[NX-201] Enforce container vulnerability scan gate in CI #11

Closed
opened 2026-02-13 13:16:35 +00:00 by nessi · 1 comment

Goal

Block releases with unresolved high/critical container vulnerabilities.

Scope

  • Add image scanning job for backend/frontend images.
  • Fail workflow on high/critical findings (with explicit allowlist support).

Acceptance Criteria

  • CI fails on new high/critical vulnerabilities.
  • Allowlist process is documented and auditable.
nessi added this to the v1.0 - Stability, Reliability & Security (P0) milestone 2026-02-13 13:16:35 +00:00
nessi added the P0 label 2026-02-13 13:16:35 +00:00
nessi (Author, Owner) commented:

NX-201 Completed

Implemented CI enforcement to prevent shipping releases with unresolved container risks.

What was delivered

  • Added container image security scanning for both:
    • backend
    • frontend
  • Integrated scan execution in CI with machine-readable outputs and human-readable summaries.
  • Implemented policy gate behavior:
    • workflow can fail on HIGH/CRITICAL findings for release-quality pipelines.
  • Added controlled exception path:
    • explicit allowlist mechanism for acknowledged findings (time-bound and reviewable).
  • Kept development scan visibility and reporting to support early remediation before release.

Acceptance Criteria Mapping

  • CI fails on new high/critical vulnerabilities
    Achieved via severity-based scan gating in CI policy for release flows.

  • Allowlist process is documented and auditable
    Achieved via explicit allowlist workflow and traceable CI/report outputs (artifacts + logs) for review history.

Notes

  • This closes NX-201 from an implementation perspective.
  • Recommended ongoing practice:
    • treat allowlist entries as temporary,
    • require owner + expiry + issue link for each exception.
nessi closed this issue 2026-02-14 22:18:06 +00:00
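The gate described in the issue scope and reported delivered in the comment above (fail on HIGH/CRITICAL findings, a time-bound allowlist where every exception carries owner, expiry and issue link, and report-only behaviour for development builds), written out as an added example. This is not NexaPG's own code and the page names no scanner: it assumes the scanner's machine-readable output is Trivy-style JSON (`Results[].Vulnerabilities[]`), that the allowlist is a JSON list, and that the run date is passed in explicitly. The CVE identifiers, package names and allowlist entries in the embedded sample are constructed placeholders, not real findings.

```python
"""Hypothetical CI policy gate for container scan results (added example,
not NexaPG's own code).

Assumptions, all illustrative:
  * scanner output is Trivy-style JSON: Results[].Vulnerabilities[] with
    VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity;
  * the allowlist is a JSON list whose entries each carry
    id, owner, expires (YYYY-MM-DD) and issue;
  * the evaluation date is supplied by the caller for reproducibility.
"""
import json
import sys
from datetime import date

BLOCKING = {"HIGH", "CRITICAL"}
REQUIRED_FIELDS = ("id", "owner", "expires", "issue")


def load_allowlist(entries, today):
    """Split allowlist entries into usable exceptions and audit notes.

    Entries missing a required field, or already expired, are rejected and
    reported rather than silently honoured, so a stale exception can never
    keep a finding suppressed.
    """
    valid, rejected = {}, []
    for entry in entries:
        missing = [f for f in REQUIRED_FIELDS if not entry.get(f)]
        if missing:
            rejected.append(f"{entry.get('id', '?')}: missing {', '.join(missing)}")
            continue
        if date.fromisoformat(entry["expires"]) < today:
            rejected.append(f"{entry['id']}: expired {entry['expires']} "
                            f"(owner {entry['owner']}, {entry['issue']})")
            continue
        valid[entry["id"]] = entry
    return valid, rejected


def evaluate(report, allowlist, today):
    """Apply the severity gate to one image report; returns the verdict."""
    valid, rejected = load_allowlist(allowlist, today)
    blocking, suppressed = [], []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln["Severity"] not in BLOCKING:
                continue  # visible in the scanner report, never gates
            line = (f"{vuln['VulnerabilityID']} {vuln['PkgName']}@"
                    f"{vuln.get('InstalledVersion', '?')} [{vuln['Severity']}] "
                    f"fix: {vuln.get('FixedVersion') or 'none'}")
            if vuln["VulnerabilityID"] in valid:
                suppressed.append(f"{line} (allowed via {valid[vuln['VulnerabilityID']]['issue']})")
            else:
                blocking.append(line)
    return {"blocking": blocking, "suppressed": suppressed, "rejected": rejected}


def exit_code(verdict, enforce):
    """Release pipelines enforce (non-zero on blocking findings); dev pipelines only report."""
    return 1 if enforce and verdict["blocking"] else 0


def run(report, allowlist, today_iso, enforce):
    """Convenience entry point taking the date as an ISO string."""
    verdict = evaluate(report, allowlist, date.fromisoformat(today_iso))
    return verdict, exit_code(verdict, enforce)


def summary(image, verdict, enforce):
    """Human-readable summary for the CI log; the verdict dict is the machine-readable one."""
    lines = [f"scan gate for {image} ({'enforce' if enforce else 'report-only'})"]
    for label in ("blocking", "suppressed", "rejected"):
        lines.append(f"  {label}: {len(verdict[label])}")
        lines.extend(f"    - {item}" for item in verdict[label])
    return "\n".join(lines)


# Constructed sample input with placeholder identifiers; not real findings.
SAMPLE_REPORT = {
    "ArtifactName": "backend:ci",
    "Results": [{"Target": "backend (os packages)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "InstalledVersion": "2.0", "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz", "InstalledVersion": "3.0", "FixedVersion": "3.1", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0005", "PkgName": "libqux", "InstalledVersion": "4.0", "FixedVersion": "4.1", "Severity": "MEDIUM"},
    ]}],
}
SAMPLE_ALLOWLIST = [
    {"id": "CVE-0000-0002", "owner": "app-sec", "expires": "2026-03-31", "issue": "NexaPG#11"},  # valid
    {"id": "CVE-0000-0003", "owner": "app-sec", "expires": "2026-01-31", "issue": "NexaPG#11"},  # expired
    {"id": "CVE-0000-0004", "expires": "2026-12-31", "issue": "NexaPG#11"},                        # no owner
]

if __name__ == "__main__":
    # Usage: gate.py [report.json allowlist.json] [--enforce]; sample data otherwise.
    paths = [a for a in sys.argv[1:] if not a.startswith("--")]
    if len(paths) == 2:
        with open(paths[0]) as f:
            report = json.load(f)
        with open(paths[1]) as f:
            allowlist = json.load(f)
        today = date.today().isoformat()
    else:
        report, allowlist, today = SAMPLE_REPORT, SAMPLE_ALLOWLIST, "2026-02-14"  # fixed date
    enforce = "--enforce" in sys.argv
    verdict, code = run(report, allowlist, today, enforce)
    print(summary(report.get("ArtifactName", "image"), verdict, enforce))
    sys.exit(code)
```

Run it with `--enforce` in the release workflow and without it in development builds so the same findings are visible early without blocking; archive the printed summary together with the scanner's JSON and the allowlist file as CI artifacts, since the rejected-entry lines are what makes an expired or ownerless exception auditable after the fact.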
Reference: nessi/NexaPG#11