feat(deps): automated Remediation Strategy for Trivy-Detected NPM vulnerabilities

[piyushsinghgaur1]

This pull request introduces an automated workflow for remediating HIGH and CRITICAL vulnerabilities detected by Trivy, along with supporting scripts and configuration changes. The main focus is on integrating Trivy scans with dependency upgrades and lockfile updates, and enabling scheduled or manual remediation via GitHub Actions.

Automated security remediation workflow:

• Added .github/workflows/trivy-remediation.yml to run a scheduled or manual Trivy scan, remediate vulnerabilities, and create a pull request with fixes.

Dependency remediation scripts:

• Introduced scripts/trivy-remediation.sh, which orchestrates Trivy scanning, npm audit fixes, dependency upgrades, and lockfile updates.
• Added scripts/trivy-scan.sh for running Trivy scans and outputting results in JSON format.
• Added scripts/audit-remediation.sh for running npm audit fix and updating the lockfile.
• Created scripts/dependency-fix.js to programmatically upgrade vulnerable dependencies based on Trivy reports, using safe version upgrades and npm overrides.

Configuration updates:

• Updated .eslintrc.js to disable certain TypeScript linting rules for plain Node.js scripts under scripts/.
• Added semver as a dev dependency in package.json for version comparison and manipulation.

[sonarqubecloud]

SonarQube reviewer guide

Summary: Add automated security vulnerability remediation via Trivy scanning and npm audit fixes, with a new GitHub Actions workflow to detect and patch HIGH/CRITICAL vulnerabilities.

Review Focus:

• The dependency-fix.js script implements complex logic for resolving vulnerabilities through direct upgrades, parent dependency updates, and npm overrides. Verify the semver comparison logic and safety checks are robust.
• The GitHub Actions workflow runs on a schedule with write permissions to main branch—ensure the automation doesn't introduce breaking changes or bypass necessary reviews.
• ESLint configuration changes to handle plain Node.js scripts in the scripts/ directory are appropriate but confirm no TypeScript rules are inadvertently disabled elsewhere.

Start review at: scripts/dependency-fix.js. This is the core remediation logic that modifies package.json and determines upgrade strategies. Its correctness directly impacts production dependencies and stability.

💬 Please send your feedback

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[yeshamavani]

should not the base be master

[yeshamavani]

for now we are assuming that always a greater version will not have vulnerabilities
might not always be true but its okay for mow

[Tyagi-Sunny]

what if after one execution, stills there are trivy vulenrabilties left.