diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000..d18069e
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,33 @@
+name: Trivy Dependency Scan
+
+# Quality gate for dependency bumps (incl. Renovate automerge): fail the PR if a
+# changed dependency pulls in a known HIGH/CRITICAL vulnerability, so we never ship
+# an update with a known issue.
+
+on:
+  push:
+    branches: [localstack]
+  pull_request:
+    branches: [localstack]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  trivy-fs:
+    name: Scan go.mod for known CVEs
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v7
+
+      - name: Run Trivy filesystem scan
+        uses: aquasecurity/trivy-action@v0.36.0
+        with:
+          scan-type: fs
+          scanners: vuln
+          severity: HIGH,CRITICAL
+          # Skip CVEs with no fix available, otherwise an unfixable upstream CVE would
+          # permanently block every merge until a patch exists.
+          ignore-unfixed: true
+          exit-code: "1"
diff --git a/renovate.json b/renovate.json
index 3bf539a..9fe2a89 100644
--- a/renovate.json
+++ b/renovate.json
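Review bot: The workflow declares no `permissions:` block, so the job runs with whatever default GITHUB_TOKEN scope the repository grants, although a read-only checkout followed by a Trivy scan needs nothing beyond `permissions:` / `  contents: read` at the top level above `on:`. The two action references, `actions/checkout@v7` and `aquasecurity/trivy-action@v0.36.0`, are mutable tags; for the job that is meant to be the supply-chain gate, a retagged release silently changes the gate itself, so pin each to its full commit SHA and keep the tag as a trailing comment. Tag pinning also leaves the `digest` update type in the accompanying renovate.json github-actions rule with nothing to act on until the actions are SHA-pinned. The job name says "Scan go.mod" but `scan-type: fs` walks the whole checkout; if that is intended, a one-line comment saying so would keep the name from misleading the next reader.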
@@ -4,24 +4,47 @@
     "config:recommended"
   ],
   "postUpdateOptions": ["gomodTidy"],
+  "platformAutomerge": true,
+  "automergeStrategy": "squash",
+  "minimumReleaseAge": "3 days",
+  "internalChecksFilter": "strict",
   "packageRules": [
     {
       "matchManagers": ["gomod"],
       "matchDepTypes": ["golang"],
       "rangeStrategy": "bump",
-      "groupName": "Go toolchain"
+      "groupName": "Go toolchain",
+      "automerge": true
     },
     {
       "matchManagers": ["gomod"],
       "excludePackageNames": ["go"],
       "matchUpdateTypes": ["minor", "patch"],
-      "groupName": "Go dependencies (non-major)"
+      "groupName": "Go dependencies (non-major)",
+      "automerge": true
     },
     {
       "matchManagers": ["gomod"],
       "excludePackageNames": ["go"],
       "matchUpdateTypes": ["major"],
-      "enabled": false
+      "enabled": false,
+      "automerge": false
+    },
+    {
+      "matchManagers": ["github-actions"],
+      "matchUpdateTypes": ["minor", "patch", "digest"],
+      "automerge": true
+    },
+    {
+      "matchManagers": ["github-actions"],
+      "matchUpdateTypes": ["major"],
+      "automerge": false
     }
-  ]
+  ],
+  "vulnerabilityAlerts": {
+    "groupName": null,
+    "automerge": true,
+    "labels": ["security"],
+    "minimumReleaseAge": "0"
+  }
 }
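Review bot: `"platformAutomerge": true` hands merging to GitHub's native auto-merge, which waits only for status checks that branch protection marks as required; unless the new Trivy job is listed there, a Renovate PR can merge regardless of the scan result, so the gate described in the workflow comment depends on branch-protection settings this diff cannot show, and since renovate.json cannot carry a comment, the requirement that `Scan go.mod for known CVEs` be a required check on `localstack` belongs in the repository README. In the `vulnerabilityAlerts` block, `"automerge": true` together with `"minimumReleaseAge": "0"` is applied after the package rules, so, if I read Renovate's precedence correctly, a security fix that happens to be a major bump can be automerged although the gomod major rule sets `"enabled": false` and `"automerge": false`; if that is intended it deserves the same README note, otherwise drop `"automerge": true` from the block. `"minimumReleaseAge": "0"` is also a string Renovate may not parse as a duration; `null` is the documented way to express no waiting period there.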