
Conversation

@chopkinsmade
Contributor

What

Why

How this has been tested

  • I have tested locally
  • Testing not required

Reviewer Checklist

  • I have reviewed the PR and ensured no secret values are present

Signed-off-by: DBT pre-commit check
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

Comment on lines +101 to +110
"node_modules/node-fetch": {
"version": "1.7.3",
"resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz",
"integrity": "sha512-NhZ4CsKx7cYm2vSrBAr2PvFOe6sWDf0UYLRqA6svUYg7+/TSfVAu49jYC4BvQ4Sms9SZgdqGBgroqfDhJdTyKQ==",
"license": "MIT",
"dependencies": {
"encoding": "^0.1.11",
"is-stream": "^1.0.1"
}
},

Check failure

Code scanning / Trivy

node-fetch: exposure of sensitive information to an unauthorized actor High

Package: node-fetch
Installed Version: 1.7.3
Vulnerability CVE-2022-0235
Severity: HIGH
Fixed Version: 3.1.1, 2.6.7
Link: CVE-2022-0235
Comment on lines +17 to +22
resource "aws_s3_bucket" "main" {
bucket = var.bucket

tags = var.tags != {} ? var.tags : {}
tags_all = var.tags_all != {} ? var.tags_all : {}
}

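Review bot: the conditional on the tags lines is a no-op and should be dropped: `var.tags != {} ? var.tags : {}` evaluates to `var.tags` in both branches, so `tags = var.tags` says the same thing. The `tags_all` assignment is the bigger problem: on AWS provider resources `tags_all` is the computed merge of the resource's `tags` with the provider's `default_tags`, so it is not something the module should be setting by hand; the resource needs only `tags`. The missing pieces Trivy is pointing at (an `aws_s3_bucket_public_access_block` and an `aws_s3_bucket_server_side_encryption_configuration` for this bucket) belong alongside this resource in s3.tf.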
Check failure

Code scanning / Trivy

S3 Access block should block public ACL High

Artifact: s3.tf
Type: terraform
Vulnerability AVD-AWS-0086
Severity: HIGH
Message: No public access block so not blocking public acls
Link: AVD-AWS-0086
Comment on lines +17 to +22
resource "aws_s3_bucket" "main" {
bucket = var.bucket

tags = var.tags != {} ? var.tags : {}
tags_all = var.tags_all != {} ? var.tags_all : {}
}

Check failure

Code scanning / Trivy

S3 Access block should block public policy High

Artifact: s3.tf
Type: terraform
Vulnerability AVD-AWS-0087
Severity: HIGH
Message: No public access block so not blocking public policies
Link: AVD-AWS-0087
Comment on lines +17 to +22
resource "aws_s3_bucket" "main" {
bucket = var.bucket

tags = var.tags != {} ? var.tags : {}
tags_all = var.tags_all != {} ? var.tags_all : {}
}

Check failure

Code scanning / Trivy

Unencrypted S3 bucket. High

Artifact: s3.tf
Type: terraform
Vulnerability AVD-AWS-0088
Severity: HIGH
Message: Bucket does not have encryption enabled
Link: AVD-AWS-0088
Comment on lines +17 to +22
resource "aws_s3_bucket" "main" {
bucket = var.bucket

tags = var.tags != {} ? var.tags : {}
tags_all = var.tags_all != {} ? var.tags_all : {}
}

Check failure

Code scanning / Trivy

S3 Access Block should Ignore Public ACL High

Artifact: s3.tf
Type: terraform
Vulnerability AVD-AWS-0091
Severity: HIGH
Message: No public access block so not blocking public acls
Link: AVD-AWS-0091
Comment on lines +17 to +22
resource "aws_s3_bucket" "main" {
bucket = var.bucket

tags = var.tags != {} ? var.tags : {}
tags_all = var.tags_all != {} ? var.tags_all : {}
}

Check failure

Code scanning / Trivy

S3 Access block should restrict public bucket to limit access High

Artifact: s3.tf
Type: terraform
Vulnerability AVD-AWS-0093
Severity: HIGH
Message: No public access block so not restricting public buckets
Link: AVD-AWS-0093
Comment on lines +17 to +22
resource "aws_s3_bucket" "main" {
bucket = var.bucket

tags = var.tags != {} ? var.tags : {}
tags_all = var.tags_all != {} ? var.tags_all : {}
}

Check failure

Code scanning / Trivy

S3 encryption should use Customer Managed Keys High

Artifact: s3.tf
Type: terraform
Vulnerability AVD-AWS-0132
Severity: HIGH
Message: Bucket does not encrypt data with a customer managed key.
Link: AVD-AWS-0132
description = "egress-https-from-service"

security_group_id = 1
cidr_blocks = ["0.0.0.0/0"]

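Review bot: `security_group_id = 1` is a bare integer where the provider expects a security group ID string (a reference such as `aws_security_group.service.id`), so this rule will not apply as written and reads like a placeholder left in by mistake. For the `cidr_blocks = ["0.0.0.0/0"]` on an HTTPS egress rule, name the destinations the service actually talks to: a `prefix_list_ids` entry for the relevant VPC endpoint, or the specific CIDRs, rather than the whole internet.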
Check failure

Code scanning / Trivy

A security group rule should not allow unrestricted egress to any IP address. Critical

Artifact: security_groups.tf
Type: terraform
Vulnerability aws-vpc-no-public-egress-sgr
Severity: CRITICAL
Message: Security group rule allows unrestricted egress to any IP address.
Link: aws-vpc-no-public-egress-sgr
@uktrade uktrade deleted a comment from github-actions bot Jan 16, 2026
@uktrade uktrade deleted a comment from github-actions bot Jan 16, 2026
@github-actions

Trivy fs scan - Vulnerabilities detected

The following vulnerabilities of HIGH or CRITICAL severity have been detected in the code. Please resolve these before merging the pull request.

Type: npm

Target: package-lock.json

Severity: HIGH

CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Type: uv

Target: uv.lock

Severity: HIGH

CVE-2025-69223 aiohttp: AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3.

Severity: HIGH

CVE-2026-21441 urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)
urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting preload_content=False when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when preload_content=False. If upgrading is not immediately possible, disable redirects by setting redirect=False for requests to untrusted source.

Type: terraform

Target: .

Type: dockerfile

Target: Dockerfile

Severity: HIGH

DS002 Image user should not be 'root'
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

Type: terraform

Target: s3.tf

Severity: HIGH

AVD-AWS-0086 S3 Access block should block public ACL
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs will fail if the object has any public ACL.

Severity: HIGH

AVD-AWS-0087 S3 Access block should block public policy
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

Severity: HIGH

AVD-AWS-0088 Unencrypted S3 bucket.
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

Severity: HIGH

AVD-AWS-0091 S3 Access Block should Ignore Public ACL
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

Severity: HIGH

AVD-AWS-0093 S3 Access block should restrict public bucket to limit access
S3 buckets should restrict public policies for the bucket. By enabling restrict_public_buckets, only the bucket owner and AWS services can access the bucket if it has a public policy.

Severity: HIGH

AVD-AWS-0132 S3 encryption should use Customer Managed Keys
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

Type: terraform

Target: security_groups.tf

Severity: CRITICAL

aws-vpc-no-public-egress-sgr A security group rule should not allow unrestricted egress to any IP address.
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
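The Terraform findings above (AVD-AWS-0086, 0087, 0088, 0091, 0093, 0132 and aws-vpc-no-public-egress-sgr) all come down to two things: the bucket in s3.tf has no public access block and no default encryption, and the rule in security_groups.tf allows HTTPS egress to 0.0.0.0/0. The block below is an added example of how those resources look once hardened. It is not the uktrade module's code: the variable names, the assumed region default, the `service` security group and the choice of the S3 gateway endpoint prefix list as the egress destination are all assumptions made for the example.

```hcl
# Added example of the hardened resources; not the module's own code.
# Assumed inputs (names are assumptions, not taken from the repository):
variable "bucket" { type = string }
variable "vpc_id" { type = string }
variable "region" {
  type    = string
  default = "eu-west-2" # assumption for the prefix list lookup
}
variable "tags" {
  type    = map(string)
  default = {}
}

# AVD-AWS-0132: a customer managed key gives control over rotation and key policy.
resource "aws_kms_key" "s3" {
  description         = "SSE-KMS key for ${var.bucket}"
  enable_key_rotation = true
  tags                = var.tags
}

resource "aws_s3_bucket" "main" {
  bucket = var.bucket
  tags   = var.tags # tags_all is computed by the provider, not set here
}

# AVD-AWS-0086 / 0087 / 0091 / 0093: all four public access block settings on.
resource "aws_s3_bucket_public_access_block" "main" {
  bucket                  = aws_s3_bucket.main.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# AVD-AWS-0088: default encryption for every object, using the CMK above.
resource "aws_s3_bucket_server_side_encryption_configuration" "main" {
  bucket = aws_s3_bucket.main.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3.arn
    }
    bucket_key_enabled = true # fewer KMS calls, same key
  }
}

# aws-vpc-no-public-egress-sgr: scope HTTPS egress to the destinations the
# service actually needs. Here that is assumed to be S3 via the gateway
# endpoint, so the rule targets the S3 prefix list instead of 0.0.0.0/0.
resource "aws_security_group" "service" {
  name   = "service"
  vpc_id = var.vpc_id
  tags   = var.tags
}

data "aws_prefix_list" "s3" {
  name = "com.amazonaws.${var.region}.s3"
}

resource "aws_security_group_rule" "egress_https" {
  description       = "egress-https-from-service"
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  security_group_id = aws_security_group.service.id
  prefix_list_ids   = [data.aws_prefix_list.s3.id]
}
```

Running `trivy config .` against a module laid out this way exercises the same checks the PR scan reported. The CMK check (AVD-AWS-0132) is only satisfied when the encryption configuration references a key, which is why the `aws_kms_key` resource is wired into `kms_master_key_id` rather than left as a standalone resource. If the service genuinely needs to reach arbitrary internet hosts over 443, the egress rule cannot be narrowed this way and the finding should be suppressed with a documented reason instead of left failing.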
