security(image): clear image HIGH/CRITICAL CVEs and scope the Grype gate #442
Merged
The first grype-image scan on main surfaced a pre-existing CVE backlog that nothing had been scanning (Snyk Container never ran: no token configured). Bumped the base + cosign to clear everything in the Node runtime and Alpine OS packages; triaged the residual findings that live only inside the bundled cosign/trivy tool binaries' vendored Go module graphs.

- Dockerfile: node:24-alpine base bump (node 24.14.0 -> 24.16.0 / CVE-2026-21710, musl 1.2.5 -> 1.2.6, curl 8.19.0 -> 8.20.0, git 2.52.0 -> 2.54.0), cosign 2.6.3 -> 3.0.6, bash 5.3.3 -> 5.3.9. cosign 3.0.6 keeps the verify flags the signature path uses.
- .grype.yaml: documented, location-scoped triage for /usr/bin/cosign and /usr/bin/trivy (vendored Go CVEs clear only on Alpine package rebuilds)
- security-grype.yml: load .grype.yaml via GRYPE_CONFIG for a deterministic gate
- CHANGELOG: Security entry

Verified: full release image scan reports 0 HIGH/CRITICAL outside the two triaged binaries; grype --fail-on high passes with the config (was 11 critical + 22 high).
biggest-littlest
approved these changes
Jun 16, 2026
biggest-littlest
left a comment
Member
Image CVE remediation looks right. Base + cosign bump clears the fixable HIGH/CRITICALs; the .grype.yaml triage is location-scoped to the bundled cosign/trivy binaries only and well documented. Verified the gate passes.
ALARGECOMPANY
approved these changes
Jun 16, 2026
ALARGECOMPANY
left a comment
Member
LGTM. Triage rationale matches the Snyk-removal reasoning (don't gate on a module graph we don't ship); Node/OS/app deps stay fully gated. Approving.
What

Clears the HIGH/CRITICAL container-image CVEs that the new grype-image scan (added in #441) surfaced, and scopes the Grype image gate so it stays accurate going forward.

Before this change the built release image reported 11 critical + 22 high. After it: 0 HIGH/CRITICAL outside the two bundled third-party tool binaries (cosign, trivy), which are triaged with a documented, location-scoped .grype.yaml.

Changes

- Dockerfile: bump the base + pins that carried the fixable CVEs:
  - node:24-alpine → Alpine 3.24.1 digest (clears the Node-runtime CVE, musl, curl ×2, git)
  - bash 5.3.3-r1 → 5.3.9-r1, git 2.52.0-r0 → 2.54.0-r0
  - cosign 2.6.3-r1 → 3.0.6-r1 (clears the bulk of the vendored-Go cosign CVEs; CLI verify flags drydock uses are unchanged)
- .grype.yaml (new): location-scoped ignore for /usr/bin/cosign and /usr/bin/trivy only. These are vendored Go-module CVEs compiled into the upstream tool binaries; we can't patch them independently: they clear when Alpine rebuilds those packages, which we pick up on the next base bump. The Node runtime, every OS package, and the entire app dependency graph stay fully gated. Gating on a module graph we don't ship is the same manifest-vs-shipped mismatch we dropped Snyk over.
- security-grype.yml: wire GRYPE_CONFIG to the repo-root .grype.yaml so the gate is deterministic across action versions (grype also auto-discovers it, but pinning the path is explicit).
- CHANGELOG.md: Security entry under Unreleased.

Verification

- grype --fail-on high with the config exits 0 (was exit 2 / 33 findings). HIGH+ findings outside the two triaged binaries: 0.
- app/security/scan.ts's verify --output json --key --certificate-identity --certificate-oidc-issuer.
- The red grype-image alerts currently in the Security tab will auto-close on the next scan once this lands (the new SARIF no longer reports them).
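The location-scoped triage described under Changes, as an added example that is not code from the drydock repository or from this PR: a Python replay of the Grype gate over a constructed grype-style JSON report, comparing rules scoped to /usr/bin/cosign and /usr/bin/trivy with the same rules left unscoped. It assumes grype's JSON report shape (matches[].vulnerability.{id,severity}, matches[].artifact.{name,version,locations[].path}) and grype's ignore semantics (a rule applies only when every field it sets matches, and package.location is a glob over the artifact path); the CVE ids, Go module names and the /usr/local/bin/other-tool path are placeholders, not findings from the image.

```python
# Added example, not code from the drydock repository or this PR. Replays the
# Grype image gate offline: location-scoped ignore rules (the shape used by the
# PR's .grype.yaml) versus unscoped ones, over a constructed grype-style report.
# Assumed: grype's JSON shape (matches[].vulnerability.{id,severity},
# matches[].artifact.{name,version,locations[].path}) and its rule semantics
# (a rule applies only when every field it sets matches; location is a glob).
import fnmatch
import json

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Python rendering of the assumed .grype.yaml shape:
#   ignore:
#     - vulnerability: CVE-0000-00001
#       package:
#         location: /usr/bin/cosign
SCOPED_RULES = [
    {"vulnerability": "CVE-0000-00001", "package": {"location": "/usr/bin/cosign"}},
    {"vulnerability": "CVE-0000-00002", "package": {"location": "/usr/bin/trivy"}},
]
# The weak form: same CVE ids, no location, so the rule fires anywhere in the image.
UNSCOPED_RULES = [{"vulnerability": "CVE-0000-00001"}, {"vulnerability": "CVE-0000-00002"}]


def finding(cve, severity, name, version, path):
    """Build one grype-style match record (constructed sample data)."""
    return {
        "vulnerability": {"id": cve, "severity": severity},
        "artifact": {"name": name, "version": version, "locations": [{"path": path}]},
    }


# Constructed report: placeholder CVE ids and module names, not real findings.
BASE_MATCHES = [
    finding("CVE-0000-00001", "Critical", "github.com/example/vendored", "v1.0.0", "/usr/bin/cosign"),
    finding("CVE-0000-00002", "High", "github.com/example/other", "v2.3.0", "/usr/bin/trivy"),
    finding("CVE-0000-00003", "Medium", "musl", "1.2.6-r0", "/lib/apk/db/installed"),
]
# The same vendored module compiled into a binary the triage did not cover
# (hypothetical path): a scoped rule must not silence this copy.
OUT_OF_SCOPE = finding("CVE-0000-00001", "Critical", "github.com/example/vendored",
                       "v1.0.0", "/usr/local/bin/other-tool")


def rule_matches(rule, match):
    """True when every field the ignore rule sets matches this finding."""
    if "vulnerability" in rule and rule["vulnerability"] != match["vulnerability"]["id"]:
        return False
    pkg_rule = rule.get("package", {})
    artifact = match["artifact"]
    for field in ("name", "version"):
        if field in pkg_rule and pkg_rule[field] != artifact.get(field):
            return False
    if "location" in pkg_rule:
        paths = [loc["path"] for loc in artifact.get("locations", [])]
        if not any(fnmatch.fnmatch(p, pkg_rule["location"]) for p in paths):
            return False
    return True


def run_gate(report_json, rules, fail_on="High"):
    """Apply ignore rules, then fail on any remaining finding at or above fail_on.

    Returns (passes, gated_ids, ignored_ids); gated_ids is what would break CI.
    """
    threshold = SEVERITY_RANK[fail_on]
    gated, ignored = [], []
    for m in json.loads(report_json)["matches"]:
        cve = m["vulnerability"]["id"]
        if any(rule_matches(r, m) for r in rules):
            ignored.append(cve)
        elif SEVERITY_RANK.get(m["vulnerability"]["severity"], 0) >= threshold:
            gated.append(cve)
    return (not gated), gated, ignored


def report(matches):
    """Serialise matches as a grype-style JSON document."""
    return json.dumps({"matches": matches})


if __name__ == "__main__":
    clean = report(BASE_MATCHES)
    drifted = report(BASE_MATCHES + [OUT_OF_SCOPE])
    print("scoped rules, clean image:    ", run_gate(clean, SCOPED_RULES))
    print("scoped rules, drifted image:  ", run_gate(drifted, SCOPED_RULES))
    print("unscoped rules, drifted image:", run_gate(drifted, UNSCOPED_RULES))
```

The drifted report is the case the PR's scoping guards against: with location-scoped rules the second copy of the vendored CVE still fails the gate, while the unscoped rules pass it silently. To replay a real scan, feed the text of `grype <image> -o json` to run_gate in place of report(...); the same rule dicts are what GRYPE_CONFIG points grype at in the workflow.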