From 15e13cb92f210fe932b8746d62680c7b521779c1 Mon Sep 17 00:00:00 2001
From: John Watson
Date: Fri, 20 Mar 2026 15:16:54 +0000
Subject: [PATCH 1/2] Pin Trivy
---
 .github/workflows/build-scan-push.yml | 2 +-
 .github/workflows/nightly-scan.yml | 2 +-
 Dockerfile | 2 +-
 JOB.env | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build-scan-push.yml b/.github/workflows/build-scan-push.yml
index e0e39bd..70b57bc 100644
--- a/.github/workflows/build-scan-push.yml
+++ b/.github/workflows/build-scan-push.yml
@@ -103,7 +103,7 @@ jobs:
 - name: Run Aqua Trivy scan
 id: trivy-scan
 if: ${{ matrix.target == 'production' }}
- uses: aquasecurity/trivy-action@0.35.0
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
 with:
 input: image-${{ matrix.image.nodeVersion }}.tar
 scan-type: image
diff --git a/.github/workflows/nightly-scan.yml b/.github/workflows/nightly-scan.yml
index ee670c0..2294917 100644
--- a/.github/workflows/nightly-scan.yml
+++ b/.github/workflows/nightly-scan.yml
@@ -40,7 +40,7 @@ jobs:
 - name: Run Aqua Trivy scan
 id: trivy-scan
- uses: aquasecurity/trivy-action@0.35.0
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
 with:
 image-ref: defradigital/${{env.IMAGE_NAME}}:${{env.DEFRA_VERSION}}-node${{matrix.image.nodeVersion}}
 format: sarif
diff --git a/Dockerfile b/Dockerfile
index 722f3b2..4c7c788 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # Set default values for build arguments
-ARG DEFRA_VERSION=3.0.3
+ARG DEFRA_VERSION=3.0.4
 ARG BASE_VERSION=24.14.0-alpine3.23
 FROM node:$BASE_VERSION AS production
diff --git a/JOB.env b/JOB.env
index 7affe9e..f297853 100644
--- a/JOB.env
+++ b/JOB.env
@@ -1,2 +1,2 @@
-DEFRA_VERSION=3.0.3
+DEFRA_VERSION=3.0.4
 IMAGE_NAME=node
From e9189a3eda7c72a3fb57babb263edeeb6215f689 Mon Sep 17 00:00:00 2001
From: John Watson
Date: Fri, 20 Mar 2026 15:37:46 +0000
Subject: [PATCH 2/2] Add vuln
---
 .grype.yaml | 2 ++
 1 file changed, 2 insertions(+)
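Review bot: The new `uses:` line in build-scan-push.yml pins trivy-action to a bare commit SHA with nothing saying which release that SHA was taken from, and the nightly-scan.yml hunk has the same gap; a reader cannot tell what version of the scanner is running, and bump tooling such as Dependabot and Renovate relies on a trailing version comment to keep a SHA-pinned action current, so without one the pin silently goes stale. Add the release as a trailing comment on both lines, `uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # <release tag this SHA resolves to>`, filling in the tag you resolved the SHA from (presumably the 0.35.0 the line replaces, but confirm it against the upstream tag rather than assuming). The surrounding job step lists in both files begin and end outside these hunks.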
diff --git a/.grype.yaml b/.grype.yaml
index 3f9305b..ca3173d 100644
--- a/.grype.yaml
+++ b/.grype.yaml
@@ -33,3 +33,5 @@ ignore:
 reason: "Node 24: tar patched but not yet available in Node.js base images"
 - vulnerability: GHSA-9ppj-qmqm-q256
 reason: "Node 24: tar patched but not yet available in Node.js base images"
+ - vulnerability: CVE-2026-2673
+ reason: "Alpine libcrypto: No fix available"
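Review bot: The added ignore entry for CVE-2026-2673 suppresses the finding unconditionally, so it will keep hiding the vulnerability after Alpine publishes a patched libcrypto, which is exactly the moment the image should start failing the scan again. Grype ignore rules accept a `fix-state` field, so adding `fix-state: not-fixed` under the new entry makes the suppression lapse on its own once a fix is available; a `package:` block naming the affected Alpine package would tighten it further so the rule cannot mask the same CVE in an unrelated package. The reason string should also record the review condition rather than just the current state, e.g. `reason: "Alpine libcrypto: no fix available as of <date reviewed>; remove once a fixed package is published"`. The `ignore:` list this entry extends begins outside the hunk.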