fix(security): resilient Trivy bootstrap (apt-retry + checksum-verified binary fallback) #2

Merged
vr6syncro merged 2 commits from fix/resilient-trivy-bootstrap into main 2026-06-01 19:49:06 +02:00
Owner

## Problem

The `Bootstrap scanners` step ran `wget https://aquasecurity.github.io/...` under `set -euo pipefail` with **no fallback**. On the dind runner (which cannot reliably reach that host), the `wget`/apt path died and the whole **security job went red before any scan ran** — no findings, no notify, just a failing check. This is why NestAgent/NestMsg security CI was red while NestFather/ZeitOMeter (good runner) passed. Same runner-infra class as the E2E-dind timeouts.

## Fix (both security.yml + security-hardened.yml)

- Retry the apt signed-repo install **3×** with backoff.
- Fall back to the **official pinned release binary** (HTTPS + SHA256-checksum-verified from the release's `checksums.txt`; dynamic latest version with a safety pin).
- Each method is guarded so a single unreachable host can't kill the job under `set -e`.
- **Fails-closed** only if every method fails (a missing scanner must not silently look like a clean result).
- security-hardened.yml: OSV-Scanner / Hadolint / SAST installs preserved unchanged.

Validated: both files YAML-parse; both bootstrap run-blocks pass `bash -n`. Must be promoted to the `v2` tag to take effect fleet-wide.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

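The bootstrap the description above lays out (apt install retried with backoff, fallback to a release binary verified against the release's `checksums.txt`, each method guarded so one unreachable host cannot trip `set -e`, hard failure only when every method fails), written out as an added example for this page. It is not the ci-workflows project's own `security.yml`/`security-hardened.yml` run-block. Assumptions: the runner is root on a Debian-based image; the apt repo URL and keyring path follow Trivy's documented install instructions; the asset names `trivy_<ver>_Linux-64bit.tar.gz` and `trivy_<ver>_checksums.txt` follow the aquasecurity/trivy GitHub release layout; `TRIVY_PINNED_VERSION`, the `0.50.0` placeholder pin, and the function names `retry`, `sha256_of`, `verify_sha256`, `resolve_version`, `install_trivy_apt`, `install_trivy_binary` and `bootstrap_trivy` are all chosen here.

```bash
#!/usr/bin/env bash
# Added example for this page (not ci-workflows' own bootstrap code):
# resilient Trivy bootstrap = apt with retry/backoff -> checksum-verified
# release binary -> fail closed. Assumed: root on a Debian-based runner,
# Trivy's documented apt repo/keyring, GitHub release asset naming.
set -euo pipefail

# retry <attempts> <base_delay_s> <cmd...>: exponential backoff (base, 2*base, ...).
# Returns 0 on the first success, otherwise the last failure's exit code.
retry() {
  local attempts=$1 delay=$2; shift 2
  local n=1 rc
  while :; do
    if "$@"; then return 0; else rc=$?; fi
    if (( n >= attempts )); then return "$rc"; fi
    sleep "$(( delay << (n - 1) ))"
    n=$(( n + 1 ))
  done
}

# sha256_of <file>: hex digest (coreutils sha256sum, or shasum where absent).
sha256_of() {
  local out
  if command -v sha256sum >/dev/null 2>&1; then out=$(sha256sum "$1"); else out=$(shasum -a 256 "$1"); fi
  printf '%s\n' "${out%% *}"
}

# verify_sha256 <file> <checksums.txt>: look the file's basename up in a
# sha256sum-style list ("<hex>  <name>") and compare digests. A missing entry
# fails, so an empty or truncated checksums file cannot pass.
verify_sha256() {
  local file=$1 sums=$2 name expected actual
  name=$(basename "$file")
  expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
  if [[ -z $expected ]]; then echo "no checksum entry for $name" >&2; return 1; fi
  actual=$(sha256_of "$file")
  if [[ $actual != "$expected" ]]; then
    echo "checksum mismatch for $name: expected $expected, got $actual" >&2
    return 1
  fi
}

# Method 1: Trivy's signed apt repo (URLs as in Trivy's documented install), 3 tries.
install_trivy_apt() {
  retry 3 5 bash -euo pipefail -c '
    install -d -m 0755 /usr/share/keyrings
    curl -fsSL --max-time 30 https://aquasecurity.github.io/trivy-repo/deb/public.key \
      | gpg --dearmor > /usr/share/keyrings/trivy.gpg
    echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" \
      > /etc/apt/sources.list.d/trivy.list
    apt-get update -qq && apt-get install -y -qq trivy'
}

# Resolve "latest" from the GitHub API; fall back to the pin if the API is unreachable.
resolve_version() {
  local pinned=$1 latest=""
  latest=$(curl -fsSL --max-time 10 https://api.github.com/repos/aquasecurity/trivy/releases/latest 2>/dev/null \
    | sed -n 's/.*"tag_name": *"v\([0-9.]*\)".*/\1/p' | head -n1) || true
  printf '%s\n' "${latest:-$pinned}"
}

# Method 2: release tarball + checksums.txt from the GitHub release, verified before install.
install_trivy_binary() {
  local version=$1 dest=${TRIVY_INSTALL_DIR:-/usr/local/bin}
  local base="https://github.com/aquasecurity/trivy/releases/download/v${version}"
  local tarball="trivy_${version}_Linux-64bit.tar.gz" sums="trivy_${version}_checksums.txt"
  local tmp; tmp=$(mktemp -d)
  retry 3 5 curl -fsSL --max-time 120 -o "$tmp/$tarball" "$base/$tarball" || return 1
  retry 3 5 curl -fsSL --max-time 30 -o "$tmp/$sums" "$base/$sums" || return 1
  verify_sha256 "$tmp/$tarball" "$tmp/$sums" || return 1
  tar -xzf "$tmp/$tarball" -C "$tmp" trivy
  install -m 0755 "$tmp/trivy" "$dest/trivy"
  rm -rf "$tmp"
}

# Orchestrator: each method runs as an `if` condition, so a failing host cannot
# trip errexit; only when every method has failed do we return non-zero.
bootstrap_trivy() {
  local pinned=${TRIVY_PINNED_VERSION:-0.50.0}   # placeholder pin (assumption)
  if install_trivy_apt; then
    echo "trivy installed via apt"
  elif install_trivy_binary "$(resolve_version "$pinned")"; then
    echo "trivy installed via verified release binary"
  else
    echo "ERROR: trivy could not be installed by any method; failing closed" >&2
    return 1
  fi
  # Fail closed even if an install path claimed success but left no binary behind.
  command -v trivy >/dev/null 2>&1 || { echo "ERROR: trivy not on PATH after install" >&2; return 1; }
  trivy --version
}

# Only perform the network install when invoked with --run (sourcing for tests is safe).
if [[ ${1:-} == "--run" ]]; then bootstrap_trivy; fi
```

Run it as `bash bootstrap-trivy.sh --run` from the workflow step. One caveat on the fallback: `checksums.txt` comes from the same origin as the tarball, so the check defends against a truncated or swapped download, not against a compromised release, since whoever can replace one asset can replace both. Pinning the expected SHA256 in the workflow itself (and preferring the pinned version over "latest" in a reproducible pipeline) is the stronger control.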
fix(security): resilient Trivy bootstrap (apt-retry + checksum-verified binary fallback)
Some checks failed
security-hardened.yml / fix(security): resilient Trivy bootstrap (apt-retry + checksum-verified binary fallback) (push) Failing after 0s
security.yml / fix(security): resilient Trivy bootstrap (apt-retry + checksum-verified binary fallback) (push) Failing after 0s
8b33715866
The 'Bootstrap scanners' step ran 'wget https://aquasecurity.github.io/...' under
set -e with no fallback; on the dind runner (which cannot always reach that host)
the whole security job died red before any scan/findings/notify. Now: retry apt 3x,
then fall back to the official pinned release binary (HTTPS + SHA256-verified), and
hard-fail (fails-closed) only if ALL methods fail.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
fix(security-hardened): preserve OSV/Hadolint/SAST installs in resilient bootstrap
Some checks failed
security-hardened.yml / fix(security-hardened): preserve OSV/Hadolint/SAST installs in resilient bootstrap (push) Failing after 0s
security.yml / fix(security-hardened): preserve OSV/Hadolint/SAST installs in resilient bootstrap (push) Failing after 0s
security-hardened.yml / fix(security-hardened): preserve OSV/Hadolint/SAST installs in resilient bootstrap (pull_request) Failing after 0s
security.yml / fix(security-hardened): preserve OSV/Hadolint/SAST installs in resilient bootstrap (pull_request) Failing after 0s
security-hardened.yml / fix(security): resilient Trivy bootstrap (apt-retry + checksum-verified binary fallback) (pull_request) Failing after 0s
security.yml / fix(security): resilient Trivy bootstrap (apt-retry + checksum-verified binary fallback) (pull_request) Failing after 0s
f3ac2f948c
vr6syncro deleted branch fix/resilient-trivy-bootstrap 2026-06-01 19:49:07 +02:00
Reference
vr6syncro/ci-workflows!2