CI security scanning #14

Closed
opened 2026-06-12 20:27:44 +00:00 by james (Owner) · 0 comments

Scope

  • Dependency scanning: npm audit at minimum, plus OSV-Scanner for broader coverage.
  • Container image scan on the built service image (Trivy or equivalent).
  • Fail the PR check on findings at or above a configured severity. Start with high.

Acceptance criteria

  • A deliberately vulnerable dependency in a throwaway branch trips the check.
  • Findings are surfaced in the PR check output, not buried in raw logs.
  • The severity threshold is documented and configurable in one place.

Part of epic #2. Depends on #13.
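The gate the scope above asks for, as an added example that is not part of the issue or of the james/carol repository: a Python script that reads the JSON output of the three scanners, maps their different severity vocabularies onto one scale, applies a single threshold (read from an assumed `CI_SEVERITY_THRESHOLD` environment variable, default `high`) and renders a Markdown table for the PR check body. The JSON field names it reads are this example's assumption about what `npm audit --json`, `osv-scanner --format json` and `trivy image --format json` emit; the embedded sample reports are constructed, with placeholder package names and IDs. One caveat a practitioner will hit is handled explicitly: OSV records do not always carry a severity, and an unrated finding blocks by default instead of slipping through.

```python
"""Single severity gate over npm audit, OSV-Scanner and Trivy JSON reports.

Added example, not code from the issue or the james/carol repository. It
assumes each scanner was run with JSON output and that the field names read
below match what those tools emit. The sample reports are constructed with
placeholder package names and IDs.
"""
import json
import os
import sys

# The one place the threshold is configured: env var in CI, default `high`.
# An invalid value raises KeyError in gate() so misconfiguration fails loudly.
SEVERITY_THRESHOLD = os.environ.get("CI_SEVERITY_THRESHOLD", "high")

# One scale for all three vocabularies: npm says "moderate", Trivy "MEDIUM".
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "medium": 2,
                 "high": 3, "critical": 4}


def norm(sev):
    """Lower-case a severity label; anything unrecognised becomes 'unknown'."""
    s = (sev or "").lower()
    return s if s in SEVERITY_RANK else "unknown"


def from_npm_audit(report):
    """npm audit --json (auditReportVersion 2): one entry per vulnerable package."""
    out = []
    for name, v in report.get("vulnerabilities", {}).items():
        # `via` mixes advisory dicts (direct) and package-name strings (transitive).
        advisories = [a for a in v.get("via", []) if isinstance(a, dict)]
        ident = advisories[0].get("url", "transitive") if advisories else "transitive"
        out.append({"tool": "npm audit", "id": ident, "package": name,
                    "severity": norm(v.get("severity"))})
    return out


def from_osv(report):
    """osv-scanner --format json: results -> packages -> vulnerabilities.
    Severity, when the source database supplies one, sits in
    database_specific.severity; records without it are kept as 'unknown'."""
    out = []
    for res in report.get("results", []):
        for pkg in res.get("packages", []):
            name = pkg.get("package", {}).get("name", "?")
            for vuln in pkg.get("vulnerabilities", []):
                sev = (vuln.get("database_specific") or {}).get("severity")
                out.append({"tool": "osv-scanner", "id": vuln.get("id", "?"),
                            "package": name, "severity": norm(sev)})
    return out


def from_trivy(report):
    """trivy image --format json: Results -> Vulnerabilities, Severity upper-case."""
    out = []
    for res in report.get("Results", []):
        for vuln in res.get("Vulnerabilities") or []:
            out.append({"tool": "trivy", "id": vuln.get("VulnerabilityID", "?"),
                        "package": vuln.get("PkgName", "?"),
                        "severity": norm(vuln.get("Severity"))})
    return out


def gate(findings, threshold=SEVERITY_THRESHOLD, unknown_blocks=True):
    """Return the findings that fail the check. Unrated findings block by
    default: a missing severity must not turn into a silent pass."""
    cutoff = SEVERITY_RANK[threshold.lower()]
    return [f for f in findings
            if (f["severity"] == "unknown" and unknown_blocks)
            or SEVERITY_RANK.get(f["severity"], -1) >= cutoff]


def summary(findings, blocking, threshold=SEVERITY_THRESHOLD):
    """Markdown table for the PR check body, worst first (unrated on top)."""
    lines = [f"## Security scan: {len(blocking)} finding(s) at or above `{threshold}`",
             "", "| tool | id | package | severity | blocks |", "|---|---|---|---|---|"]
    for f in sorted(findings, key=lambda f: -SEVERITY_RANK.get(f["severity"], 99)):
        lines.append(f"| {f['tool']} | {f['id']} | {f['package']} | {f['severity']} | "
                     f"{'yes' if f in blocking else 'no'} |")
    return "\n".join(lines)


# Constructed sample reports (placeholder names and IDs, not real advisories).
SAMPLE_NPM = {"auditReportVersion": 2, "vulnerabilities": {
    "example-lib": {"name": "example-lib", "severity": "high",
                    "via": [{"title": "placeholder", "severity": "high",
                             "url": "https://example.invalid/advisory/1"}]},
    "other-lib": {"name": "other-lib", "severity": "moderate", "via": ["example-lib"]}}}
SAMPLE_OSV = {"results": [{"packages": [
    {"package": {"name": "example-lib", "ecosystem": "npm"},
     "vulnerabilities": [{"id": "EXAMPLE-0001", "database_specific": {"severity": "HIGH"}},
                         {"id": "EXAMPLE-0002"}]}]}]}  # second record has no severity
SAMPLE_TRIVY = {"Results": [{"Target": "service:ci", "Vulnerabilities": [
    {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "libexample", "Severity": "CRITICAL"},
    {"VulnerabilityID": "EXAMPLE-0004", "PkgName": "libother", "Severity": "LOW"}]}]}


def run(npm=SAMPLE_NPM, osv=SAMPLE_OSV, trivy=SAMPLE_TRIVY, threshold=SEVERITY_THRESHOLD):
    """Collect findings from all three reports and apply the single threshold."""
    findings = from_npm_audit(npm) + from_osv(osv) + from_trivy(trivy)
    return findings, gate(findings, threshold)


if __name__ == "__main__":
    # Usage: gate.py npm.json osv.json trivy.json   (no args: constructed samples)
    if len(sys.argv) == 4:
        npm, osv, trivy = (json.load(open(p)) for p in sys.argv[1:])
        findings, blocking = run(npm, osv, trivy)
    else:
        findings, blocking = run()
    print(summary(findings, blocking))
    sys.exit(1 if blocking else 0)
```

Wire it in as one step after the three scan steps, pointing at their saved JSON files: the non-zero exit is what fails the PR check, and the printed table is what the workflow posts as the check output. Changing the threshold means changing the one environment variable, which is also where it should be documented.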

james closed this issue 2026-06-14 00:18:27 +00:00
Reference
james/carol#14