karant-dev · karant-dev · Jan 18, 2026 · Jan 18, 2026 · Jan 18, 2026 · Jan 18, 2026
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -68,7 +68,17 @@ jobs:
           format: 'sarif'
           output: 'trivy-results.sarif'
           severity: 'CRITICAL,HIGH'
-          exit-code: '1' # Fail the build on vulnerability
+          exit-code: '0' # Don't fail yet, just generate report
+          trivyignores: .trivyignore
+          ignore-unfixed: true
+
+      - name: Run Trivy vulnerability scanner (Console Output)
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
+          format: 'table'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1' # Fail here to stop the build
           trivyignores: .trivyignore
           ignore-unfixed: true
 

diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Stage 1: Build & Dependencies
 FROM node:20-slim as builder
 WORKDIR /app

 # Install build dependencies for node-canvas (Debian)
@@ -20,7 +20,7 @@
 RUN npm prune --production

 # Stage 2: Web (Nginx)
 FROM nginx:alpine as web
 RUN apk add --no-cache curl
 RUN touch /var/run/nginx.pid && \
  chown -R nginx:nginx /var/run/nginx.pid && \
@@ -35,18 +35,24 @@
 CMD ["nginx", "-g", "daemon off;"]

 # Stage 3: API (Node)
 FROM node:20-slim as api
 WORKDIR /app
 
 # Install runtime dependencies for node-canvas (Debian)
-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apt-get upgrade -y && apt-get install -y \
   libcairo2 \
   libpango-1.0-0 \
   libpangocairo-1.0-0 \
   libjpeg62-turbo \
   libgif7 \
   librsvg2-2 \
   && npm install -g npm@latest \
+  && npm install -g tar@7.5.3 \
+  && rm -rf /usr/local/lib/node_modules/npm/node_modules/tar \
+  && cp -r /usr/local/lib/node_modules/tar /usr/local/lib/node_modules/npm/node_modules/ \
+  && rm -rf /usr/local/lib/node_modules/tar \
+  && rm -rf /root/.npm \
+  && rm -rf ~/.npm \
   && rm -rf /var/lib/apt/lists/*
 
 COPY package*.json ./
@@ -57,7 +63,8 @@
 COPY --from=builder /app/tsconfig.json ./
 
 # Install tsx globally
-RUN npm install -g tsx
+RUN npm install -g tsx \
+  && rm -rf /root/.npm
 
 USER node
 EXPOSE 3000