fix(security): resolve GitHub code scanning alert #1 (#291)

AbdelrhmanHamouda · web-flow · commit 5c6ccd5b78e1 · 2026-02-16T09:53:58.000+01:00
* fix(ci): scope workflow permissions to job level and use Trivy action for SBOM generation

Move permissions from workflow level to job level in docs-preview workflow for principle of least privilege. Replace manual Trivy installation and CLI commands with aquasecurity/trivy-action@0.29.0 for SBOM generation in release workflow.

* chore: fux
diff --git a/.github/workflows/docs-preview.yml b/.github/workflows/docs-preview.yml
@@ -16,17 +16,15 @@ on:
       - master
       - main
 
-permissions:
-  contents: write  # Required to push to gh-pages branch
-  pages: write
-  id-token: write
-  pull-requests: write
-  actions: read
-
 jobs:
   # Build and deploy docs preview for opened/updated PRs
   build-preview:
-    if: github.event.action != 'closed'
+    permissions:
+      contents: write       # Push to gh-pages branch
+      pull-requests: write  # Create/update preview comment
+    # SECURITY: Only run on pull_request trigger (not pull_request_target) to prevent
+    # untrusted fork PRs from executing code with write permissions (RCE vulnerability)
+    if: github.event_name == 'pull_request' && github.event.action != 'closed'
     runs-on: ubuntu-latest
     steps:
       - name: 📂 Checkout PR code
@@ -126,6 +124,9 @@ jobs:
 
   # Clean up preview when PR is closed/merged
   cleanup-preview:
+    permissions:
+      contents: write       # Push to gh-pages branch
+      pull-requests: write  # Update comment on cleanup
     if: github.event.action == 'closed'
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -46,26 +46,19 @@ jobs:
             --bare \
             --tags=${{ github.ref_name }},latest
 
-      - name: 🔍 Install Trivy
-        run: |
-          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
-          echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
-          sudo apt-get update
-          sudo apt-get install trivy
-
       - name: 📋 Generate SBOM (SPDX format)
-        run: |
-          trivy image \
-            --format spdx-json \
-            --output sbom-spdx.json \
-            ${{ env.DOCKER_IMAGE }}:${{ github.ref_name }}
+        uses: aquasecurity/trivy-action@0.29.0
+        with:
+          image-ref: ${{ env.DOCKER_IMAGE }}:${{ github.ref_name }}
+          format: spdx-json
+          output: sbom-spdx.json
 
       - name: 📋 Generate SBOM (CycloneDX format)
-        run: |
-          trivy image \
-            --format cyclonedx \
-            --output sbom-cyclonedx.json \
-            ${{ env.DOCKER_IMAGE }}:${{ github.ref_name }}
+        uses: aquasecurity/trivy-action@0.29.0
+        with:
+          image-ref: ${{ env.DOCKER_IMAGE }}:${{ github.ref_name }}
+          format: cyclonedx
+          output: sbom-cyclonedx.json
 
       - name: 📦 Upload SBOMs to release
         uses: softprops/action-gh-release@v2
