eSlider/flamingo-tech-test
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 11 Wiki Activity

Add Trivy CVE scan, container registry docs, and update diagrams
Helm Chart CI & Release / Lint Helm Chart (push) Successful in 9s
Details
Helm Chart CI & Release / Semantic Release (push) Successful in 2m1s
Details

Browse Source 
- Add Trivy vulnerability scan step to CI (HIGH/CRITICAL, warn-only)
- Add Container Registry section to README with pull examples
- Update architecture doc and HLD with crane + Trivy details

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Andrey
2026-02-19 21:38:05 +00:00
parent bd723dbd05
commit 8e99fe7614
4 changed files with 40 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/architecture-design-company-inc.md
+1 -1
View File
@@ -147,7 +147,7 @@ All container images are stored in **GCP Artifact Registry** in the `company-inc
- **Image retention policy** — keep the latest 10 tagged images per service; automatically garbage-collect untagged manifests older than 30 days.
- **Access control** — CI service account has `roles/artifactregistry.writer`; GKE node service accounts have `roles/artifactregistry.reader`. No human push access.
*For self-hosted Git platforms (e.g. Gitea), the built-in OCI container registry can serve the same role at zero additional cost, with Trivy added as a CI step for vulnerability scanning.*
*For self-hosted Git platforms (e.g. Gitea), the built-in OCI container registry can serve the same role at zero additional cost. In the practical part of this project, this is demonstrated: the CI pipeline mirrors the upstream FleetDM image to the Gitea OCI registry using `crane` (a daemonless image tool), then scans it with **Trivy** for HIGH/CRITICAL CVEs before publishing the release.*
#### Deployment Pipelines (CI/CD Integration)
docs/architecture-hld.md
+4 -3
View File
@@ -29,7 +29,7 @@ flowchart TB
Blue[Blue — new release<br/>smoke tests]
end
subgraph Workloads
API[Backend — Python / Flask<br/>HPA · 23 replicas]
API[Backend — Python / Flask<br/>HPA · 2-3 replicas]
SPA[Frontend — React SPA<br/>Nginx]
end
Redis[Redis — Memorystore<br/>Session / Cache]
@@ -94,8 +94,9 @@ flowchart LR
flowchart LR
Dev[Developer] -->|push| Repo[Git Repo]
Repo -->|webhook| CI[CI Pipeline<br/>lint · test · build]
CI -->|docker build + push| Registry[Container Registry<br/>Artifact Registry / Gitea OCI]
CI -->|scan image| Trivy[Trivy<br/>CVE scan]
CI -->|crane copy / docker push| Registry[Container Registry<br/>Artifact Registry / Gitea OCI]
Registry -->|scan image| Trivy[Trivy<br/>HIGH + CRITICAL CVEs]
Trivy -->|pass| CI2[Publish Release]
CI -->|update manifests| GitOps[GitOps Repo]
GitOps -->|sync| Argo[ArgoCD]
Argo -->|blue-green deploy| GKE[GKE Cluster]