Conversation

Contributor

Copilot AI commented Sep 11, 2025

This PR enhances the Docker optimization work from #58 by adding comprehensive security scanning and build improvements.

Security Enhancements

Trivy Integration:

  • Added Trivy vulnerability scanning to CI pipeline with SARIF output uploaded to GitHub Security tab
  • New make docker-scan target for local security scanning with automatic installation guidance
  • Scanning focuses on HIGH and CRITICAL vulnerabilities for actionable security insights

Build Security:

  • Enhanced Go build flags with -s -extldflags '-static' for static linking and symbol stripping
  • Updated Alpine base image from 3.18 to 3.20 for latest security patches
  • Improved binary security through additional compiler flags

Example Usage

# Local security scanning
make docker-scan

# CI automatically scans on PR/push with results in Security tab
# Enhanced build produces smaller, more secure binaries

Testing:

  • All existing tests pass with no regressions
  • Added dedicated Docker security tests to validate enhancements
  • Makefile targets properly validated

The Docker optimization from #58 provided an excellent foundation with multi-stage builds, non-root execution, health checks, and proper volumes. This PR adds the missing security scanning layer and hardens the build process further.

Fixes #47.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • invalid-host
    • Triggering command: /tmp/go-build544346517/b342/admin.test -test.testlogfile=/tmp/go-build544346517/b342/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.parallel=8 -test.v=true (dns block)
  • invalid-host-that-does-not-exist
    • Triggering command: /tmp/go-build544346517/b342/admin.test -test.testlogfile=/tmp/go-build544346517/b342/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.parallel=8 -test.v=true (dns block)

If you need me to access, download, or install something from one of these locations, you can either:


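As an added example that is not part of the PR's Makefile or CI workflow, the following POSIX shell script wires up what the description above lists: a local scan gate (`trivy image` limited to HIGH and CRITICAL with a failing exit code, writing the SARIF file that CI would upload to the Security tab), a static, stripped Go build, and a small SARIF summariser so the "fail on HIGH/CRITICAL" rule can be exercised offline against a constructed report. The image tag, report path, main package path and Trivy's SARIF level mapping are assumptions, and the sample report is constructed, not real Trivy output.

```shell
#!/bin/sh
# Added example, not the PR's Makefile or CI workflow: a local scan gate in the
# spirit of `make docker-scan`, plus a static Go build. The image tag, report
# path, package path and directory layout are assumptions for illustration.
set -eu

IMAGE="${IMAGE:-myapp:local}"              # assumed image tag
REPORT="${REPORT:-trivy-results.sarif}"    # assumed report path (what CI would upload)

# Fail early with install guidance instead of a bare "command not found".
require_trivy() {
  if command -v trivy >/dev/null 2>&1; then
    return 0
  fi
  echo "trivy not found; see https://aquasecurity.github.io/trivy/ for install options" >&2
  return 1
}

# Build a fully static, stripped binary. CGO_ENABLED=0 is what actually avoids libc;
# -extldflags only reaches the external (cgo) linker, so with cgo disabled it is inert.
# -s strips the symbol table, -w the DWARF debug info, -trimpath removes build paths.
build_static() {
  CGO_ENABLED=0 go build -trimpath \
    -ldflags "-s -w -extldflags '-static'" \
    -o bin/app ./cmd/app        # assumed main package path
}

# Scan the image. --exit-code 1 turns the scan into a gate rather than a report;
# --ignore-unfixed keeps the gate actionable by skipping findings with no fix yet.
scan_image() {
  require_trivy
  trivy image \
    --severity HIGH,CRITICAL \
    --ignore-unfixed \
    --exit-code 1 \
    --format sarif \
    --output "$REPORT" \
    "$IMAGE"
}

# Count SARIF results at a given level without jq. Trivy emits HIGH and CRITICAL
# findings as level "error" and MEDIUM as "warning" (assumed mapping; check your version).
count_sarif_level() {
  level="$1"
  file="$2"
  grep -o "\"level\": *\"$level\"" "$file" | wc -l | tr -d ' '
}

# Exit non-zero when the report carries any "error"-level result, so a pipeline step
# that consumes a saved report (rather than the live scan) still fails on HIGH/CRITICAL.
gate_on_report() {
  file="$1"
  n=$(count_sarif_level error "$file")
  if [ "$n" -gt 0 ]; then
    echo "blocking: $n HIGH/CRITICAL finding(s) in $file" >&2
    return 1
  fi
  echo "ok: no HIGH/CRITICAL findings in $file"
}

# Constructed SARIF fragment (not real Trivy output) so the gate logic can be
# exercised offline; one error-level and one warning-level result.
write_sample_report() {
  cat > "$1" <<'EOF'
{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "Trivy"}},
    "results": [
      {"ruleId": "CVE-0000-0001", "level": "error",   "message": {"text": "constructed HIGH finding"}},
      {"ruleId": "CVE-0000-0002", "level": "warning", "message": {"text": "constructed MEDIUM finding"}}
    ]
  }]
}
EOF
}

if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp)
  write_sample_report "$tmp"
  gate_on_report "$tmp" || echo "gate tripped as expected"
  rm -f "$tmp"
fi
```

Run `sh scan.sh demo` to watch the gate trip on the constructed report; in a Makefile the body of `scan_image` is what a `docker-scan` target would call after `docker build`. The `--exit-code 1` flag is what makes the scan block a merge: a SARIF upload on its own only surfaces findings in the Security tab.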

Copilot AI and others added 2 commits September 11, 2025 06:13
Co-authored-by: mfittko <326798+mfittko@users.noreply.github.com>
Copilot AI changed the title from "[WIP] [docker] Optimize Dockerfile and containerization: multi-stage, healthchecks, security, docs" to "[docker] Add Trivy security scanning and enhance container security" Sep 11, 2025
Copilot AI requested a review from mfittko September 11, 2025 06:16
Contributor

mfittko commented Dec 31, 2025

deferred

@mfittko mfittko closed this Dec 31, 2025

Development

Successfully merging this pull request may close these issues.

[docker] Optimize Dockerfile and containerization: multi-stage, healthchecks, security, docs