Conversation

@jbern0rd (Contributor)

@jbern0rd jbern0rd commented Jan 8, 2026

Note

Medium Risk
Changes the docker build workflow execution order (build->scan->push) and tightens security gating, which may newly fail builds or alter multi-arch publishing behavior.

Overview
Updates the reusable docker-build GitHub Actions workflow to build a single platform image (new platform input replacing platforms), load it on the runner, and delay pushing until after security checks.

Upgrades Trivy and switches scanning to image-ref instead of a saved tarball, adds input validation for platform and security-report, and introduces a dedicated Trivy run that fails the job on CRITICAL,HIGH vulnerabilities (with ignore-unfixed: true) before pushing. PR comment text is adjusted to include the platform, and the README is updated to document the single-platform limitation and new input.

Written by Cursor Bugbot for commit 359da29. This will update automatically on new commits.
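As an added illustration, not code from this repository or from the PR itself, the following reusable workflow shows the build -> scan -> push order that the description summarizes: build one platform, load it into the runner's daemon, let Trivy gate on fixable CRITICAL/HIGH findings, and push only if that step exits 0. The action names and their inputs (platform, load, image-ref, severity, ignore-unfixed, exit-code) are real; the pinned versions, the input names platform/image/push, and the :candidate tag suffix are assumptions.

```yaml
# Added example workflow (not the project's own). Versions and input names are assumed.
name: docker-build
on:
  workflow_call:
    inputs:
      platform:
        description: "Exactly one os/arch value, e.g. linux/amd64"
        required: true
        type: string
      image:
        description: "Registry path of the image to build"
        required: true
        type: string
      push:
        type: boolean
        default: false

jobs:
  build-scan-push:
    runs-on: ubuntu-latest
    steps:
      - name: Validate platform input
        # Pass the value through an env var rather than interpolating ${{ }} into
        # the script, so an input containing shell metacharacters cannot alter it.
        # A comma would request a multi-arch build, which cannot be loaded into
        # the local daemon; an empty value is rejected for the same reason.
        env:
          PLATFORM: ${{ inputs.platform }}
        run: |
          case "$PLATFORM" in
            ""|*,*) echo "platform must be a single os/arch value" >&2; exit 1 ;;
          esac

      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3

      - name: Build and load (no push yet)
        # load: true only works for a single platform, which is the documented limitation.
        uses: docker/build-push-action@v6
        with:
          platforms: ${{ inputs.platform }}
          load: true
          push: false
          tags: ${{ inputs.image }}:candidate

      - name: Fail on CRITICAL/HIGH vulnerabilities that have a fix
        # Scans the image by reference instead of a saved tarball; exit-code 1 fails
        # the job, and ignore-unfixed skips findings with no upstream fix available.
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ inputs.image }}:candidate
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: "1"

      - name: Push only after the scan gate passed
        # Reached only when every previous step succeeded, so nothing leaves the
        # runner before the vulnerability check has passed.
        if: ${{ inputs.push }}
        env:
          IMAGE: ${{ inputs.image }}
        run: docker push "$IMAGE:candidate"
```

Because the scan runs against the locally loaded image rather than a pushed tag, a failing gate leaves no vulnerable image in the registry; the trade-off is that one call of the workflow produces one architecture, so callers wanting several platforms must invoke it once per platform.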

@jbern0rd jbern0rd self-assigned this Jan 8, 2026
@jbern0rd jbern0rd changed the title feat: improve docker build feat: fail docker-build on CRITICAL or HIGH fixed vulnerabilities found with Trivy Jan 12, 2026
@jbern0rd jbern0rd changed the title feat: fail docker-build on CRITICAL or HIGH fixed vulnerabilities found with Trivy feat: fail docker-build on CRITICAL or HIGH vulnerabilities with fix available Jan 12, 2026
@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.

@jbern0rd jbern0rd changed the title feat: fail docker-build on CRITICAL or HIGH vulnerabilities with fix available refactor!: enforce an optimize single platform docker-build with failure on CRITICAL or HIGH fixed vulnerabilities detection Feb 2, 2026
@jbern0rd jbern0rd merged commit 59d6ea2 into main Feb 2, 2026
3 checks passed
@jbern0rd jbern0rd deleted the bugfix/block-docker-push-on-vulnerability branch February 2, 2026 10:42
4 participants