ADR-0005: Vulnerability Scanning Strategy
Context
As part of Devflow’s “Hardened by Default” initiative (ADR-0004), we need a comprehensive strategy for identifying vulnerabilities in code, dependencies, and container images. The goal is to maximize security coverage while minimizing CI friction and developer cognitive load.
Decision
We have decided to adopt a multi-layered scanning strategy anchored by Trivy as our primary scanner for dependencies and infrastructure.
1. Choice of Scanner: Why Trivy?
We evaluated Trivy, Snyk, and Docker Scout. We chose Trivy because:
Comprehensive Coverage: Scans OS packages, language-specific dependencies (Rust, Node, Python), and IaC (Dockerfiles).
Speed & Efficiency: Significantly faster than Snyk for local and ephemeral CI runs.
Standalone/Offline Support: Works perfectly in restricted CI environments without requiring account management or third-party cloud connectivity for basic scans.
Simplicity: Single binary with minimal dependencies, ideal for embedding into the dwf setup phase.
2. “Push-Left” Implementation
To catch issues earlier:
Local Dev: The dwf check:security command is provided so that developers can run the identical verification suite used in CI on their local machines.
IDE Integration: We recommend the Trivy VS Code extension for real-time dependency auditing.
3. Operational Efficiency (Friction Reduction)
To prevent security from slowing down the PR loop:
Scan-on-Change: Full image scans are only triggered in CI when the Dockerfile or toolchain manifests (Cargo.lock, package-lock.json) are modified.
Filesystem Scanning: During standard PRs, we prioritize trivy fs (filesystem) scans over full image scans to reduce restoration overhead.
Nightly Guardrails: We execute an exhaustive image-based scan nightly on the main branch to identify “Zero-Day” vulnerabilities in base images that haven’t changed.
Consequences
Positive
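The scan-selection policy above, written out as an added example of a POSIX shell helper a CI job could source (this is illustrative code, not Devflow's own dwf tooling). It assumes the changed-path list comes from something like git diff --name-only against the base branch, and the image tag and file paths are constructed placeholders.

```shell
# Added example: the scan-on-change policy from section 3 as shell functions.
# Assumed inputs: changed paths as arguments (e.g. from
# `git diff --name-only origin/main...HEAD`) and an image tag to scan.

# Print "image" if any changed path is a Dockerfile or one of the toolchain
# manifests named in the ADR (Cargo.lock, package-lock.json); otherwise "fs".
scan_mode() {
    mode="fs"
    for path in "$@"; do
        case "${path##*/}" in
            Dockerfile|Dockerfile.*|Cargo.lock|package-lock.json) mode="image" ;;
        esac
    done
    printf '%s\n' "$mode"
}

# Build the trivy invocation for a mode. Both forms fail the job only on
# CRITICAL/HIGH findings, matching the "High Signal" policy in this ADR.
trivy_cmd() {
    mode="$1"; target="$2"
    case "$mode" in
        fs)    printf 'trivy fs --severity CRITICAL,HIGH --exit-code 1 %s\n' "$target" ;;
        image) printf 'trivy image --severity CRITICAL,HIGH --exit-code 1 %s\n' "$target" ;;
        *)     printf 'unknown scan mode: %s\n' "$mode" >&2; return 1 ;;
    esac
}

# Nightly guardrail on main: always a full image scan, regardless of the diff,
# so base-image CVEs surface even when no manifest changed.
nightly_cmd() {
    trivy_cmd image "$1"
}

# Constructed sample diffs (not from a real repository).
pr_changed="src/lib.rs README.md"
manifest_changed="src/lib.rs Cargo.lock"

echo "PR touching only source:  $(scan_mode $pr_changed)"
echo "PR touching Cargo.lock:   $(scan_mode $manifest_changed)"
# devflow/app:pr-123 is a placeholder image tag.
trivy_cmd "$(scan_mode $manifest_changed)" devflow/app:pr-123
nightly_cmd devflow/app:nightly
```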
Consistency: The same scanner is used locally and in CI, eliminating “it works on my machine” security issues. In line with the “Push-Left” security philosophy and devflow’s philosophy of “developer experience first”.
Zero Cost: Open-source core reduces vendor lock-in and per-seat license costs for small teams.
High Signal: Policy to fail only on CRITICAL or HIGH severities ensures developers are not overwhelmed by noise.
Negative
Manual Updates: Developers must occasionally update their local trivy binary to get the latest CVE databases. However, because Trivy auto-updates the vulnerability database (VDB) on every run, the local and CI results remain functionally synchronized with the same upstream data sources.