Skip to content

chore(security): suppress sigstore CVE-2026-48815 in npm's bundle#62

Merged
adamdaw merged 1 commit into
masterfrom
chore/trivy-ignore-sigstore-cve
Jul 9, 2026
Merged

chore(security): suppress sigstore CVE-2026-48815 in npm's bundle#62
adamdaw merged 1 commit into
masterfrom
chore/trivy-ignore-sigstore-cve

Conversation

@adamdaw

@adamdaw adamdaw commented Jul 9, 2026

Copy link
Copy Markdown
Owner

Summary

Add a targeted .trivyignore entry for CVE-2026-48815 so the docker job's Trivy scan stops failing CI on a HIGH CVE inside npm's own bundled dependency.

Motivation

Closes #61. The docker job fails on every open PR and on master at the Trivy step — the only finding is sigstore@3.1.0 / CVE-2026-48815 (HIGH) at usr/lib/node_modules/npm/node_modules/sigstore/package.json. That's npm's internal bundle (NodeSource Node 22 / npm 10), not project code, and unreachable by package.json overrides — identical to the existing picomatch precedent. The image never invokes sigstore.verify() with certificateOIDs, so the (integrity-only) bypass is not exercised. This also unblocks the 6 Dependabot PRs (#55#60), which are red solely because of this shared job.

Changes

  • Add CVE-2026-48815 targeted-ignore entry to .trivyignore, scoped to usr/lib/node_modules/npm/node_modules/sigstore/package.json, with a justification comment (mechanism, reachability, why overrides can't fix it, removal condition).

Test plan

  • Single-file change; mirrors the verified picomatch suppression pattern already in .trivyignore
  • CI passes (link to run): pending this PR's run — the docker/Trivy job going green is the verification

Notes for reviewers

  • Justification verified against the primary advisory (GHSA-52v5-jr5w-gjxr / NVD), not a summary.
  • Separate, unrelated: the local fix/pebble-trivy-cves branch has 2 unmerged commits removing pebble for Go stdlib CVEs — out of scope here.
  • If this PR's Trivy job still fails after the sigstore suppression, that pebble/Go work is likely also needed on master; I'll surface it.

Trivy fails the docker job on sigstore 3.1.0 (CVE-2026-48815, HIGH) at
usr/lib/node_modules/npm/node_modules/sigstore — npm's own bundled
provenance dependency, not project code and unreachable by package.json
overrides. The image never invokes sigstore.verify() with certificateOIDs,
so the bypass is not exercised. Add a targeted .trivyignore entry mirroring
the existing picomatch precedent.
@adamdaw
adamdaw merged commit 03a8a99 into master Jul 9, 2026
8 checks passed
@adamdaw
adamdaw deleted the chore/trivy-ignore-sigstore-cve branch July 9, 2026 12:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

chore(security): docker CI fails on sigstore CVE-2026-48815 in npm's bundled dependency

1 participant