fix vulnerabilities and scan to CI

Author: mike-parkhill

.github/workflows/ci.yml

@@ -41,3 +41,25 @@ jobs:
       - name: Run tests (mcp-shared)
         run: npm run test -- --run
         working-directory: packages/mcp-shared
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build truvera-api image for scanning
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./apps/truvera-api/Dockerfile
+          load: true
+          tags: truvera-api-mcp:ci
+          build-args: |
+            BUILD_NUMBER=${{ github.run_number }}
+
+      - name: Scan truvera-api image for HIGH and CRITICAL vulnerabilities
+        uses: aquasecurity/trivy-action@v0.35.0
+        with:
+          image-ref: truvera-api-mcp:ci
+          format: table
+          ignore-unfixed: true
+          severity: HIGH,CRITICAL
+          exit-code: '1'

apps/truvera-api/Dockerfile

@@ -1,7 +1,7 @@
 # Multi-stage build for Truvera MCP Service
 ARG BUILD_NUMBER=1
 
-FROM node:22-alpine3.21 AS builder
+FROM node:22-alpine3.22 AS builder
 
 ARG BUILD_NUMBER
 
@@ -11,9 +11,6 @@ WORKDIR /app
 RUN apk update && apk upgrade --no-cache && \
     apk add --no-cache openssl
 
-# Upgrade npm
-RUN npm install -g npm@11.6.4 --no-fund --no-audit
-
 # Copy root package files for workspace
 COPY package*.json ./
 
@@ -39,17 +36,14 @@ COPY apps/truvera-api/tsconfig.json ./apps/truvera-api/
 RUN BUILD_NUMBER=$BUILD_NUMBER npm run build --workspace=apps/truvera-api
 
 # Runtime stage
-FROM node:22-alpine3.21
+FROM node:22-alpine3.22
 
 WORKDIR /app
 
 # Upgrade system packages to fix security vulnerabilities
 RUN apk update && apk upgrade --no-cache && \
     apk add --no-cache openssl
 
-# Upgrade npm in the runtime image too (keeps logs consistent)
-RUN npm install -g npm@11.6.4 --no-fund --no-audit
-
 # Copy root package files
 COPY package*.json ./
 
@@ -58,7 +52,7 @@ COPY packages/mcp-shared/package*.json ./packages/mcp-shared/
 COPY apps/truvera-api/package*.json ./apps/truvera-api/
 
 # Install production dependencies only
-RUN npm ci --workspaces --only=production
+RUN npm ci --workspaces --omit=dev
 
 # Copy built shared package from builder
 COPY --from=builder /app/packages/mcp-shared/dist ./packages/mcp-shared/dist

package-lock.json

@@ -21,6 +21,12 @@
     "packages/*",
     "apps/*"
   ],
+  "overrides": {
+    "@hono/node-server": "^1.19.12",
+    "express-rate-limit": "^8.3.2",
+    "hono": "^4.12.11",
+    "path-to-regexp": "^8.4.2"
+  },
   "engines": {
     "node": ">=18.0.0",
     "npm": ">=8.0.0"