Merged
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
On PRs, the Docker image is built with `load: true` (local only, not pushed to registry). The separate trivy.yml workflow runs on a different runner and can only pull from the registry, so it always scanned the stale :main image — missing any vulnerability fixes in the PR. Now on PRs, Trivy runs inline in the build job where the local image is available. The separate trivy.yml workflow is only called when the image is actually pushed (main, tags, workflow_dispatch). https://claude.ai/code/session_01X1xM95mNAa7FoTDH8mLMg3
CVE-2026-27137 and CVE-2026-27138 (crypto/x509) are only fixed in Go 1.26.1+, not in the 1.25.x series. https://claude.ai/code/session_01X1xM95mNAa7FoTDH8mLMg3
…ries The API proxy handler's retry loop used r.Clone() which does not deep-copy the request body. After the first attempt consumed the body, subsequent retries would send empty bodies, causing the upstream reverse proxy to return 502 Bad Gateway. Buffer the body before the retry loop and reconstruct it on each attempt. https://claude.ai/code/session_01X1xM95mNAa7FoTDH8mLMg3
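The body-sharing behaviour described in the commit above, reproduced and then fixed, as an added example that is not the project's own proxy code. `drain` stands in for what the transport does on each attempt (read the body to EOF and close it); `withBufferedBody` is the buffer-once-and-rebuild pattern the commit describes, and `retryAgainstUpstream` drives it through a real `http.Client` against a constructed `httptest` upstream that fails the first attempt with 503. All names and the "hello" payload are assumptions made for this example.

```go
package main

import (
	"bytes"
	"context"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// drain stands in for the transport on one attempt: it reads whatever the
// request body yields and closes it, as net/http does before a request can be
// reused. Constructed for this example; it does not send anything.
func drain(req *http.Request) int {
	b, _ := io.ReadAll(req.Body)
	req.Body.Close()
	return len(b)
}

// bodyLensWithClone reproduces the bug: http.Request.Clone deep-copies
// headers and the URL, but Body is the same io.ReadCloser in every clone, so
// attempt 1 drains it and attempts 2..n send an empty body.
func bodyLensWithClone(r *http.Request, attempts int) []int {
	lens := make([]int, 0, attempts)
	for i := 0; i < attempts; i++ {
		req := r.Clone(context.Background())
		lens = append(lens, drain(req))
	}
	return lens
}

// withBufferedBody reads the incoming body once and returns a factory that
// builds a fresh request for each attempt. GetBody lets the transport rewind
// on its own (redirects, HTTP/2 GOAWAY), ContentLength is pinned to the
// buffered size, and RequestURI is cleared because a server-side request
// cannot be handed to a client as-is.
func withBufferedBody(r *http.Request) (func(ctx context.Context) *http.Request, error) {
	var buf []byte
	if r.Body != nil && r.Body != http.NoBody {
		b, err := io.ReadAll(r.Body)
		if err != nil {
			return nil, err
		}
		r.Body.Close()
		buf = b
	}
	return func(ctx context.Context) *http.Request {
		req := r.Clone(ctx)
		req.RequestURI = ""
		req.Body = io.NopCloser(bytes.NewReader(buf))
		req.GetBody = func() (io.ReadCloser, error) {
			return io.NopCloser(bytes.NewReader(buf)), nil
		}
		req.ContentLength = int64(len(buf))
		return req
	}, nil
}

// bodyLensWithBuffer is the fixed loop: every attempt gets its own body.
func bodyLensWithBuffer(r *http.Request, attempts int) ([]int, error) {
	next, err := withBufferedBody(r)
	if err != nil {
		return nil, err
	}
	lens := make([]int, 0, attempts)
	for i := 0; i < attempts; i++ {
		lens = append(lens, drain(next(context.Background())))
	}
	return lens, nil
}

// retryAgainstUpstream runs the fixed loop through a real client. The
// constructed upstream answers 503 on the first call and then echoes the
// body length it received. Returns the final status and that length.
func retryAgainstUpstream(payload string, maxAttempts int) (int, int, error) {
	calls := 0
	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		calls++
		b, _ := io.ReadAll(req.Body)
		if calls == 1 {
			http.Error(w, "try again", http.StatusServiceUnavailable)
			return
		}
		fmt.Fprintf(w, "%d", len(b))
	}))
	defer upstream.Close()

	in := httptest.NewRequest(http.MethodPost, upstream.URL+"/api", strings.NewReader(payload))
	next, err := withBufferedBody(in)
	if err != nil {
		return 0, 0, err
	}
	var last *http.Response
	for i := 0; i < maxAttempts; i++ {
		resp, err := upstream.Client().Do(next(context.Background()))
		if err != nil {
			return 0, 0, err
		}
		last = resp
		if resp.StatusCode < 500 {
			break
		}
		resp.Body.Close()
	}
	defer last.Body.Close()
	b, _ := io.ReadAll(last.Body)
	n, err := strconv.Atoi(strings.TrimSpace(string(b)))
	if err != nil {
		return last.StatusCode, 0, fmt.Errorf("upstream did not echo a length: %q", b)
	}
	return last.StatusCode, n, nil
}

func main() {
	in := httptest.NewRequest(http.MethodPost, "/api", strings.NewReader("hello"))
	fmt.Println("clone:", bodyLensWithClone(in, 3))
	in = httptest.NewRequest(http.MethodPost, "/api", strings.NewReader("hello"))
	lens, _ := bodyLensWithBuffer(in, 3)
	fmt.Println("buffered:", lens)
	fmt.Println(retryAgainstUpstream("hello", 3))
}
```

Note that a real `http.Client` would not silently send the empty body in the clone case: with `ContentLength` still set from the inbound request, the transport reports `ContentLength=N with Body length 0` instead, which is why the broken path here is driven through `drain` rather than the client. Either way the upstream never sees the payload again after the first attempt.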
The goinstall.sh from canha/golang-tools-install-script was not reliably installing the specified Go version, causing Trivy to detect 5 CRITICAL/HIGH stdlib CVEs (CVE-2026-25679, CVE-2026-27137, CVE-2026-27138, CVE-2026-27139, CVE-2026-27142) despite go.mod specifying 1.26.1 which fixes them. Switch to downloading the official Go tarball directly from dl.google.com and installing to /usr/local/go. This also fixes the GOROOT/GOPATH confusion where both pointed to /root/.go. https://claude.ai/code/session_01X1xM95mNAa7FoTDH8mLMg3
The separate trivy.yml workflow still referenced the old Go installation path (/root/.go). Update to /usr/local/go to match the Dockerfile change. https://claude.ai/code/session_01X1xM95mNAa7FoTDH8mLMg3
Move the inline Trivy scan steps from the build job into a dedicated
trivy-pr job ("Run Trivy PR scan (local image)") so it shows up as
a distinct job in the GitHub Actions UI. The Docker image is passed
between jobs via artifacts. Rename the existing trivy job to
"Run Trivy Container scan" for clarity.
https://claude.ai/code/session_01X1xM95mNAa7FoTDH8mLMg3