Merge pull request #214 from cartsnitch/fix/car-620-grype-ignore-and-cache-bust

fix: add Grype CVE ignores and cache-bust Debian apt-get upgrade layers

.github/workflows/ci.yml

@@ -166,6 +166,8 @@ jobs:
       - name: Scan frontend image for vulnerabilities
         uses: anchore/scan-action@v5
         id: scan
+        env:
+          GRYPE_CONFIG: .grype.yaml
         with:
           image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
           fail-build: true
@@ -263,6 +265,8 @@ jobs:
       - name: Scan auth image for vulnerabilities
         uses: anchore/scan-action@v5
         id: scan
+        env:
+          GRYPE_CONFIG: .grype.yaml
         with:
           image: "${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}:sha-${{ github.sha }}"
           fail-build: true
@@ -343,12 +347,16 @@ jobs:
           load: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            APT_CACHE_BUST=${{ github.run_id }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
       - name: Scan receiptwitness image for vulnerabilities
         uses: anchore/scan-action@v5
         id: scan
+        env:
+          GRYPE_CONFIG: .grype.yaml
         with:
           image: "${{ env.REGISTRY }}/${{ env.RECEIPTWITNESS_IMAGE_NAME }}:sha-${{ github.sha }}"
           fail-build: true
@@ -371,6 +379,8 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            APT_CACHE_BUST=${{ github.run_id }}
           cache-from: type=gha
 
   build-and-push-api:
@@ -429,12 +439,16 @@ jobs:
           load: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            APT_CACHE_BUST=${{ github.run_id }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
       - name: Scan api image for vulnerabilities
         uses: anchore/scan-action@v5
         id: scan
+        env:
+          GRYPE_CONFIG: .grype.yaml
         with:
           image: "${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}:sha-${{ github.sha }}"
           fail-build: true
@@ -457,6 +471,8 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            APT_CACHE_BUST=${{ github.run_id }}
           cache-from: type=gha
 
   deploy-dev:

.grype.yaml

@@ -0,0 +1,4 @@
+ignore:
+  # Python 3.12 CVEs — only fixed in 3.13+, cannot upgrade major version safely
+  - vulnerability: CVE-2025-13836
+  - vulnerability: CVE-2026-4519

api/Dockerfile

@@ -1,5 +1,6 @@
 FROM python:3.12-slim AS build
 
+ARG APT_CACHE_BUST=0
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
     libpq-dev \
     build-essential \
@@ -12,6 +13,7 @@ RUN pip install --no-cache-dir --prefix=/install .
 
 FROM python:3.12-slim AS prod
 
+ARG APT_CACHE_BUST=0
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends libpq5 && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /app

receiptwitness/Dockerfile

@@ -5,6 +5,7 @@ WORKDIR /app
 
 # build-essential and libpq-dev are needed to compile any C-extension wheels
 # (e.g. psycopg2 fallback).  No git needed — common/ is copied from the repo root.
+ARG APT_CACHE_BUST=0
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
     libpq-dev \
     build-essential \
@@ -25,6 +26,7 @@ FROM python:3.12-slim AS prod
 WORKDIR /app
 
 # Install Playwright system dependencies for Chromium
+ARG APT_CACHE_BUST=0
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
     libnss3 \
     libatk1.0-0 \