fix: switch to php:8.2-apache-bookworm, add apt upgrade, Trivy ignore-unfixed

- Base image: php:8.2-apache → php:8.2-apache-bookworm (Debian 12) Reduces OS-level CVEs from ~1200+ to only fixable ones - Add apt-get upgrade -y before package installs - Trivy: add ignore-unfixed: true (suppress CVEs with no available fix) - Pin trivy-action@0.31.0 instead of @master - Upgrade codeql-action upload-sarif v3 → v4
2026-05-16 07:23:39 +00:00
parent 6b982b6730
commit 68906b2f28
2 changed files with 8 additions and 6 deletions
@@ -27,16 +27,17 @@ jobs:
        run: docker build -t evershelf:scan .

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.31.0
        with:
          image-ref: 'evershelf:scan'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
+          ignore-unfixed: true
          exit-code: '0'   # don't fail the build, just report

      - name: Upload Trivy SARIF to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-results.sarif'
          category: 'trivy-docker'
@@ -52,17 +53,18 @@ jobs:
        uses: actions/checkout@v4

      - name: Run Trivy filesystem scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.31.0
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-fs-results.sarif'
          severity: 'CRITICAL,HIGH'
+          ignore-unfixed: true
          exit-code: '0'

      - name: Upload Trivy FS SARIF
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-fs-results.sarif'
          category: 'trivy-fs'