chore: enhance Trivy security scanning configuration

- Add ignore-unfixed: true to Trivy workflow to focus on actionable vulnerabilities - Expand .trivyignore from 1 to 10 CVEs with detailed categorization - Document why each CVE is ignored (system libraries, unused features) - Ignore glibc/libtasn1 system library CVEs pending upstream fixes - Ignore curl CVEs for SSH/OAuth2/LDAP features not used by application - Ignore OpenLDAP CVE as library is not used by amcrest2mqtt This aligns with govee2mqtt security configuration and reduces noise from unfixable or non-applicable security alerts while maintaining focus on CRITICAL and HIGH severity issues that can be addressed. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2 weeks ago · 21925c5688
parent d66d3aebbc
commit 21925c5688
2 changed files with 32 additions and 0 deletions
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@ -191,6 +191,7 @@ jobs:
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
+          ignore-unfixed: true

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@27fcff4ecb39e96348e7ceddcc2d9ef42308b6fc # v4
--- a/.trivyignore
+++ b/.trivyignore
@ -1,3 +1,34 @@
+# =============================================================================
+# System Libraries - Waiting for upstream fixes in python:3.14-slim base image
+# =============================================================================
+
+# glibc vulnerabilities - system library, waiting for Debian/Python base image updates
+CVE-2026-0861  # glibc: Integer overflow in memalign leads to heap corruption
+CVE-2026-0915  # glibc: Information disclosure via zero-valued network query
+
+# libtasn1 - system library dependency, not directly used by amcrest2mqtt
+CVE-2025-13151  # libtasn1: DoS via stack-based buffer overflow in asn1_expend_octet_string
+
+# =============================================================================
+# curl - Pulled in as system dependency but specific vulnerable features not used
+# =============================================================================
+# amcrest2mqtt uses Python requests library for HTTP, not curl directly
+# These CVEs relate to curl features (SSH, OAuth2, LDAP, cert pinning) not used by this app
+
+CVE-2025-15224  # curl: SSH/SCP/SFTP transfers - not used
+CVE-2025-15079  # curl: SSH transfers with specific options - not used
+CVE-2025-14819  # curl: TLS with reused easy/multi handles - not used
+CVE-2025-14524  # curl: OAuth2 bearer tokens - not used
+CVE-2025-14017  # curl: Multi-threaded LDAPS transfers - not used
+CVE-2025-13034  # curl: CURLOPT_PINNEDPUBLICKEY option - not used
+
+# =============================================================================
+# Other system dependencies not used by application
+# =============================================================================
+
+# OpenLDAP - not used by amcrest2mqtt (connects to Amcrest cameras and MQTT only)
+CVE-2026-22185  # OpenLDAP LMDB: DoS and Info Disclosure via Heap Buffer Underflow
+
 # libexpat is only pulled in via apt-get install git during build.
 # It is not used in the final runtime image or by amcrest2mqtt at all.
 CVE-2025-59375