Merge pull request #141 from BitGo/WP-6506-npm-trivy-ci-checks

pranavjain97 · web-flow · commit 19b067a6bb1a · 2025-10-31T15:41:23.000-04:00
feat: add npm security checks in CI via trivy
diff --git a/.github/workflows/build-and-test.yaml b/.github/workflows/build-and-test.yaml
@@ -99,6 +99,43 @@ jobs:
       - name: Lint
         run: npm run lint
 
+  trivy-scan:
+    name: Security - Trivy Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ inputs.node-version }}
+          cache: 'npm'
+
+      - name: Cache dependencies
+        uses: actions/cache@v3
+        id: node-modules-cache
+        with:
+          path: '**/node_modules'
+          key: ${{ runner.os }}-modules-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-modules-
+
+      - name: Install dependencies
+        if: steps.node-modules-cache.outputs.cache-hit != 'true'
+        run: npm ci
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          format: 'table'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1'
+          ignore-unfixed: true
+          scanners: 'vuln' # Only scan for vulnerabilities, not secrets
+
   test:
     name: Test
     runs-on: ubuntu-latest
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,27 @@
+# Trivy Ignore File
+# Exclude false positive vulnerabilities from security scans
+#
+# NOTE: We use scanners:'vuln' in CI workflows to skip secret scanning entirely.
+# Test certificates (.pem, .key files) are not scanned for secrets in CI.
+#
+# This file is used for ignoring specific CVEs that are false positives.
+# 
+# Format:
+#   CVE-ID [exp:YYYY-MM-DD] [# comment]
+#
+# Examples:
+#   CVE-2024-12345  # False positive - not applicable to our usage
+#   CVE-2024-67890 exp:2025-12-31  # Temporary ignore until vendor fixes
+#
+
+# Add specific CVE ignores below with reasons:
+
+# Ruby gem vulnerabilities in js-xdr/Gemfile.lock
+# Source: @bitgo-beta/sdk-coin-algo -> stellar-sdk@10.4.1 -> stellar-base -> js-xdr@1.3.0
+# Reason: Ruby gems are not executed in Node.js runtime, false positive
+# These are packaged Ruby files for Ruby bindings/testing, not used in JavaScript
+CVE-2020-8165   # rubygem-activesupport 4.2.1
+CVE-2023-22796  # rubygem-activesupport 4.2.1
+CVE-2014-10077  # rubygem-i18n 0.7.0
+CVE-2020-10663  # rubygem-json 1.8.2
+CVE-2022-31163  # rubygem-tzinfo 1.2.2
