feat(ci): add Trivy image vulnerability scanning to all Docker builds

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Merge pull request #186 from cartsnitch/fix/receiptwitness-config-validation
2026-04-14 15:21:08 +00:00 · 2026-04-14 14:07:48 +00:00 · 2026-04-14 13:48:17 +00:00 · 2026-04-14 13:12:46 +00:00
4 changed files with 163 additions and 19 deletions
@@ -13,6 +13,7 @@ concurrency:
 permissions:
  contents: write
  packages: write
+  security-events: write

 env:
  REGISTRY: ghcr.io
@@ -151,17 +152,42 @@ jobs:
            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

-      - name: Build and push Docker image
+      - name: Build Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
-          push: ${{ github.event_name == 'push' }}
+          load: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          target: prod
          cache-from: type=gha
          cache-to: type=gha,mode=max

+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}
+          format: 'sarif'
+          output: 'trivy-results-frontend.sarif'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1'
+
+      - name: Upload Trivy scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results-frontend.sarif'
+
+      - name: Push Docker image
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+
      - name: Create git tag
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        run: |
@@ -221,15 +247,41 @@ jobs:
            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

-      - name: Build and push auth Docker image
+      - name: Build Docker image
        uses: docker/build-push-action@v6
        with:
          context: ./auth
          file: ./auth/Dockerfile
-          push: ${{ github.event_name == 'push' }}
+          load: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}:sha-${{ github.sha }}
+          format: 'sarif'
+          output: 'trivy-results-auth.sarif'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1'
+
+      - name: Upload Trivy scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results-auth.sarif'
+
+      - name: Push Docker image
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@v6
+        with:
+          context: ./auth
+          file: ./auth/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+
  build-and-push-receiptwitness:
    runs-on: runners-cartsnitch
    if: github.event_name == 'push'
@@ -278,15 +330,41 @@ jobs:
            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

-      - name: Build and push receiptwitness image
+      - name: Build Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./receiptwitness/Dockerfile
-          push: ${{ github.event_name == 'push' }}
+          load: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.RECEIPTWITNESS_IMAGE_NAME }}:sha-${{ github.sha }}
+          format: 'sarif'
+          output: 'trivy-results-receiptwitness.sarif'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1'
+
+      - name: Upload Trivy scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results-receiptwitness.sarif'
+
+      - name: Push Docker image
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./receiptwitness/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+
  build-and-push-api:
    runs-on: runners-cartsnitch
    if: github.event_name == 'push'
@@ -335,15 +413,41 @@ jobs:
            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

-      - name: Build and push API Docker image
+      - name: Build Docker image
        uses: docker/build-push-action@v6
        with:
          context: ./api
          file: ./api/Dockerfile
-          push: ${{ github.event_name == 'push' }}
+          load: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}:sha-${{ github.sha }}
+          format: 'sarif'
+          output: 'trivy-results-api.sarif'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1'
+
+      - name: Upload Trivy scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results-api.sarif'
+
+      - name: Push Docker image
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@v6
+        with:
+          context: ./api
+          file: ./api/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+
  deploy-dev:
    runs-on: runners-cartsnitch
    needs: [build-and-push, build-and-push-auth, build-and-push-receiptwitness, build-and-push-api]
@@ -1,26 +1,51 @@
 """Redis/DragonflyDB caching helpers."""

+import redis.asyncio as redis
+
 from cartsnitch_api.config import settings


 class CacheClient:
-    """Stub for Redis/DragonflyDB caching.
+    """Redis/DragonflyDB caching with connection pooling.

    Will be used for expensive queries: price trends, product comparisons.
    Cache invalidation via Redis pub/sub events from other services.
    """

    def __init__(self) -> None:
-        self.url = settings.redis_url
+        self._pool: redis.ConnectionPool | None = None
+        self._client: redis.Redis | None = None
+
+    async def initialize(self) -> None:
+        """Initialize the Redis connection pool."""
+        self._pool = redis.ConnectionPool.from_url(
+            settings.redis_url,
+            max_connections=20,
+            decode_responses=True,
+        )
+        self._client = redis.Redis(connection_pool=self._pool)
+
+    async def close(self) -> None:
+        """Close the Redis connection pool."""
+        if self._client:
+            await self._client.aclose()
+        if self._pool:
+            await self._pool.aclose()

    async def get(self, key: str) -> str | None:
-        # TODO: implement with redis-py async
-        return None
+        if not self._client:
+            return None
+        return await self._client.get(key)

    async def set(self, key: str, value: str, ttl_seconds: int = 300) -> None:
-        # TODO: implement with redis-py async
-        pass
+        if not self._client:
+            return
+        await self._client.set(key, value, ex=ttl_seconds)

    async def delete(self, key: str) -> None:
-        # TODO: implement with redis-py async
-        pass
+        if not self._client:
+            return
+        await self._client.delete(key)
+
+
+cache_client = CacheClient()
@@ -6,7 +6,14 @@ from sqlalchemy.ext.asyncio import AsyncSession, async_sessionmaker, create_asyn

 from cartsnitch_api.config import settings

-engine = create_async_engine(settings.database_url, echo=False)
+engine = create_async_engine(
+    settings.database_url,
+    echo=False,
+    pool_size=10,
+    max_overflow=20,
+    pool_pre_ping=True,
+    pool_recycle=3600,
+)
 async_session_factory = async_sessionmaker(engine, class_=AsyncSession, expire_on_commit=False)


@@ -14,3 +21,8 @@ async def get_db() -> AsyncGenerator[AsyncSession, None]:
    """FastAPI dependency that yields an async DB session."""
    async with async_session_factory() as session:
        yield session
+
+
+async def dispose_engine() -> None:
+    """Dispose the database engine, closing all pooled connections."""
+    await engine.dispose()
@@ -5,6 +5,8 @@ from contextlib import asynccontextmanager
 from fastapi import APIRouter, FastAPI

 from cartsnitch_api.auth.routes import router as auth_router
+from cartsnitch_api.cache import cache_client
+from cartsnitch_api.database import dispose_engine
 from cartsnitch_api.middleware.cors import add_cors_middleware
 from cartsnitch_api.middleware.error_handler import add_error_handlers, add_error_monitor_middleware
 from cartsnitch_api.middleware.rate_limit import add_rate_limit_middleware
@@ -23,9 +25,10 @@ from cartsnitch_api.routes.user import router as user_router

@asynccontextmanager
 async def lifespan(app: FastAPI):
-    # TODO: initialize DB session pool, Redis connection, service clients
+    await cache_client.initialize()
    yield
-    # TODO: cleanup connections
+    await cache_client.close()
+    await dispose_engine()


 def create_app() -> FastAPI:
Author	SHA1	Message	Date
Paperclip	c85c9b12a7	feat(ci): add Trivy image vulnerability scanning to all Docker builds Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-14 15:21:08 +00:00
cartsnitch-cto[bot]	adfa34f2c2	Merge pull request #186 from cartsnitch/fix/receiptwitness-config-validation fix: add startup validation to ReceiptWitness config	2026-04-14 14:07:48 +00:00
cartsnitch-cto[bot]	5825174f0d	Merge pull request #179 from cartsnitch/feature/cart-550-api-lifespan-pooling feat(api): implement FastAPI lifespan with connection pooling (CAR-550)	2026-04-14 13:48:17 +00:00
Barcode Betty	68e6be1985	feat(api): implement FastAPI lifespan with connection pooling - Add connection pool config to SQLAlchemy async engine (pool_size=10, max_overflow=20, pool_pre_ping, pool_recycle) - Implement Redis connection pool in CacheClient with initialize/close lifecycle - Wire lifespan startup/shutdown to initialize and dispose pools - Add dispose_engine() for graceful DB pool cleanup on shutdown Closes CAR-550 Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-14 13:12:46 +00:00