From e87e6e0066469b8c39c675fe0fd0a40e25eb2abd Mon Sep 17 00:00:00 2001 From: Dmitry Gusev Date: Sun, 24 May 2026 16:47:11 +0300 Subject: [PATCH] feat(security): Trivy in CI + npm audit in Dockerfile (Layer A) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Dockerfile: npm audit HIGH/CRITICAL warning-only after npm ci/install - CI (for those that did not have it yet): Trivy scan of the built image, HIGH/CRITICAL severity, --ignore-unfixed, --exit-code 0 (warning-only) Part of the multi-layer security plan: Layer A (minimum), B (Nuclei DAST weekly cron) and C (GitLeaks + Semgrep + Hadolint) as separate tasks in Singularity. Co-Authored-By: Claude Opus 4.7 --- Dockerfile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Dockerfile b/Dockerfile index c79e1e3..ea94144 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,6 +7,9 @@ WORKDIR /app COPY package.json package-lock.json* ./ RUN npm install --no-audit --no-fund +# Security: npm audit для HIGH/CRITICAL CVE в зависимостях (warning-only). +RUN npm audit --audit-level=high --omit=dev 2>&1 | tee /tmp/npm-audit.log || true + COPY . . RUN npm run build
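Review bot: the `|| true` on the new `RUN npm audit --audit-level=high --omit=dev 2>&1 | tee /tmp/npm-audit.log || true` line is redundant and the step leaves no usable signal behind. Docker's default `/bin/sh -c` has no `pipefail`, so the pipeline already exits with `tee`'s status and a HIGH/CRITICAL finding can never fail the build even without `|| true`; meanwhile the only persistent record, `/tmp/npm-audit.log`, is baked into the image layer (and into the shipped image unless a later stage discards it) rather than surfaced to CI, which also leaves a list of known-vulnerable dependency versions inside the artifact. Suggest dropping the `tee` (the build log already captures stdout) and making the warning-only result explicit so it is greppable in CI output, for example `RUN npm audit --audit-level=high --omit=dev || echo "WARNING: npm audit reported HIGH/CRITICAL vulnerabilities (warning-only)"`; if the policy later becomes blocking, that `|| echo` is the one thing to remove. Two smaller points: the added comment `# Security: npm audit для HIGH/CRITICAL CVE в зависимостях (warning-only).` is in Russian in an otherwise English Dockerfile, so consider English for consistency; and the commit message describes a Trivy scan of the built image in CI, but the diffstat shows only `Dockerfile` changed (3 insertions), so either the CI change is missing from this patch or the message should state that it lands in a separate commit.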