Skip to content

fix(ci): repair the SCA self-scan Trivy install (pinned 0.72.0 deb)#475

Merged
haksungjang merged 3 commits into
mainfrom
fix/sca-self-trivy-install
Jul 7, 2026
Merged

fix(ci): repair the SCA self-scan Trivy install (pinned 0.72.0 deb)#475
haksungjang merged 3 commits into
mainfrom
fix/sca-self-trivy-install

Conversation

@haksungjang

Copy link
Copy Markdown
Contributor

Symptom

The SCA self-scan badge in the README has been red for over a week — every nightly run failed at the Install Trivy step, with no CVE involved.

Root cause

aquasecurity/setup-trivy@v0.2.6 pinned Trivy v0.58.0, whose GitHub release was removed upstream — the git tag v0.58.0 still exists, but its release assets now 404 (Trivy is at 0.72.0). The action resolved the version via the tags API and then failed downloading the vanished asset, exiting 1 immediately.

(The first diagnosis — a moving-ref install.sh change — was wrong; verified on the runner that repos/aquasecurity/trivy/releases/tags/v0.58.0 itself 404s while the git tag resolves.)

Fix

Install the same Trivy the worker image ships (0.72.0) from the upstream per-arch .deb, verified against the SHA-256 already vetted in apps/backend/Dockerfile.worker:

  • Existing release → no vanished-asset failure.
  • Pinned .deb + sha256sum -c → no runtime version resolution, no moving ref, no anon rate-limit surface.
  • Dog-foods the exact scanner end users run, and keeps TRIVY_VERSION in lockstep with the worker image (the image-scan gate drives those bumps).

Verification

Dispatched the workflow on this branch (run 28836722022) — full pipeline green: Install Trivy → SBOM scan → parse → 0 Critical, and the stale-issue-close path ran clean. Locally verified the checksum pipeline and YAML + actionlint.

The nightly SCA self-scan has failed at the "Install Trivy" step on every run
for over a week, leaving the README badge red — with no CVE involved. Root
cause: aquasecurity/setup-trivy@v0.2.6 fetches Trivy's contrib/install.sh from
Trivy's default branch (a MOVING ref) and executes it. Trivy commit 75c4dc0
("add client option to install script", #9962) changed that script, breaking
the invocation the pinned action makes — the step exits 1 immediately after
resolving v0.58.0.

This is the second breakage of the same class (the curl | sh installer broke
the same way in 2026-05, which is why we moved to the action). Fix the class,
not the instance: download the pinned Trivy release tarball directly and verify
it with `sha256sum -c` against the published checksums file. No moving ref, no
GitHub-API tag lookup / rate-limit surface, and it matches the supply-chain
integrity posture TRUSCA itself ships.

Verified the grep + `sha256sum -c` pipeline isolates the correct asset line and
rejects a tampered file; YAML + actionlint clean.
The first attempt hard-coded trivy_<v>_Linux-64bit.tar.gz, which 404s for
v0.58.0 — Trivy's asset naming has varied. Enumerate the immutable pinned
release's assets via the API (token-auth, no rate limit) and match the Linux
amd64 tarball + checksums by pattern, then verify with sha256sum -c. Still
fully pinned on TRIVY_VERSION; no moving ref, no filename guess.
Real root cause: the previously pinned Trivy v0.58.0 GitHub *release* was
removed upstream — the git tag remains but its assets 404, so both setup-trivy
(which resolved 0.58.0 then failed to download it) and the direct-download
attempt failed. Trivy is now at 0.72.0.

Install the exact version the worker image ships (0.72.0) from the upstream
per-arch .deb, verified against the SHA-256 already vetted in
apps/backend/Dockerfile.worker. No runtime version resolution, no moving ref,
and the self-scan now dog-foods the same scanner end users run.
@haksungjang haksungjang merged commit 2d6a4b3 into main Jul 7, 2026
21 checks passed
@haksungjang haksungjang deleted the fix/sca-self-trivy-install branch July 7, 2026 02:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant