Security Scanning
4-layer automated security scanning protects the Renewa One codebase and container images.
Scanning Layers
| Tool | Purpose | Blocking Level | Scope |
|---|---|---|---|
| Trivy | Container/filesystem vulnerabilities | MEDIUM+ | Images, filesystem |
| npm/bun audit | Dependency CVEs | MEDIUM+ (with ignore list) | package.json deps |
| Semgrep | Static application security testing | CRITICAL/HIGH | Source code |
| Gitleaks | Secret detection | All findings | Git history + staged |
Workflow Configuration
| Workflow | Trigger | Purpose |
|---|---|---|
| .github/workflows/security-scan.yml | Daily 2 AM UTC + PR | All 4 scanning layers |
| .github/workflows/container-security-scan.yml | On image build | Trivy container-specific scan |
Scans run as part of CI-CD Workflows and report to the GitHub Security Tab under Code Scanning.
False Positive Management
| Tool | Config File | Purpose |
|---|---|---|
| Semgrep | .semgrepignore | Exclude paths/rules |
| Trivy | renewa-one/.trivyignore | Ignore specific CVEs |
| Gitleaks | .gitleaks.toml | Exclude known safe patterns |
CVE ignore example — when a vulnerability has no available fix:
```text
# renewa-one/.trivyignore
CVE-2026-32280 # Atlas Go stdlib x509 DoS - no upstream fix
```
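The following script is an added example, not part of the Renewa One repository or its workflows. It drives the four scanning layers from the table above with the stated blocking thresholds and lints the Trivy ignore list so that every suppressed CVE carries a justification comment, as the ignore example above does. The image tag, the working-directory paths and the mapping of the page's CRITICAL/HIGH Semgrep level to Semgrep's ERROR severity are assumptions.

```shell
#!/bin/sh
# Added example (not the project's own code): local driver for the four
# scanning layers plus a lint for the Trivy ignore list.
# Assumptions: image tag, file paths, Semgrep severity mapping.

IMAGE="${IMAGE:-renewa-one:local}"                     # assumed image tag
TRIVY_IGNORE="${TRIVY_IGNORE:-renewa-one/.trivyignore}"

# Layer 1: Trivy, blocking at MEDIUM and above, honouring the ignore list.
scan_trivy() {
  trivy fs --severity MEDIUM,HIGH,CRITICAL --exit-code 1 \
    --ignorefile "$TRIVY_IGNORE" . &&
  trivy image --severity MEDIUM,HIGH,CRITICAL --exit-code 1 \
    --ignorefile "$TRIVY_IGNORE" "$IMAGE"
}

# Layer 2: dependency CVEs; "moderate" is npm's name for the MEDIUM level.
scan_audit() {
  npm audit --audit-level=moderate
}

# Layer 3: Semgrep SAST. Treating Semgrep's ERROR severity as the page's
# CRITICAL/HIGH blocking level is an assumption of this example.
scan_semgrep() {
  semgrep scan --config auto --severity ERROR --error .
}

# Layer 4: Gitleaks over the git history; every finding blocks.
scan_gitleaks() {
  gitleaks detect --source . --config .gitleaks.toml --redact --exit-code 1
}

# Lint the Trivy ignore file: every active line must start with a CVE or
# GHSA identifier and carry a '# justification' so suppressions stay
# reviewable. Returns 0 when all entries are well formed, 1 otherwise.
validate_ignore_file() {
  file="$1"; rc=0; n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    set -- $line                      # split on whitespace; $1 is the id
    case "${1:-}" in
      ''|'#'*) continue ;;            # blank line or full-line comment
    esac
    id="$1"
    if ! printf '%s\n' "$id" | grep -Eq '^(CVE-[0-9]{4}-[0-9]{4,}|GHSA(-[0-9a-z]{4}){3})$'; then
      echo "$file:$n: not a vulnerability id: $id" >&2; rc=1; continue
    fi
    rest="${line#*"$id"}"            # everything after the identifier
    just="${rest#*#}"                # text after the first '#', if any
    if [ "$rest" = "$just" ] || [ -z "$(printf '%s' "$just" | tr -d '[:space:]')" ]; then
      echo "$file:$n: $id has no '# justification' comment" >&2; rc=1
    fi
  done < "$file"
  return "$rc"
}

# Gate: the ignore list must be clean and all four layers must pass.
ci_gate() {
  validate_ignore_file "$TRIVY_IGNORE" && scan_trivy && scan_audit &&
    scan_semgrep && scan_gitleaks
}

if [ "${1:-}" = "run" ]; then
  ci_gate
fi
```

Run it as `sh scan.sh run` from the repository root with the four tools installed; `validate_ignore_file` can also be called on its own from a pre-commit hook so an unexplained CVE suppression is rejected before it reaches CI.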
Results
- GitHub Security Tab → Code scanning alerts
- PR comments with scan summaries
- Blocking: PRs cannot merge with unresolved MEDIUM+ findings (Trivy/audit) or CRITICAL/HIGH (Semgrep)
Key Principles
- All 4 layers must pass for ci-gate to go green
- Scheduled daily scans catch newly disclosed CVEs
- Coding Guidelines enforce secure coding patterns (XSS protection, input sanitization)
- Secret management via GitHub Environment Secrets only (see Deployment Pipeline)
Key Files
- .github/workflows/security-scan.yml
- .github/workflows/container-security-scan.yml
- renewa-one/.trivyignore
- .semgrepignore
- .gitleaks.toml
See Also
- CI-CD Workflows — workflow integration
- Coding Guidelines — secure coding standards
- Deployment Pipeline — secret management
- Git Workflow — pre-commit secret detection via Gitleaks