# Scan Before Push Policy
## Rule
Every container image MUST pass a Trivy vulnerability scan before being pushed to any container registry. Images with unresolved CRITICAL or HIGH vulnerabilities are blocked from being pushed (see Severity Policies below).
## Enforcement
```bash
# Build → Scan → Push workflow (each step runs only if the previous one succeeded)
docker build -t myapp:v1.2.3 . &&
trivy image --exit-code 1 --severity CRITICAL,HIGH myapp:v1.2.3 &&
docker tag myapp:v1.2.3 registry.example.com/myapp:v1.2.3 &&
docker push registry.example.com/myapp:v1.2.3   # Only if scan passes
```
## CI/CD Gate
```yaml
- name: Build image
  run: docker build -t app:${{ github.sha }} .
- name: Scan image (MUST pass)
  run: trivy image --exit-code 1 --severity CRITICAL,HIGH app:${{ github.sha }}
- name: Push image (only if scan passed)
  run: |
    docker tag app:${{ github.sha }} registry.example.com/app:${{ github.sha }}
    docker push registry.example.com/app:${{ github.sha }}
```
## Severity Policies
| Severity | Action | Timeline |
|----------|--------|----------|
| CRITICAL | Block push, fix immediately | Same day |
| HIGH | Block push, fix within sprint | 1 week |
| MEDIUM | Warn, track in backlog | 30 days |
| LOW | Log, review quarterly | 90 days |
## Ignore Rules (Exceptions)
```
# .trivyignore — document every exception
# CVE-2023-44487: HTTP/2 rapid reset — mitigated by WAF rules
# Review date: 2026-06-01
CVE-2023-44487
```
## Anti-Patterns
- Pushing images without scanning
- Scanning after push (too late — image is already deployable)
- Disabling exit-code to "get the build green"
- Permanent ignore rules without review dates
- Scanning only in production pipeline (scan in development too)
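As an added example that is not part of this policy page: a POSIX shell gate implementing the build, scan, push sequence from the Enforcement section together with the review-date convention from the Ignore Rules section, so that an exception whose review date has passed (or that has none) fails the pipeline before the scan even runs. The `check_trivyignore` and `gate` function names, the sample file path and the fixed "today" of 2026-01-15 are assumptions made for the demonstration.

```shell
#!/bin/sh
# Build, scan, then push, with an expiry check on every .trivyignore exception.
# Convention assumed here: each CVE line is preceded by "# Review date: YYYY-MM-DD".
# Trivy does not enforce that comment; this script does.

# check_trivyignore FILE [TODAY] -> 0 only if every exception has an unexpired review date
check_trivyignore() {
    file=$1
    today=$(printf '%s' "${2:-$(date +%Y-%m-%d)}" | tr -d '-')   # 2026-01-15 -> 20260115
    status=0
    review=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '# Review date: '*)                 # only a well-formed ISO date counts
                case "${line#*: }" in
                    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) review="${line#*: }" ;;
                esac
                ;;
            CVE-*)                              # an exception entry: dated or rejected
                cve=${line%% *}
                if [ -z "$review" ]; then
                    echo "ERROR: $cve has no valid review date" >&2; status=1
                elif [ "$(printf '%s' "$review" | tr -d '-')" -lt "$today" ]; then
                    echo "ERROR: $cve review date $review has passed" >&2; status=1
                fi
                review=""                       # one review date covers exactly one CVE
                ;;
        esac
    done < "$file"
    return "$status"
}

# gate IMAGE REGISTRY -> push happens only if exceptions, build and scan all pass
gate() {
    check_trivyignore .trivyignore || return 1
    docker build -t "$1" . || return 1
    trivy image --exit-code 1 --severity CRITICAL,HIGH "$1" || return 1
    docker tag "$1" "$2/$1" && docker push "$2/$1"
}

# Constructed sample .trivyignore (not a real project file), checked as of 2026-01-15.
sample=${TMPDIR:-/tmp}/trivyignore.sample
cat > "$sample" <<'EOF'
# CVE-2023-44487: HTTP/2 rapid reset, mitigated by WAF rules
# Review date: 2026-06-01
CVE-2023-44487
EOF
check_trivyignore "$sample" 2026-01-15 && echo "exceptions valid; safe to run: gate myapp:v1.2.3 registry.example.com"
```

Wire `gate` into the CI job in place of the three separate steps; the exit code of the whole function is what the pipeline should gate on.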