Spec 08 — Image CVE scanning + dependency PRs

Purpose

We pull :latest for several images (prom/prometheus, grafana/grafana, prom/alertmanager, caddy). There’s no tracking of when an image was last pulled, no CVE scanning, no Renovate/Dependabot for our own Python services (queue-exporter, pdf-service). Drift is silent and security advisories are missed until an audit.

Two layers:

  • Renovate for keeping image tags and Python deps up to date (PRs to review).
  • Trivy in nightly CI to surface CVEs in currently-running images.

Rulebook

  1. No :latest in compose files (after this spec). Use pinned digests or semver tags; let Renovate bump them.
  2. CVE policy: CRITICAL → fix within 7 days. HIGH → within 30. MEDIUM/LOW → batched quarterly.
  3. Renovate auto-merges patch updates for dev-only tools (renderer, image scanners). All else is PR-with-review.

Implementation plan

  1. Pin all image tags in monitoring/docker-compose.yml and hostinger/docker-compose.yml to current versions.
  2. Add renovate.json at repo root configured for:
    • Docker image tag updates (semver-aware)
    • Python requirements.txt updates in infra-src/
    • GitHub Actions versions
  3. Add .github/workflows/trivy-scan.yml — nightly, runs trivy image against every image in compose files. Posts summary to Discord; opens issue for CRITICAL findings.
  4. Add .github/dependabot.yml as belt-and-braces for GH Actions only (Renovate covers the rest but Dependabot is simpler for Actions).

Acceptance criteria

  • No :latest tags in any compose file (a grep for :latest finds zero matches)
  • Renovate dashboard issue exists in repo
  • First Trivy scan completes; Discord receives summary
  • Manually introducing an old nginx:1.16 produces a CRITICAL alert in the next nightly scan
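
Added example, not part of the spec or the repo: a POSIX shell helper that covers the pin-check behind the first acceptance criterion and the per-image Trivy loop from step 3 of the plan. It assumes compose files declare images on plain image: lines and that trivy is on PATH (TRIVY= overrides the binary, which is also how the demo can be dry-run). The compose file it writes is constructed for the demo and the sha256 digest in it is a placeholder. The pin-check also flags untagged images, which Docker resolves to :latest just as silently as an explicit :latest tag, so a plain grep would miss them.

```shell
#!/usr/bin/env sh
# Added example, not part of the spec or repo. Assumes compose files declare
# images on plain "image:" lines and that trivy is on PATH (override with
# TRIVY=/path/to/trivy or the name of a wrapper function).

# List every image reference in the given compose files, one per line,
# with surrounding quotes removed and duplicates collapsed.
list_compose_images() {
  awk '$1 == "image:" { print $2 }' "$@" | tr -d "\"'" | sort -u
}

# Print images that are NOT pinned: an explicit :latest tag, or no tag and no
# @sha256 digest (Docker resolves an untagged reference to :latest as well).
find_unpinned() {
  list_compose_images "$@" | while IFS= read -r img; do
    case "$img" in
      *@sha256:*) ;;                       # digest-pinned
      *:latest)   echo "$img" ;;           # explicit :latest
      *)
        # Look only past the last "/" so a registry port is not mistaken for a tag.
        case "${img##*/}" in
          *:*) ;;                          # has a tag
          *)   echo "$img" ;;              # untagged -> implicit :latest
        esac ;;
    esac
  done
}

# Acceptance criterion "no :latest in any compose file": 0 when clean, 1 otherwise.
check_pinned() {
  unpinned=$(find_unpinned "$@")
  if [ -n "$unpinned" ]; then
    printf 'unpinned images:\n%s\n' "$unpinned" >&2
    return 1
  fi
  return 0
}

# Nightly job body: scan each image, fail per image on CRITICAL/HIGH findings.
# --ignore-unfixed skips vulnerabilities with no upstream fix yet (drop it to
# see them). Exit status is the number of failing images, so 0 means all clean.
scan_images() {
  failed=0
  for img in $(list_compose_images "$@"); do
    if ! ${TRIVY:-trivy} image --severity CRITICAL,HIGH --ignore-unfixed \
         --exit-code 1 --quiet "$img"; then
      echo "FAIL $img" >&2
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Constructed sample compose file for the demo (not one of the repo's files);
# the sha256 digest is a placeholder, not a real image digest.
write_sample_compose() {
  cat > "$1" <<'EOF'
services:
  prometheus:
    image: prom/prometheus:v2.51.0
  grafana:
    image: "grafana/grafana:10.4.1"
  alertmanager:
    image: prom/alertmanager@sha256:0000000000000000000000000000000000000000000000000000000000000000
  caddy:
    image: caddy            # no tag: resolves to :latest
  legacy:
    image: nginx:1.16
  exporter:
    image: 'ghcr.io/example/queue-exporter:latest'
EOF
}

# Usage: sh compose-scan.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp)
  write_sample_compose "$tmp"
  check_pinned "$tmp" || echo "acceptance check failed"
  scan_images "$tmp" || echo "$? image(s) with CRITICAL/HIGH findings"
  rm -f "$tmp"
fi
```

In CI the workflow would call check_pinned on both compose files as a gate and scan_images as the nightly job, posting the FAIL lines to Discord; the exit status maps directly to "open an issue for CRITICAL findings" if the severity list is narrowed to CRITICAL.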

Cost impact

0 €. Renovate is free on GitHub.

Back-out plan

Remove renovate.json, .github/dependabot.yml, trivy-scan.yml. Tags remain pinned (which is fine).

Risks / open questions

  • Risk: a flood of Renovate PRs overwhelms reviewers. Mitigation: configure prHourlyLimit: 2, group minor/patch updates, schedule for Sundays.
  • Q: Use Trivy or Grype? A: Trivy — better integrated with GH Action ecosystem, comparable DB quality.
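
Added example, not the repo's own renovate.json: a configuration for step 2 of the plan that also carries the flood-control settings from the risk above (prHourlyLimit 2, grouped minor/patch updates, Sunday schedule) and the auto-merge rule from rulebook item 3. The compose and requirements paths are the ones named in the plan; the two auto-merge package names are placeholders for the renderer and scanner images, and prConcurrentLimit and the needs-review label are additions the spec does not mention.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "dependencyDashboard": true,
  "prHourlyLimit": 2,
  "prConcurrentLimit": 5,
  "schedule": ["on sunday"],
  "enabledManagers": ["docker-compose", "pip_requirements", "github-actions"],
  "docker-compose": {
    "fileMatch": ["^monitoring/docker-compose\\.yml$", "^hostinger/docker-compose\\.yml$"]
  },
  "pip_requirements": {
    "fileMatch": ["^infra-src/.*requirements.*\\.txt$"]
  },
  "packageRules": [
    {
      "description": "Rulebook 1: pin image digests so a tag cannot silently move",
      "matchDatasources": ["docker"],
      "pinDigests": true
    },
    {
      "description": "Risk mitigation: one grouped PR for minor and patch bumps",
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "minor and patch updates"
    },
    {
      "description": "Rulebook 3: auto-merge patch updates for dev-only tooling (package names are placeholders)",
      "matchUpdateTypes": ["patch"],
      "matchPackageNames": ["<renderer-image>", "<scanner-image>"],
      "automerge": true
    },
    {
      "description": "Majors always get a human review",
      "matchUpdateTypes": ["major"],
      "labels": ["needs-review"]
    }
  ]
}
```

Renovate only auto-merges a PR once its required status checks pass, so the patch auto-merge rule is as safe as the repo's CI; the digest pin rule satisfies rulebook item 1 without anyone hand-editing compose files, since Renovate rewrites tag@sha256 pairs itself.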