20 changes: 10 additions & 10 deletions .github/labeler-config.yaml
@@ -1,19 +1,19 @@
version: 1
labels:
- label: "major"
title: "^!(fix|feat|chore)(\\(\\w+\\))?:\\s.+$"
- label: "breaking-change"
title: "^!(fix|feat|chore)(\\(\\w+\\))?:\\s.+$"
body: "^BREAKING CHANGE:.*$"
- label: "minor"
title: "^feat(\\(\\w+\\))?:\\s.+$"
- label: "feature"
title: "^feat(\\(\\w+\\))?:\\s.+$"
title: "^feat(\\(\\w+\\)):\\s.+$"
- label: "patch"
title: "^fix(\\(\\w+\\))?:\\s.+$"
title: "^(fix|chore|refactor|style|perf|test|docs|revert)(\\(\\w+\\)):\\s.+$"
- label: "fix"
title: "^fix(\\(\\w+\\))?:\\s.+$"
- label: "patch"
title: "^chore(\\(\\w+\\))?:\\s.+$"
title: "^fix(\\(\\w+\\)):\\s.+$"
- label: "feature"
title: "^feat(\\(\\w+\\)):\\s.+$"
- label: "chore"
title: "^(chore|refactor|style|perf|test|docs|revert)(\\(\\w+\\)):\\s.+$"
- label: "breaking-change"
body: "^BREAKING CHANGE:.*$"
- label: "ready-to-merge"
mergeable: true
- label: "draft"
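Review bot: The rewritten title patterns drop the `?` after the scope group, e.g. `"^feat(\\(\\w+\\)):\\s.+$"` and `"^(fix|chore|refactor|style|perf|test|docs|revert)(\\(\\w+\\)):\\s.+$"`, so a PR titled `feat: add x` with no scope no longer receives `feature` or `patch`, while the `major` and `breaking-change` patterns on the unchanged lines keep the scope optional with `(\\(\\w+\\))?`. The rendered view has lost the +/- markers, so which of the duplicated `feature`/`patch`/`breaking-change` entries is the new side is inferred from the regex shape; if a mandatory scope is intended, the `major` pattern should be tightened to match, otherwise restore the `?` so all labels agree. Separately, `^!(fix|feat|chore)` expects the `!` before the type, whereas Conventional Commits places it after the type or scope (`feat!:` / `feat(api)!:`), so titles following that convention would not match the `major` or `breaking-change` rules; this is pre-existing but worth fixing while the patterns are being reworked. The file continues past this hunk.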
6 changes: 3 additions & 3 deletions .github/workflows/pr-semantic.yaml
@@ -1,4 +1,4 @@
name: PR
name: CI - Conventions
on:
pull_request:
types: [opened, reopened, edited, labeled, unlabeled, synchronize]
Expand All @@ -14,10 +14,10 @@ permissions:

jobs:
pr_labels:
name: Add labels
name: Labels
runs-on: ubuntu-latest
steps:
- uses: srvaroa/labeler@b4493338d7929ddc4ffc95fadf6f28c73bae2e90
- uses: srvaroa/labeler@v1.13.0
with:
config_path: .github/labeler-config.yaml
env:
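Review bot: The `srvaroa/labeler` step moves from a full commit SHA to the mutable tag `v1.13.0` (assuming the tag line is the new side, since the rendered view drops the +/- markers); a tag can be re-pointed to different code, so this weakens the supply-chain pin the SHA provided. Keep the SHA and record the version beside it so bots can still bump it: `- uses: srvaroa/labeler@<full-commit-sha-for-v1.13.0> # v1.13.0`. The same applies to `dnlopes/Reusable.Workflows/.github/workflows/trivy-scan.yaml@v1` in pr-trivy.yaml, where a floating major tag selects the code that later runs with write permissions. The job's `env:` block continues outside the hunk.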
17 changes: 17 additions & 0 deletions .github/workflows/pr-trivy.yaml
@@ -0,0 +1,17 @@
name: CI - Trivy
on:
pull_request:

concurrency:
group: pr-trivy-${{ github.ref }}
cancel-in-progress: true

jobs:
security:
name: Security
uses: dnlopes/Reusable.Workflows/.github/workflows/trivy-scan.yaml@v1
permissions:
contents: read
pull-requests: write # needed for PR comments
statuses: write # needed for setting the status of the PR

2 changes: 1 addition & 1 deletion .github/workflows/release.yaml
@@ -1,4 +1,4 @@
name: Release
name: CI - Release
on:
push:
branches:
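--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,86 @@
+# Trivy Ignore File
+# Copy this file to your repository root as '.trivyignore'
+# Documentation: https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#by-vulnerability-ids
+#
+# Format:
+# - One entry per line
+# - Lines starting with # are comments
+# - Supports CVE IDs, vulnerability IDs, and package specifiers
+#
+# IMPORTANT: Document WHY each vulnerability is ignored!
+# Review this file regularly and remove entries when fixes are available.
+
+# =============================================================================
+# EXAMPLE: Ignore specific CVEs
+# =============================================================================
+
+# CVE-2023-XXXXX: False positive - not exploitable in our context
+# Affected: example-package v1.2.3
+# Reason: We don't use the vulnerable code path
+# Review date: 2024-01-15
+# CVE-2023-XXXXX
+
+# CVE-2024-YYYYY: No fix available, mitigated by network policy
+# Affected: another-package v4.5.6
+# Reason: Service is not exposed externally, mitigated at network layer
+# Review date: 2024-02-01
+# CVE-2024-YYYYY
+
+# =============================================================================
+# EXAMPLE: Ignore by package (use with caution!)
+# =============================================================================
+
+# Ignore all vulnerabilities in a specific Go package
+# Only use when the package is vendored and patched internally
+# pkg:golang/github.com/example/internal-fork
+
+# =============================================================================
+# EXAMPLE: Ignore vulnerabilities until a specific date
+# =============================================================================
+
+# Format: CVE-ID exp:YYYY-MM-DD
+# The vulnerability will be ignored until the expiration date
+# After expiration, Trivy will report it again
+
+# CVE-2024-ZZZZZ: Temporary ignore while waiting for upstream fix
+# Expected fix in next release (ETA: March 2024)
+# CVE-2024-ZZZZZ exp:2024-03-31
+
+# =============================================================================
+# EXAMPLE: Ignore misconfigurations by ID
+# =============================================================================
+
+# AVD-AWS-0086: S3 bucket logging - handled by centralized logging solution
+# AVD-AWS-0086
+
+# AVD-KSV-0001: Process can elevate privileges - required for init container
+# AVD-KSV-0001
+
+# =============================================================================
+# EXAMPLE: Ignore secrets (use with extreme caution!)
+# =============================================================================
+
+# Only ignore secrets that are:
+# - Test/example values in documentation
+# - Already rotated/invalidated
+# - False positives (e.g., UUIDs detected as secrets)
+
+# generic-api-key: False positive - this is a placeholder in example config
+# examples/config.example.yaml
+
+# =============================================================================
+# COMMON FALSE POSITIVES
+# =============================================================================
+
+# Test fixtures and example files often trigger false positives
+# Consider using skip-dirs in trivy.yaml instead of ignoring here
+
+# =============================================================================
+# YOUR PROJECT-SPECIFIC IGNORES BELOW
+# =============================================================================
+# Remember to:
+# 1. Document the reason for each ignore
+# 2. Set a review/expiration date
+# 3. Remove entries when fixes become available
+# 4. Review this file in security audits
+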
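Review bot: The header line `# Copy this file to your repository root as '.trivyignore'` is stale once the file is committed at the root under that exact name, and since every line is a comment the file currently suppresses nothing, which is fine but invites someone to uncomment a placeholder such as `# CVE-2023-XXXXX` thinking it is a live entry. Replace the header with a one-line statement of purpose, e.g. `# Trivy ignore list for this repository; every entry needs a reason and an exp: date`, and trim the example sections to the format reminder. Note that with `ignore-unfixed: true` in trivy.yaml the "No fix available" example never applies here, because such findings are filtered before this file is consulted.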
27 changes: 27 additions & 0 deletions trivy.yaml
@@ -0,0 +1,27 @@
format: table
exit-code: 1
timeout: 10m
severity: [CRITICAL, HIGH, MEDIUM]
scanners: [vuln, secret, misconfig]

scan:
skip-dirs:
- node_modules
- vendor
- .git
- .terraform
- __pycache__
- .venv
- venv
- dist
- build
- .cache

vulnerability:
type: [library]
ignore-unfixed: true

misconfiguration:
include-non-failures: false
terraform:
exclude-downloaded-modules: true
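Review bot: `ignore-unfixed: true` silently drops every finding that has no patched version, including CRITICAL ones, with no reason or expiry recorded anywhere, so unfixed exposures never reach the PR and the `.trivyignore` review discipline added in this same change does not cover them. Prefer `ignore-unfixed: false` and track unfixed findings in `.trivyignore` with an `exp:` date so they resurface for review, or at minimum record the policy inline: `ignore-unfixed: true  # policy: unfixed findings are triaged out-of-band, not in CI`. `type: [library]` also excludes OS-package findings, which matters only if the reusable workflow scans container images rather than the repository filesystem; the workflow's inputs are not visible here. The rendered view has flattened the indentation, so the nesting of `skip-dirs` under `scan` and `type` under `vulnerability` should be confirmed in the committed file.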