
Feat/1054 feature testing trivy#1093

Merged
DanielOber merged 47 commits intomainfrom
feat/1054-feature-testing-trivy
Mar 12, 2026

Conversation


@DanielOber DanielOber commented Jun 26, 2025

  • Introduced Trivy and used the LHM action for it
  • necessary LCM measures for Trivy

Summary by CodeRabbit

  • Chores
    • Added automated vulnerability scanning for pull requests; CI will run security checks and surface findings.
    • Uploads a scan report artifact for review.
    • Added an ignore entry for a specific CVE to reduce noise from an accepted risk.
    • Updated project dependencies and parent component versions to incorporate security fixes and align with newer releases.

@DanielOber DanielOber requested review from a team as code owners June 26, 2025 13:51
@DanielOber DanielOber linked an issue Jun 26, 2025 that may be closed by this pull request
2 tasks
@github-actions github-actions bot added the Type: Feature The issue is an feature label Jun 26, 2025

coderabbitai bot commented Jun 26, 2025

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Adds a GitHub Actions workflow that runs a Trivy security scan on pull requests, a repository-level .trivyignore excluding one CVE, and Pom updates: a commons‑lang3 dependency added (duplicate entry) and version bumps in refarch-eai/pom.xml.

Changes

Cohort / File(s) | Summary

  • CI workflow (.github/workflows/trivy.yml): New workflow "build" triggered on pull_request; job build named "Security Check" runs on ubuntu-latest and invokes it-at-m/lhm_actions/action-templates/actions/action-trivy@12966547963631f8429d42bab860485b413003c2.
  • Trivy ignore (.trivyignore): New file containing CVE-2025-48924 (no trailing newline shown).
  • Backend POM dependency changes (refarch-backend/pom.xml): Added org.apache.commons:commons-lang3:3.18.0 with compile scope; appears duplicated in the file (two entries added).
  • EAI POM version bumps (refarch-eai/pom.xml): Parent POM version updated from 3.5.4 to 3.5.10; camel-spring-boot-dependencies.version updated from 4.14.5 to 4.18.0.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor Dev as Developer
    participant GH as GitHub
    participant R as Runner (ubuntu-latest)
    participant CO as actions/checkout
    participant AT as action-templates/action-trivy

    Dev->>GH: Open or update PR
    GH-->>R: Trigger "build" workflow on PR
    R->>CO: Checkout repository
    CO-->>R: Repo fetched
    R->>AT: Invoke Trivy action (action-trivy@...)
    Note right of AT: Reads `.trivyignore` (contains CVE-2025-48924)
    AT-->>R: Return exit code (0 = no vulns, 1 = vulns)
    alt Exit code 0
        R-->>GH: Report success
    else Exit code 1
        R-->>GH: Mark job failed
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

I hopped through commits, sniffed each file's map,
Planted a Trivy watch and a small ignore gap.
Two POM tweaks and a duplicated line—
I nibble the warnings, then dance on the vine. 🐇✨

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

  • Description check: ⚠️ Warning. PR description is in German with minimal detail and does not follow the template structure. Missing issue reference, changes list, and checklist. Resolution: rewrite the description following the template: list changes in English, add the issue reference (Issue: #XXX), and complete the relevant checklist items.
  • Title check: ❓ Inconclusive. The title partially relates to the changeset by referencing Trivy testing, but is overly vague with 'feature testing' and does not clearly convey that this adds a Trivy security scanning workflow. Resolution: revise the title to be more specific and descriptive, such as 'Add Trivy security scanning workflow' or 'Add GitHub Actions Trivy security check workflow'.
✅ Passed checks (1 passed)
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2572d77 and ad14414.

📒 Files selected for processing (1)
  • .github/workflows/trivy.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/trivy.yml

4-4: string should not be empty

(syntax-check)

🪛 GitHub Check: Run actionlint
.github/workflows/trivy.yml

[failure] 4-4:
string should not be empty

🪛 GitHub Actions: Actionlint
.github/workflows/trivy.yml

[error] 4-4: actionlint syntax-check error: string should not be empty

⏰ Context from checks skipped due to timeout of 90000ms (1)
  • GitHub Check: build (refarch-backend)
🔇 Additional comments (1)
.github/workflows/trivy.yml (1)

8-10: Confirm runner availability
ubuntu-24.04 is still in preview and not enabled by default for all orgs. Jobs may queue indefinitely or fail. Switch to ubuntu-latest or confirm that 24.04 is permitted in your org settings.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ad14414 and 57705c7.

📒 Files selected for processing (1)
  • .github/workflows/trivy.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (1)
  • GitHub Check: build (refarch-backend)
🔇 Additional comments (2)
.github/workflows/trivy.yml (2)

2-4: Trigger section fixed – looks good.

You removed the empty branches: array and aligned pull_request: correctly, resolving the actionlint error flagged earlier.
No further issues here.


6-7: I’ll verify whether ubuntu-24.04 is still marked as beta on GitHub’s hosted runners.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/trivy.yml (1)

12-20: Still missing scan-type & cache parameters

Prior feedback suggested adding scan-type: image for explicitness and cache: true for ~2× faster subsequent runs, but they are still absent.

       - name: Run Trivy vulnerability scanner in Image mode
         uses: aquasecurity/trivy-action@0.28.0
         with:
+          scan-type: image     # explicit, avoids confusion
           image-ref: 'ghcr.io/it-at-m/refarch-templates/refarch-backend:dev'
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
           vuln-type: 'os,library'
           severity: 'CRITICAL,HIGH'
+          cache: true          # reuse vulnerability DB, speeds up CI
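Review bot: with `image-ref` pointing at the published `ghcr.io/.../refarch-backend:dev` tag, a pull-request run scans whatever was last pushed to that tag rather than the code in the PR, so a PR that introduces a vulnerable dependency passes until the image is rebuilt from it. For PR gating, scan the checkout with `scan-type: fs` (which later revisions of this workflow do) or build the image inside the job and scan that; the `cache: true` addition is sound either way.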
📜 Review details

Configuration used: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 57705c7 and b33ef1a.

📒 Files selected for processing (1)
  • .github/workflows/trivy.yml (1 hunks)


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/trivy.yml (1)

7-7: Runner label still not GA – workflow may never start
ubuntu-24.04 isn’t yet available on GitHub-hosted runners. Workflows will stay in the “queued” state once merged (or require a self-hosted runner). Use a GA label such as ubuntu-latest or ubuntu-22.04.

This is the same concern raised in a previous review and is still unresolved.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cfa03de and 9d77236.

📒 Files selected for processing (1)
  • .github/workflows/trivy.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (1)
  • GitHub Check: build (refarch-backend)


hupling commented Jun 30, 2025

actually, everything has to be moved out into https://github.com/it-at-m/lhm_actions


hupling commented Jun 30, 2025

When should the scan be run?

  • probably a scheduled scan on main
  • when a new dependency is added.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 7

♻️ Duplicate comments (1)
.github/workflows/trivy.yml (1)

12-17: Fix step name ↔ scan-type mismatch and drop superfluous quoting.

The step says “Image mode” but runs fs scan; also quotes aren’t needed.

Apply:

-      - name: Run Trivy vulnerability scanner in Image mode
+      - name: Run Trivy vulnerability scanner in FS mode
         uses: aquasecurity/trivy-action@0.28.0
         with:
-          scan-type: 'fs'
-          format: 'table'
-          exit-code: '1'
+          scan-type: fs
+          format: table
+          exit-code: 1
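Review bot: the quoting change is cosmetic, since every `with:` input reaches the action as a string and `exit-code: 1` is identical to `exit-code: '1'`; the step rename is the substantive fix, because a step labelled "Image mode" that actually runs `scan-type: fs` misleads anyone reading the check results about what was gated.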
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 9d77236 and 66dd71a.

📒 Files selected for processing (1)
  • .github/workflows/trivy.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build (refarch-backend)


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

♻️ Duplicate comments (7)
.github/workflows/trivy.yml (7)

12-17: Step name says “Image mode” but you scan FS; drop quotes for cleanliness.

Align label with scan-type and remove superfluous quoting.

-      - name: Run Trivy vulnerability scanner in Image mode
+      - name: Run Trivy vulnerability scanner in FS mode
         uses: aquasecurity/trivy-action@0.28.0
         with:
-          scan-type: 'fs'
-          format: 'table'
-          exit-code: '1'
+          scan-type: fs
+          format: table
+          exit-code: 1

15-18: Gate on actionable issues; enable broader scanners and cache.

Tighten signal and speed up CI.

           scan-type: fs
-          format: table
-          exit-code: 1
-          trivyignores: '.github/.trivyignore'
+          format: table
+          exit-code: 1
+          severity: HIGH,CRITICAL
+          ignore-unfixed: true
+          scanners: vuln,secret,misconfig
+          cache: true
+          trivyignores: '.github/.trivyignore'
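Review bot: adding `scanners: vuln,secret,misconfig` while keeping `exit-code: 1` turns any HIGH/CRITICAL secret or misconfiguration finding (for example in a Dockerfile) into a PR failure from the first run; run the broadened scan once without the gate to establish a baseline before enabling it. Note also that `trivyignores: '.github/.trivyignore'` must match where the file is actually committed; a later review in this thread lists it under `.github/workflows/`.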

13-13: Pin the action to a commit SHA (supply-chain hardening).

Replace the tag with the release commit SHA.

-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@<commit-sha-for-desired-release>
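Review bot: when the placeholder is replaced, keep the release tag in a trailing comment (`uses: aquasecurity/trivy-action@<sha> # 0.28.0`) so Dependabot or Renovate can still recognise the pin and propose bumps, and take the SHA from the release tag itself rather than from the head of a branch so the pin corresponds to a reviewed release.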
What is the latest stable commit SHA for aquasecurity/trivy-action, and which release tag does it correspond to?

1-4: Triggers: add push (deps), schedule, manual — aligns with PR discussion.

Covers “run on main” and “on new dependency” asks.

 name: build
 on:
-  pull_request:
+  pull_request:
+    branches: ['**']
+    types: [opened, synchronize, reopened, ready_for_review]
+  push:
+    branches: [main]
+    paths:
+      - '**/package-lock.json'
+      - '**/pnpm-lock.yaml'
+      - '**/yarn.lock'
+      - '**/pom.xml'
+      - '**/build.gradle*'
+      - '**/gradle.lockfile'
+      - '**/go.mod'
+      - '**/go.sum'
+      - '**/requirements*.txt'
+      - '**/Pipfile.lock'
+  schedule:
+    - cron: '0 2 * * 1'
+  workflow_dispatch:
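Review bot: `branches: ['**']` under `pull_request` is already the default and can be dropped. More importantly, a `schedule` run has no PR to block, so with `exit-code: 1` its failure shows up only as a red workflow run on `main`; make sure failed scheduled runs reach someone (workflow failure notifications or a follow-up step that opens an issue), otherwise the weekly scan fails unnoticed.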

1-7: Harden workflow: least-privilege, concurrency, timeout.

Prevents privilege creep and hanging runs.

 on:
   pull_request:
+permissions:
+  contents: read
+
+concurrency:
+  group: trivy-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 jobs:
   build:
     name: Trivy Check
     runs-on: ubuntu-latest
+    timeout-minutes: 20
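Review bot: the concurrency group `trivy-${{ github.workflow }}-${{ github.ref }}` keys only on the ref, so once the `push` and `schedule` triggers suggested in this same review are added, a scheduled run on `main` lands in the same group as a push-triggered run on `main` and `cancel-in-progress: true` cancels one of them; include `${{ github.event_name }}` in the group, or limit cancellation to pull-request runs.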

12-17: Optional: publish SARIF to Security tab while keeping gating step.

Adds history and annotations without weakening the gate.

      - name: Generate Trivy SARIF (no gate)
        uses: aquasecurity/trivy-action@<pinned-sha>
        with:
          scan-type: fs
          format: sarif
          output: trivy-results.sarif
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          scanners: vuln,secret,misconfig
          cache: true
          exit-code: 0

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif

1-19: Consider centralizing Trivy as a composite action in lhm_actions.

Improves reuse and consistency across repos.

Example consumer:

      - name: Trivy FS scan
        uses: it-at-m/lhm_actions/trivy-scan@v1
        with:
          scan-type: fs
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: 1
          trivyignores: .github/.trivyignore
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 66dd71a and eaa365d.

📒 Files selected for processing (2)
  • .github/.trivyignore (1 hunks)
  • .github/workflows/trivy.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build (refarch-backend)


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

♻️ Duplicate comments (6)
.github/workflows/trivy.yml (6)

12-17: Step name ↔ scan type mismatch; tighten inputs and drop superfluous quotes.

Rename to reflect fs scan; add severity gating, enable cache, and remove unnecessary quotes.

-      - name: Run Trivy vulnerability scanner in Image mode
-        uses: aquasecurity/trivy-action@0.28.0
+      - name: Run Trivy vulnerability scanner in FS mode
+        uses: aquasecurity/trivy-action@0.28.0
         with:
-          scan-type: 'fs'
-          format: 'table'
-          exit-code: '1'
+          scan-type: fs
+          format: table
+          exit-code: 1
+          severity: HIGH,CRITICAL
+          ignore-unfixed: true
+          scanners: vuln,secret,misconfig
+          cache: true
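Review bot: `ignore-unfixed: true` combined with `exit-code: 1` means a HIGH or CRITICAL finding with no available fix never fails the gate; that is a reasonable accepted-risk choice for a PR check, but it should be stated in a comment next to the input so the exemption is deliberate and revisited, and the unfixed findings should still be visible somewhere (for example via a scheduled run without the flag). The `uses:` line is removed and re-added unchanged in this hunk, which only adds noise to the suggestion.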

18-18: Broken ignore-file path: points to filesystem root.

'/.trivyignore' won’t exist on the runner; use the actual repo path added in this PR.

-          trivyignores: '/.trivyignore'
+          trivyignores: '.github/workflows/.trivyignore'
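Review bot: the path is resolved relative to the checkout, so `.github/workflows/.trivyignore` is correct only if that is where the file was committed (this review lists `.github/workflows/.trivyignore`, an earlier one listed `.github/.trivyignore`). Since every entry in that file is a risk the gate will never fail on, give each CVE line a `#` comment with the justification and a review date; Trivy treats lines starting with `#` as comments.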

12-18: Optional: publish SARIF to Security tab while keeping gate.

Keeps the first step as the gate; add a non-gating SARIF run and upload.

       - name: Run Trivy vulnerability scanner in FS mode
         uses: aquasecurity/trivy-action@f9424c1
         with:
           scan-type: fs
           format: table
           exit-code: 1
           severity: HIGH,CRITICAL
           ignore-unfixed: true
           scanners: vuln,secret,misconfig
           cache: true
           trivyignores: .github/workflows/.trivyignore
+
+      - name: Generate Trivy SARIF (no gate)
+        uses: aquasecurity/trivy-action@f9424c1
+        with:
+          scan-type: fs
+          format: sarif
+          output: trivy-results.sarif
+          severity: HIGH,CRITICAL
+          ignore-unfixed: true
+          scanners: vuln,secret,misconfig
+          cache: true
+          trivyignores: .github/workflows/.trivyignore
+          exit-code: 0
+
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-results.sarif
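Review bot: `github/codeql-action/upload-sarif` needs `security-events: write`, which the `permissions: contents: read` block suggested in this same review does not grant, so the upload step is rejected once least-privilege permissions are added; grant that permission on this job only. Also `@f9424c1` is an abbreviated SHA; use the full 40-character commit SHA for the pin, as GitHub recommends.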

5-7: Set a job timeout.

Avoids hanging CI on network/DB stalls.

 jobs:
   build:
     name: Trivy Check
     runs-on: ubuntu-latest
+    timeout-minutes: 20

1-4: Add least-privilege permissions and concurrency.

Prevents privilege creep and cancels redundant runs.

 on:
   pull_request:
+permissions:
+  contents: read
+  # security-events: write  # only if uploading SARIF
+
+concurrency:
+  group: trivy-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
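Review bot: if `security-events: write` is enabled for SARIF upload, put it at job level on the upload step's job rather than at workflow level so the gating scan job stays read-only. Note too that `pull_request` runs from forks receive a read-only `GITHUB_TOKEN` regardless of this block, so SARIF upload on fork PRs would fail anyway and is best limited to `push` and `schedule` runs on `main`.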

1-4: Triggers don’t match PR objectives; add push + schedule + manual.

Aligns with comments: run on main (dependency changes) and on a schedule, keep PR scans.

 name: build
 on:
-  pull_request:
+  pull_request:
+    branches: ['**']
+    types: [opened, synchronize, reopened, ready_for_review]
+  push:
+    branches: [main]
+    paths:
+      - '**/package-lock.json'
+      - '**/pnpm-lock.yaml'
+      - '**/yarn.lock'
+      - '**/pom.xml'
+      - '**/build.gradle*'
+      - '**/gradle.lockfile'
+      - '**/go.mod'
+      - '**/go.sum'
+      - '**/requirements*.txt'
+      - '**/Pipfile.lock'
+  schedule:
+    - cron: '0 2 * * 1'   # weekly Mon 02:00 UTC
+  workflow_dispatch:
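Review bot: the `paths` filter omits `Dockerfile` and other container manifests, although the `misconfig` scanner enabled in this same review targets exactly those, so a base-image bump on `main` is not rescanned until the weekly schedule; the AI prompt later in this thread lists `Dockerfile` among the trigger paths, and it should be included here as well.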
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between eaa365d and 518d259.

📒 Files selected for processing (2)
  • .github/workflows/.trivyignore (1 hunks)
  • .github/workflows/trivy.yml (1 hunks)
🔇 Additional comments (1)
.github/workflows/trivy.yml (1)

13-13: Pin Trivy Action to a specific commit SHA
Replace the version tag with the exact commit SHA to prevent tag hijacks:

-      uses: aquasecurity/trivy-action@0.28.0
+      uses: aquasecurity/trivy-action@<commit-sha>  # pin to the exact release commit


@github-actions github-actions bot added the Template: EAI Issues regarding the eai template. label Feb 19, 2026
@github-actions github-actions bot added the Template: Backend Issues regarding the backend template. label Feb 20, 2026
@DanielOber DanielOber requested a review from hupling February 20, 2026 11:40

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@refarch-backend/pom.xml`:
- Around line 255-260: The pom.xml adds commons-lang3 with a hardcoded version;
extract that into a properties entry (follow the existing pattern for
commons-collections4.version, commons-text.version, commons-io.version) by
adding a new property like commons-lang3.version in the <properties> block and
then change the <version> in the commons-lang3 <dependency> to reference
${commons-lang3.version}; update any related comments to reflect the CVE fix if
needed.
- Around line 255-260: Add a new Maven property named commons-lang3.version with
value 3.18.0 in the POM properties block and update the existing commons-lang3
dependency to use that property (replace the hardcoded <version>3.18.0</version>
with ${commons-lang3.version}); reference the dependency by its artifactId
commons-lang3 so you modify the dependency declaration consistently with other
commons-* properties like commons-collections4.version.

---

Duplicate comments:
In @.github/workflows/trivy.yml:
- Line 1: The workflow name is currently set to a generic value ("name: build");
update the workflow name to a descriptive label like "Trivy Security Scan" by
replacing the value assigned to the name field in the workflow file (the "name"
key at the top of the YAML) so CI checks and badges show a self-explanatory
title.
- Around line 4-7: Add the workflow-level least-privilege permissions, a
concurrency block to cancel stale runs, and a job timeout guard: add a top-level
permissions: contents: read, add a concurrency: group that uses something like
github.workflow + github.ref (and set cancel-in-progress: true) to prevent
duplicate/stale runs, and add timeout-minutes under the build job (e.g.,
timeout-minutes: 15) to bound execution for the "Security Check" job.
- Around line 2-3: Current workflow only triggers on pull_request; update the
on: block to also run on scheduled scans and on pushes to lock/manifest updates
so main and dependency bumps are scanned. Specifically, modify the on: block
(where "pull_request" is declared) to include a "schedule" entry (e.g., a cron
that runs daily/weekly) and a "push" entry with a paths filter for
dependency/manifest files (examples: **/package-lock.json, **/yarn.lock,
**/pnpm-lock.yaml, **/go.sum, **/Cargo.lock, **/Gemfile.lock, Dockerfile) so
pushes changing those files and scheduled runs against main trigger the Trivy
workflow.
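The trigger question raised by hupling above (scheduled scan on main, scan when a dependency is added) and the hardening points collected in the review prompt above, folded into one workflow as an added example. This is not the file merged in this PR (which delegates to the it-at-m/lhm_actions wrapper) but a direct aquasecurity/trivy-action workflow; the commit SHAs are placeholders, and the ignore-file path assumes the location used in the later reviews.

```yaml
# Added example (not the project's own workflow): one hardened trivy.yml that
# applies the review points from this thread. Replace the placeholder SHAs with
# the full 40-character commit SHA of the release you pin to.
name: Trivy Security Scan           # descriptive instead of the generic "build"

on:
  pull_request:                     # gate every PR (default types: opened, synchronize, reopened)
  push:
    branches: [main]
    paths:                          # re-scan main when dependency manifests or images change
      - '**/pom.xml'
      - '**/package-lock.json'
      - '**/pnpm-lock.yaml'
      - '**/yarn.lock'
      - '**/Dockerfile'
  schedule:
    - cron: '0 2 * * 1'             # weekly, Monday 02:00 UTC, catches CVEs published after merge
  workflow_dispatch:                # manual run for triage

permissions:
  contents: read                    # least privilege for the whole workflow

concurrency:
  # event_name is part of the key so a scheduled run on main never cancels a push run on main
  group: trivy-${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  trivy:
    name: Security Check
    runs-on: ubuntu-latest
    timeout-minutes: 15             # bound runs that stall on the vulnerability DB download

    steps:
      - name: Checkout
        uses: actions/checkout@<full-40-char-sha>        # placeholder pin; keep "# v4" style tag comment

      - name: Run Trivy vulnerability scanner in FS mode # step name matches scan-type
        uses: aquasecurity/trivy-action@<full-40-char-sha> # placeholder pin; keep "# 0.28.0" style tag comment
        with:
          scan-type: fs
          format: table
          exit-code: 1                # fail the job on findings
          severity: HIGH,CRITICAL     # gate only on actionable severities
          ignore-unfixed: true        # accepted risk: findings with no available fix do not block PRs
          scanners: vuln,secret,misconfig
          cache: true                 # reuse the vulnerability DB between runs
          trivyignores: .github/workflows/.trivyignore   # assumed path; must match the committed file
```

Each line in the referenced .trivyignore should carry a `#` comment stating why the CVE is accepted and when it is to be reviewed, since the gate will never fail on those entries.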

hupling previously approved these changes Mar 12, 2026

@hupling hupling left a comment


lgtm

DanielOber and others added 2 commits March 12, 2026 15:42
@DanielOber DanielOber enabled auto-merge (squash) March 12, 2026 14:51

@devtobi devtobi left a comment


LGTM

@DanielOber DanielOber merged commit 0185fb6 into main Mar 12, 2026
15 checks passed
@DanielOber DanielOber deleted the feat/1054-feature-testing-trivy branch March 12, 2026 14:53

hupling commented Mar 13, 2026

(screenshot)

@DanielOber there is still an error


Resolved with #1446

Development

Successfully merging this pull request may close these issues.

add trivy [Feature] Testing Trivy

3 participants