Skip to content

chore: harden webapp docker image #3845

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
nicktrn merged 5 commits into from
Jun 5, 2026
+104 −11
Merged

chore: harden webapp docker image #3845

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
02ea05c
chore(docker): bookworm-slim base + apt upgrade on build
nicktrn Jun 4, 2026
170bafb
chore(emails): move react-email CLI to devDependencies
nicktrn Jun 4, 2026
5d8c2e2
ci: scan published webapp image post-publish (OS, summary-only)
nicktrn Jun 4, 2026
4b9b996
chore(docker): bump goose v3.26.0->v3.27.1, builder go 1.23->1.26
nicktrn Jun 4, 2026
93199f2
ci: log in to GHCR before image scan for private-image support
nicktrn Jun 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions .github/workflows/publish-webapp.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,13 @@ on:
type: string
required: false
default: ""
outputs:
version:
description: The published image tag
value: ${{ jobs.publish.outputs.version }}
short_sha:
description: Short commit SHA of the published build
value: ${{ jobs.publish.outputs.short_sha }}
secrets:
SENTRY_AUTH_TOKEN:
required: false
Expand Down
11 changes: 11 additions & 0 deletions .github/workflows/publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -96,3 +96,14 @@ jobs:
uses: ./.github/workflows/publish-worker-v4.yml
with:
image_tag: ${{ inputs.image_tag }}

# OS-level CVE scan of the image just published above. Report-only (writes to
# the run summary); runs alongside the worker publishes and never blocks them.
scan-webapp:
needs: [publish-webapp]
permissions:
contents: read
packages: read # pull the just-published image from GHCR
uses: ./.github/workflows/trivy-image-webapp.yml
with:
image-ref: ghcr.io/triggerdotdev/trigger.dev:${{ needs.publish-webapp.outputs.version }}
75 changes: 75 additions & 0 deletions .github/workflows/trivy-image-webapp.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
name: Trivy Image Scan (webapp)

# OS-level CVE scan of a published webapp image. Called by the publish pipeline
# (publish.yml) to scan each build right after it's pushed to GHCR — so every
# main build and every release is scanned, not rebuilt. Also runnable ad-hoc
# via workflow_dispatch against any image ref.
#
# Report-only: writes a table to the run summary. No SARIF upload, no gate.
# Library/dependency CVEs are covered by Dependabot, so this is restricted to
# OS packages (`vuln-type: os`) to avoid double-reporting.

on:
workflow_call:
inputs:
image-ref:
description: "Full image ref to scan (e.g. ghcr.io/triggerdotdev/trigger.dev:main)"
type: string
required: true
workflow_dispatch:
inputs:
image-ref:
description: "Full image ref to scan"
type: string
required: false
default: "ghcr.io/triggerdotdev/trigger.dev:main"

permissions: {}

concurrency:
group: trivy-image-webapp-${{ inputs.image-ref }}
cancel-in-progress: true

jobs:
scan:
name: Scan
runs-on: ubuntu-latest
permissions:
contents: read
packages: read # pull the image from GHCR
steps:
# Authenticate to GHCR so the scan also works for private images
# (GITHUB_TOKEN isn't forwarded to Docker automatically). Harmless for
# public images. Pairs with the packages: read permission above.
- name: Log in to GitHub Container Registry
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Run Trivy image scan
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
scan-type: image
image-ref: ${{ inputs.image-ref }}
# vuln-type maps to --pkg-types: OS packages only (library deps are
# Dependabot's job). ignore-unfixed drops vulns with no patch yet.
vuln-type: os
ignore-unfixed: true
severity: HIGH,CRITICAL
format: table
output: trivy-image-webapp.txt
Comment thread
nicktrn marked this conversation as resolved.

- name: Job summary
if: always()
env:
IMAGE_REF: ${{ inputs.image-ref }}
run: |
{
echo "## Trivy Image Scan (webapp) — \`${IMAGE_REF}\`"
echo '```'
# GitHub step summary is capped at 1 MiB; truncate large reports.
head -c 900000 trivy-image-webapp.txt 2>/dev/null || echo "(no report produced)"
echo '```'
} >> "$GITHUB_STEP_SUMMARY"
12 changes: 6 additions & 6 deletions docker/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
ARG NODE_IMAGE=node:20.20.2-bullseye-slim@sha256:65ef49f7d24aefd012a7fc6f9a2b734bcc19e424976a81f60c86b47266ef5b28
ARG NODE_IMAGE=node:20.20.2-bookworm-slim@sha256:2cf067cfed83d5ea958367df9f966191a942351a2df77d6f0193e162b5febfc0

FROM golang:1.23-alpine AS goose_builder
RUN go install github.com/pressly/goose/v3/cmd/goose@v3.26.0
FROM golang:1.26-alpine AS goose_builder
RUN go install github.com/pressly/goose/v3/cmd/goose@v3.27.1

FROM ${NODE_IMAGE} AS pruner

Expand All @@ -13,7 +13,7 @@ RUN find . -name "node_modules" -type d -prune -exec rm -rf '{}' +

# Base strategy to have layer caching
FROM ${NODE_IMAGE} AS base
RUN apt-get update && apt-get install -y openssl dumb-init
RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends openssl dumb-init && rm -rf /var/lib/apt/lists/*
WORKDIR /triggerdotdev
COPY --chown=node:node .gitignore .gitignore
COPY --from=pruner --chown=node:node /triggerdotdev/out/json/ .
Expand Down Expand Up @@ -43,7 +43,7 @@ RUN --mount=type=cache,id=pnpm,target=/root/.local/share/pnpm/store pnpm install
## Builder (builds the webapp)
FROM base AS builder
# This is needed for the sentry-cli binary while building the webapp
RUN apt-get update && apt-get install -y openssl dumb-init ca-certificates
RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends openssl dumb-init ca-certificates && rm -rf /var/lib/apt/lists/*
WORKDIR /triggerdotdev
# Corepack is used to install pnpm with the exact version from packageManager
RUN corepack enable && corepack prepare pnpm@10.33.2 --activate
Expand Down Expand Up @@ -75,7 +75,7 @@ RUN --mount=type=secret,id=sentry_auth_token \

# Runner
FROM ${NODE_IMAGE} AS runner
RUN apt-get update && apt-get install -y openssl netcat-openbsd ca-certificates
RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends openssl netcat-openbsd ca-certificates && rm -rf /var/lib/apt/lists/*
WORKDIR /triggerdotdev
ENV NODE_ENV=production

Expand Down
4 changes: 2 additions & 2 deletions internal-packages/emails/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,15 +16,15 @@
"nodemailer": "^8.0.6",
"react": "^18.2.0",
"react-dom": "^18.2.0",
"react-email": "^6.5.0",
"resend": "^3.2.0",
"tiny-invariant": "^1.2.0",
"zod": "3.25.76"
},
"devDependencies": {
"@types/nodemailer": "^8.0.0",
"@types/react": "18.2.69",
"@types/react-dom": "18.2.7"
"@types/react-dom": "18.2.7",
"react-email": "^6.5.0"
},
"engines": {
"node": ">=18.0.0"
Expand Down
6 changes: 3 additions & 3 deletions pnpm-lock.yaml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading