From 658e1b706e215c96dcb964cec538ed79a16a3b9e Mon Sep 17 00:00:00 2001
From: justin-tahara
Date: Tue, 9 Sep 2025 17:26:15 -0700
Subject: [PATCH 1/3] feat(infra): Adding rety to Trivy tests
---
 ...er-build-push-backend-container-on-tag.yml | 31 +++++++++++++------
 ...-build-push-cloud-web-container-on-tag.yml | 25 ++++++++++-----
 ...ild-push-model-server-container-on-tag.yml | 26 ++++++++++------
 ...docker-build-push-web-container-on-tag.yml | 25 ++++++++++-----
 4 files changed, 72 insertions(+), 35 deletions(-)
diff --git a/.github/workflows/docker-build-push-backend-container-on-tag.yml b/.github/workflows/docker-build-push-backend-container-on-tag.yml
index cd996cf0c1d..076d0e44634 100644
--- a/.github/workflows/docker-build-push-backend-container-on-tag.yml
+++ b/.github/workflows/docker-build-push-backend-container-on-tag.yml
@@ -142,15 +142,26 @@ jobs:
 # can re-enable when they figure it out
 # https://github.com/aquasecurity/trivy/discussions/7538
 # https://github.com/aquasecurity/trivy-action/issues/389
+ # Security: Using pinned digest (0.65.0@sha256:a22415a38938a56c379387a8163fcb0ce38b10ace73e593475d3658d578b2436)
+ # Security: No Docker socket mount needed for remote registry scanning
 - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
- env:
- TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db:2"
- TRIVY_JAVA_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-java-db:1"
- TRIVY_USERNAME: ${{ secrets.DOCKER_USERNAME }}
- TRIVY_PASSWORD: ${{ secrets.DOCKER_TOKEN }}
+ uses: nick-fields/retry@v3
 with:
- # To run locally: trivy image --severity HIGH,CRITICAL onyxdotapp/onyx-backend
- image-ref: docker.io/${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }}
- severity: "CRITICAL,HIGH"
- trivyignores: ./backend/.trivyignore
+ timeout_minutes: 25
+ max_attempts: 3
+ retry_wait_seconds: 10
+ command: |
+ docker run --rm -v $HOME/.cache/trivy:/root/.cache/trivy \
+ -v ${{ github.workspace }}/backend/.trivyignore:/tmp/.trivyignore:ro \
+ -e TRIVY_DB_REPOSITORY="public.ecr.aws/aquasecurity/trivy-db:2" \
+ -e TRIVY_JAVA_DB_REPOSITORY="public.ecr.aws/aquasecurity/trivy-java-db:1" \
+ -e TRIVY_USERNAME="${{ secrets.DOCKER_USERNAME }}" \
+ -e TRIVY_PASSWORD="${{ secrets.DOCKER_TOKEN }}" \
+ aquasec/trivy@sha256:a22415a38938a56c379387a8163fcb0ce38b10ace73e593475d3658d578b2436 \
+ image \
+ --skip-version-check \
+ --timeout 20m \
+ --severity CRITICAL,HIGH \
+ --ignorefile /tmp/.trivyignore \
+ --exit-code 1 \
+ docker.io/${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }}
\ No newline at end of file
diff --git a/.github/workflows/docker-build-push-cloud-web-container-on-tag.yml b/.github/workflows/docker-build-push-cloud-web-container-on-tag.yml
index 2b12a393be1..6f74bb280e7 100644
--- a/.github/workflows/docker-build-push-cloud-web-container-on-tag.yml
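Review bot: The new `command:` block splices `${{ secrets.DOCKER_USERNAME }}`, `${{ secrets.DOCKER_TOKEN }}`, `${{ github.workspace }}` and `${{ github.ref_name }}` directly into shell text, where the runner expands them before bash ever parses the line; the removed version handed the same values to the action as inputs, so this hunk (and the matching ones in the cloud-web, model-server and web workflows) moves both credentials and a tag-derived value into script source and onto the `docker run` argv. The hardening idiom is to put the two secrets in the step's `env:` and let `-e TRIVY_USERNAME -e TRIVY_PASSWORD` pass them through from the environment, and to reference the runner-provided `$GITHUB_WORKSPACE` and `$GITHUB_REF_NAME` plus `$REGISTRY_IMAGE` (quoted) instead of `${{ }}` interpolation; the retry action's child shell should inherit the step environment and a workflow/job-level `env.REGISTRY_IMAGE` should already be exported, but both are worth confirming once. Two smaller points: the image is digest-pinned while `nick-fields/retry@v3` remains a mutable tag, so pinning that action to a full commit SHA would make the pinning story consistent, and writing the reference as `aquasec/trivy:0.65.0@sha256:…` (if the version named in the comment above is right) keeps the version visible in the code rather than only in a comment, since the digest still decides resolution. Also, with `--exit-code 1` a genuine CRITICAL/HIGH finding exits non-zero exactly like a transient DB-download failure, so the wrapper will rerun the full scan `max_attempts` times before the step fails; a one-line comment on `max_attempts` noting that trade-off would save the next reader the investigation.

```yaml
- name: Run Trivy vulnerability scanner
  uses: nick-fields/retry@v3
  env:
    TRIVY_USERNAME: ${{ secrets.DOCKER_USERNAME }}
    TRIVY_PASSWORD: ${{ secrets.DOCKER_TOKEN }}
  with:
    # … unchanged: timeout_minutes, max_attempts, retry_wait_seconds …
    command: |
      docker run --rm -v "$HOME/.cache/trivy:/root/.cache/trivy" \
        -v "$GITHUB_WORKSPACE/backend/.trivyignore:/tmp/.trivyignore:ro" \
        -e TRIVY_DB_REPOSITORY="public.ecr.aws/aquasecurity/trivy-db:2" \
        -e TRIVY_JAVA_DB_REPOSITORY="public.ecr.aws/aquasecurity/trivy-java-db:1" \
        -e TRIVY_USERNAME -e TRIVY_PASSWORD \
        aquasec/trivy:0.65.0@sha256:a22415a38938a56c379387a8163fcb0ce38b10ace73e593475d3658d578b2436 \
        image --skip-version-check --timeout 20m --severity CRITICAL,HIGH \
        --ignorefile /tmp/.trivyignore --exit-code 1 \
        "docker.io/${REGISTRY_IMAGE}:${GITHUB_REF_NAME}"
```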
+++ b/.github/workflows/docker-build-push-cloud-web-container-on-tag.yml
@@ -139,12 +139,21 @@ jobs:
 # https://github.com/aquasecurity/trivy/discussions/7538
 # https://github.com/aquasecurity/trivy-action/issues/389
 - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
- env:
- TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db:2"
- TRIVY_JAVA_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-java-db:1"
- TRIVY_USERNAME: ${{ secrets.DOCKER_USERNAME }}
- TRIVY_PASSWORD: ${{ secrets.DOCKER_TOKEN }}
+ uses: nick-fields/retry@v3
 with:
- image-ref: docker.io/${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }}
- severity: "CRITICAL,HIGH"
+ timeout_minutes: 25
+ max_attempts: 3
+ retry_wait_seconds: 10
+ command: |
+ docker run --rm -v $HOME/.cache/trivy:/root/.cache/trivy \
+ -e TRIVY_DB_REPOSITORY="public.ecr.aws/aquasecurity/trivy-db:2" \
+ -e TRIVY_JAVA_DB_REPOSITORY="public.ecr.aws/aquasecurity/trivy-java-db:1" \
+ -e TRIVY_USERNAME="${{ secrets.DOCKER_USERNAME }}" \
+ -e TRIVY_PASSWORD="${{ secrets.DOCKER_TOKEN }}" \
+ aquasec/trivy@sha256:a22415a38938a56c379387a8163fcb0ce38b10ace73e593475d3658d578b2436 \
+ image \
+ --skip-version-check \
+ --timeout 20m \
+ --severity CRITICAL,HIGH \
+ --exit-code 1 \
+ docker.io/${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }}
\ No newline at end of file
diff --git a/.github/workflows/docker-build-push-model-server-container-on-tag.yml b/.github/workflows/docker-build-push-model-server-container-on-tag.yml
index 39c14e5720e..e7edee05a32 100644
--- a/.github/workflows/docker-build-push-model-server-container-on-tag.yml
+++ b/.github/workflows/docker-build-push-model-server-container-on-tag.yml
@@ -164,13 +164,21 @@ jobs:
 fi
 - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
- env:
- TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db:2"
- TRIVY_JAVA_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-java-db:1"
- TRIVY_USERNAME: ${{ secrets.DOCKER_USERNAME }}
- TRIVY_PASSWORD: ${{ secrets.DOCKER_TOKEN }}
+ uses: nick-fields/retry@v3
 with:
- image-ref: docker.io/${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }}
- severity: "CRITICAL,HIGH"
- timeout: "10m"
+ timeout_minutes: 25
+ max_attempts: 3
+ retry_wait_seconds: 10
+ command: |
+ docker run --rm -v $HOME/.cache/trivy:/root/.cache/trivy\
+ -e TRIVY_DB_REPOSITORY="public.ecr.aws/aquasecurity/trivy-db:2" \
+ -e TRIVY_JAVA_DB_REPOSITORY="public.ecr.aws/aquasecurity/trivy-java-db:1" \
+ -e TRIVY_USERNAME="${{ secrets.DOCKER_USERNAME }}" \
+ -e TRIVY_PASSWORD="${{ secrets.DOCKER_TOKEN }}" \
+ aquasec/trivy@sha256:a22415a38938a56c379387a8163fcb0ce38b10ace73e593475d3658d578b2436 \
+ image \
+ --skip-version-check \
+ --timeout 20m \
+ --severity CRITICAL,HIGH \
+ --exit-code 1 \
+ docker.io/${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }}
\ No newline at end of file
diff --git a/.github/workflows/docker-build-push-web-container-on-tag.yml b/.github/workflows/docker-build-push-web-container-on-tag.yml
index 632dd660c1c..b346f79973d 100644
--- a/.github/workflows/docker-build-push-web-container-on-tag.yml
+++ b/.github/workflows/docker-build-push-web-container-on-tag.yml
@@ -150,12 +150,21 @@ jobs:
 # https://github.com/aquasecurity/trivy/discussions/7538
 # https://github.com/aquasecurity/trivy-action/issues/389
 - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
- env:
- TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db:2"
- TRIVY_JAVA_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-java-db:1"
- TRIVY_USERNAME: ${{ secrets.DOCKER_USERNAME }}
- TRIVY_PASSWORD: ${{ secrets.DOCKER_TOKEN }}
+ uses: nick-fields/retry@v3
 with:
- image-ref: docker.io/${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }}
- severity: "CRITICAL,HIGH"
+ timeout_minutes: 25
+ max_attempts: 3
+ retry_wait_seconds: 10
+ command: |
+ docker run --rm -v $HOME/.cache/trivy:/root/.cache/trivy \
+ -e TRIVY_DB_REPOSITORY="public.ecr.aws/aquasecurity/trivy-db:2" \
+ -e TRIVY_JAVA_DB_REPOSITORY="public.ecr.aws/aquasecurity/trivy-java-db:1" \
+ -e TRIVY_USERNAME="${{ secrets.DOCKER_USERNAME }}" \
+ -e TRIVY_PASSWORD="${{ secrets.DOCKER_TOKEN }}" \
+ aquasec/trivy@sha256:a22415a38938a56c379387a8163fcb0ce38b10ace73e593475d3658d578b2436 \
+ image \
+ --skip-version-check \
+ --timeout 20m \
+ --severity CRITICAL,HIGH \
+ --exit-code 1 \
+ docker.io/${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }}
\ No newline at end of file
From 43d2b1eb63d0a133847e0b03331d96006a4a87e1 Mon Sep 17 00:00:00 2001
From: justin-tahara
Date: Tue, 9 Sep 2025 17:27:09 -0700
Subject: [PATCH 2/3] Adding newline at the end
---
 .../workflows/docker-build-push-backend-container-on-tag.yml | 2 +-
 .../workflows/docker-build-push-cloud-web-container-on-tag.yml | 2 +-
 .../docker-build-push-model-server-container-on-tag.yml | 2 +-
 .github/workflows/docker-build-push-web-container-on-tag.yml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/docker-build-push-backend-container-on-tag.yml b/.github/workflows/docker-build-push-backend-container-on-tag.yml
index 076d0e44634..523ace96294 100644
--- a/.github/workflows/docker-build-push-backend-container-on-tag.yml
+++ b/.github/workflows/docker-build-push-backend-container-on-tag.yml
@@ -164,4 +164,4 @@ jobs:
 --severity CRITICAL,HIGH \
 --ignorefile /tmp/.trivyignore \
 --exit-code 1 \
- docker.io/${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }}
\ No newline at end of file
+ docker.io/${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }}
diff --git a/.github/workflows/docker-build-push-cloud-web-container-on-tag.yml b/.github/workflows/docker-build-push-cloud-web-container-on-tag.yml
index 6f74bb280e7..fc2c4d0dcd3 100644
--- a/.github/workflows/docker-build-push-cloud-web-container-on-tag.yml
+++ b/.github/workflows/docker-build-push-cloud-web-container-on-tag.yml
@@ -156,4 +156,4 @@ jobs:
 --timeout 20m \
 --severity CRITICAL,HIGH \
 --exit-code 1 \
- docker.io/${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }}
\ No newline at end of file
+ docker.io/${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }}
diff --git a/.github/workflows/docker-build-push-model-server-container-on-tag.yml b/.github/workflows/docker-build-push-model-server-container-on-tag.yml
index e7edee05a32..700c9417410 100644
--- a/.github/workflows/docker-build-push-model-server-container-on-tag.yml
+++ b/.github/workflows/docker-build-push-model-server-container-on-tag.yml
@@ -181,4 +181,4 @@ jobs:
 --timeout 20m \
 --severity CRITICAL,HIGH \
 --exit-code 1 \
- docker.io/${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }}
\ No newline at end of file
+ docker.io/${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }}
diff --git a/.github/workflows/docker-build-push-web-container-on-tag.yml b/.github/workflows/docker-build-push-web-container-on-tag.yml
index b346f79973d..88583b0bf8c 100644
--- a/.github/workflows/docker-build-push-web-container-on-tag.yml
+++ b/.github/workflows/docker-build-push-web-container-on-tag.yml
@@ -167,4 +167,4 @@ jobs:
 --timeout 20m \
 --severity CRITICAL,HIGH \
 --exit-code 1 \
- docker.io/${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }}
\ No newline at end of file
+ docker.io/${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }}
From 0bfd3bea8d7dd2d1fd7622480855386e77f16a63 Mon Sep 17 00:00:00 2001
From: justin-tahara
Date: Tue, 9 Sep 2025 17:33:12 -0700
Subject: [PATCH 3/3] Addressing greptile comments
---
 .../workflows/docker-build-push-backend-container-on-tag.yml | 2 +-
 .../docker-build-push-cloud-web-container-on-tag.yml | 2 +-
 .../docker-build-push-model-server-container-on-tag.yml | 4 ++--
 .github/workflows/docker-build-push-web-container-on-tag.yml | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/docker-build-push-backend-container-on-tag.yml b/.github/workflows/docker-build-push-backend-container-on-tag.yml
index 523ace96294..36747635d4b 100644
--- a/.github/workflows/docker-build-push-backend-container-on-tag.yml
+++ b/.github/workflows/docker-build-push-backend-container-on-tag.yml
@@ -147,7 +147,7 @@ jobs:
 - name: Run Trivy vulnerability scanner
 uses: nick-fields/retry@v3
 with:
- timeout_minutes: 25
+ timeout_minutes: 30
 max_attempts: 3
 retry_wait_seconds: 10
 command: |
diff --git a/.github/workflows/docker-build-push-cloud-web-container-on-tag.yml b/.github/workflows/docker-build-push-cloud-web-container-on-tag.yml
index fc2c4d0dcd3..6c4634a2640 100644
--- a/.github/workflows/docker-build-push-cloud-web-container-on-tag.yml
+++ b/.github/workflows/docker-build-push-cloud-web-container-on-tag.yml
@@ -141,7 +141,7 @@ jobs:
 - name: Run Trivy vulnerability scanner
 uses: nick-fields/retry@v3
 with:
- timeout_minutes: 25
+ timeout_minutes: 30
 max_attempts: 3
 retry_wait_seconds: 10
 command: |
diff --git a/.github/workflows/docker-build-push-model-server-container-on-tag.yml b/.github/workflows/docker-build-push-model-server-container-on-tag.yml
index 700c9417410..e47d6c7fe91 100644
--- a/.github/workflows/docker-build-push-model-server-container-on-tag.yml
+++ b/.github/workflows/docker-build-push-model-server-container-on-tag.yml
@@ -166,11 +166,11 @@ jobs:
 - name: Run Trivy vulnerability scanner
 uses: nick-fields/retry@v3
 with:
- timeout_minutes: 25
+ timeout_minutes: 30
 max_attempts: 3
 retry_wait_seconds: 10
 command: |
- docker run --rm -v $HOME/.cache/trivy:/root/.cache/trivy\
+ docker run --rm -v $HOME/.cache/trivy:/root/.cache/trivy \
 -e TRIVY_DB_REPOSITORY="public.ecr.aws/aquasecurity/trivy-db:2" \
 -e TRIVY_JAVA_DB_REPOSITORY="public.ecr.aws/aquasecurity/trivy-java-db:1" \
 -e TRIVY_USERNAME="${{ secrets.DOCKER_USERNAME }}" \
diff --git a/.github/workflows/docker-build-push-web-container-on-tag.yml b/.github/workflows/docker-build-push-web-container-on-tag.yml
index 88583b0bf8c..302ef188895 100644
--- a/.github/workflows/docker-build-push-web-container-on-tag.yml
+++ b/.github/workflows/docker-build-push-web-container-on-tag.yml
@@ -152,7 +152,7 @@ jobs:
 - name: Run Trivy vulnerability scanner
 uses: nick-fields/retry@v3
 with:
- timeout_minutes: 25
+ timeout_minutes: 30
 max_attempts: 3
 retry_wait_seconds: 10
 command: |