Commit graph

7 commits

Author SHA1 Message Date
Ian Littman
18256bdf0e
Add missing step-security hardening action, bump to current version (#38470)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Upgraded security protections across build and deployment workflows
for enhanced runner environment hardening.
* Strengthened CI/CD infrastructure security measures throughout
automated processes.
  * No direct user-facing changes.

<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-01-19 15:10:48 -06:00
Lucas Manuel Rodriguez
bfe3b186d3
Fix detected CVEs and docker scout exit code to fail the Github Action (#28836)
For #28837.

Fixing this all of this because we got multiple reports from the
community and customers and these were also detected by Amazon
Inspector.

- Fixes CVE-2025-22871 by upgrading Go from 1.24.1 to 1.24.2.
- `docker scout` now fails the daily scheduled action if there are
CRITICAL,HIGH CVEs (we missed setting `exit-code: true`).
- Report CVE-2025-46569 as not affected by it because of our use of
OPA's go package.
- Report CVE-2024-8260 as not affected by it because Fleet doesn't run
on Windows.
- The `security/status.md` shows a lot of changes because we are now
sorting CVEs so that newest come first.

---

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Make sure fleetd is compatible with the latest released version of
Fleet (see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)).
- [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
- [ ] For unreleased bug fixes in a release candidate, confirmed that
the fix is not expected to adversely impact load test results or alerted
the release DRI if additional load testing is needed.
2025-05-06 13:35:27 -03:00
Lucas Manuel Rodriguez
895194d63b
Add scanning to released images and process to track vulnerabilities (#28087)
For #25902.

---------

Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 11:50:10 -03:00
Scott Gress
1551157c23
Fix rate limiting issue in Trivy workflow scan (#23634) 2024-11-07 15:06:17 -06:00
Luke Heath
6ebc308eb4
[StepSecurity] ci: Harden GitHub Actions (#17780) 2024-03-22 15:32:23 -05:00
Luke Heath
4015a897da
Update trivy scan options (#17357) 2024-03-04 16:36:17 -06:00
Luke Heath
960a7a350a
Remove tfsec workflow (#17354) 2024-03-04 16:13:41 -06:00
Renamed from .github/workflows/trivy_scan.yml (Browse further)