0001
+
+# =============================================================================
+# EXAMPLE: Ignore secrets (use with extreme caution!)
+# =============================================================================
+
+# Only ignore secrets that are:
+# - Test/example values in documentation
+# - Already rotated/invalidated
+# - False positives (e.g., UUIDs detected as secrets)
+
+# generic-api-key: False positive - this is a placeholder in example config
+# examples/config.example.yaml
+
+# =============================================================================
+# COMMON FALSE POSITIVES
+# =============================================================================
+
+# Test fixtures and example files often trigger false positives
+# Consider using skip-dirs in trivy.yaml instead of ignoring here
+
+# =============================================================================
+# YOUR PROJECT-SPECIFIC IGNORES BELOW
+# =============================================================================
+# Remember to:
+# 1. Document the reason for each ignore
+# 2. Set a review/expiration date
+# 3. Remove entries when fixes become available
+# 4. Review this file in security audits
+
diff --git a/trivy.yaml b/trivy.yaml
new file mode 100644
index 0000000..86cfde1
--- /dev/null
+++ b/trivy.yaml
@@ -0,0 +1,27 @@
+format: table
+exit-code: 1
+timeout: 10m
+severity: [CRITICAL, HIGH, MEDIUM]
+scanners: [vuln, secret, misconfig]
+
+scan:
+ skip-dirs:
+ - node_modules
+ - vendor
+ - .git
+ - .terraform
+ - __pycache__
+ - .venv
+ - venv
+ - dist
+ - build
+ - .cache
+
+vulnerability:
+ type: [library]
+ ignore-unfixed: true
+
+misconfiguration:
+ include-non-failures: false
+ terraform:
+ exclude-downloaded-modules: true
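Review bot: `ignore-unfixed: true` under `vulnerability:` silently hides every finding that has no upstream fix yet, which is at odds with the `.trivyignore` added in the same commit, whose guidance is that each suppressed item carries a reason and a review date; unfixed CRITICAL findings are exactly the ones that need a compensating-control note rather than silence. Either drop the flag and record unfixed items in `.trivyignore` with `exp:` dates, or keep it and add `# unfixed findings are hidden, not triaged -- re-check before each release` above it so the trade-off is visible. `type: [library]` further limits vulnerability scanning to application dependencies; if the reusable workflow also scans container images, OS packages would be skipped, so `type: [os, library]` is the safer default unless images are out of scope (not visible from this diff). The `vulnerability.type` key may also be superseded by `pkg.types` in recent Trivy releases, which is worth checking against the version the reusable workflow runs so the setting is not ignored.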