
Security: triage May 2026 code scanning alerts #45740

Open
lukeheath wants to merge 5 commits into main from security/triage-may-2026

Conversation

@lukeheath

@lukeheath lukeheath commented May 18, 2026

Summary

Addresses 6 of 10 open code scanning alerts on main (Trivy + Scorecard), and locks every entry in package.json to an exact version while we're in there.

CVEs

  • Alert 1686: CVE-2026-33532 (yaml DoS). Add "**/yaml": "1.10.3" to resolutions, bumps transitive yaml 1.10.2 → 1.10.3. Source path was cosmiconfig (build/dev tooling only — no untrusted YAML parsing at runtime), but patching is cheap.

Supply-chain pinning (Scorecard)

  • Alert 1796 trivy-close-legacy.yml — pin codeql-action/upload-sarif@v3 to SHA 8a470fdd… (same pin used elsewhere in this repo).
  • Alert 1688 tools/fleetd-linux/fedora-43/Dockerfile — pin FROM fedora:43 to digest.
  • Alert 1687 tools/fleetd-linux/debian-13.4/Dockerfile — pin FROM debian:13.4 to digest.
  • Alert 1557: test-go.yaml, go install gotest.tools/gotestsum@latest → gotest.tools/gotestsum@c4a0df2e75a225d979a444342dd3db752b53619f (commit SHA for v1.13.0).
  • Alert 1556 test-go-suite.yaml — same.

False positive

  • Alert 1640 Stripe pk_test_ token in ee/fleet-agent-downloader/config/custom.js. It's a commented-out publishable key (public by design) in a Sails config template. Added the path to the existing skip-files list in trivy-scan.yml, alongside the identical website/config/custom.js skip that's already there.

Dependency hygiene

  • Replaced every ^ and ~ range in package.json with the exact version currently in yarn.lock. Affects postcss, @tsconfig/recommended, typescript, and four resolutions entries (css-node-extract, css-node-extract/postcss, css-selector-extract, wait-on/axios). One side effect: wait-on/axios had been silently floating to 0.28.1 under the previous ^0.28.0; pinned at 0.28.1.

Test plan

  • CI passes on this branch (especially test-go / test-go-suite after gotestsum SHA pin).
  • Confirm yarn install produces a clean lockfile (now has yaml@1.10.3 and exact pins).
  • Next nightly Trivy scan shows alerts 1686 and 1640 closed.
  • Next Scorecard run shows alerts 1796, 1688, 1687, 1557, 1556 closed.

Summary by CodeRabbit

  • Chores
    • Pinned dependency and build tool versions for consistent, reproducible builds across all environments
    • Updated CI/CD workflow configurations with specific version references
    • Enhanced security scanning settings to exclude additional files from vulnerability assessments
    • Pinned container image digests to ensure deterministic build base environments

Review Change Stack

Address 6 of 10 open code scanning alerts on main.

CVEs:
- CVE-2026-33532 (yaml DoS): add "**/yaml": "^1.10.3" resolution.
  yaml@1.10.2 was pulled in transitively via cosmiconfig (build/dev
  tooling only — no untrusted YAML at runtime), but patching is cheap.

Supply-chain pinning (Scorecard):
- trivy-close-legacy.yml: pin codeql-action/upload-sarif to SHA
- fleetd-linux/{fedora-43,debian-13.4}/Dockerfile: pin base image digest
- test-go.yaml, test-go-suite.yaml: pin gotestsum@latest -> @v1.13.0

False positive:
- ee/fleet-agent-downloader/config/custom.js: add to existing
  trivy-scan.yml skip-files list. Same Sails template as
  website/config/custom.js (already skipped); the flagged Stripe key
  is a commented-out pk_test_ publishable placeholder.

Not addressed in this PR:
- Scorecard npmCommand alerts on fleet-agent-downloader workflows
  (#1651, #1652) — require generating a package-lock.json and
  switching to npm ci. Belongs with the app owners.
- moby/docker CVE-2026-33997 (#1811) — docker dep is only used in
  test/upgrade harness, no plugin install code path. Defer to next
  dep-bump cycle.

Scorecard's "goCommand not pinned by hash" check wants a commit hash,
not a tag. Replace @v1.13.0 with the commit SHA and keep the tag in
a trailing comment for readability.
@codecov

codecov Bot commented May 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.76%. Comparing base (1c945df) to head (3c30ca0).
⚠️ Report is 13 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #45740      +/-   ##
==========================================
+ Coverage   66.75%   66.76%   +0.01%     
==========================================
  Files        2745     2747       +2     
  Lines      219339   219724     +385     
  Branches    10848    11010     +162     
==========================================
+ Hits       146420   146709     +289     
- Misses      59691    59763      +72     
- Partials    13228    13252      +24     
Flag               Coverage   Patch   Δ
backend            68.59%     <ø>     +0.02% ⬆️
backend-activity   86.35%     <ø>     (ø)
frontend           55.61%     <ø>     -0.03% ⬇️

@lukeheath lukeheath assigned georgekarrv and sharon-fdm and unassigned lukeheath May 18, 2026
@lukeheath lukeheath marked this pull request as ready for review May 18, 2026 23:12
Copilot AI review requested due to automatic review settings May 18, 2026 23:12
@lukeheath lukeheath requested a review from getvictor as a code owner May 18, 2026 23:12

@claude claude Bot left a comment


Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

@coderabbitai

coderabbitai Bot commented May 18, 2026

Walkthrough

This PR applies deterministic pinning across the build system infrastructure. GitHub Actions workflows now reference specific versions of gotestsum (v1.13.0) and github/codeql-action/upload-sarif (commit SHA) instead of floating tags. The npm package manifest pins exact versions for postcss, @tsconfig/recommended, typescript, webpack tooling, and resolution entries like yaml and serialize-javascript. Docker base images for Debian 13.4 and Fedora 43 are pinned to specific SHA256 digests. The Trivy scan workflow gains an additional file exclusion for ee/fleet-agent-downloader/config/custom.js. All changes remove version range operators (caret, etc.) in favor of exact or digest-based references.

Possibly related PRs

  • fleetdm/fleet#45621: Modifies trivy-scan.yml to add custom.js paths to the skip-files exclusion list, directly overlapping with this PR's Trivy configuration changes.
  • fleetdm/fleet#44942: Updates github/codeql-action/upload-sarif reference in trivy-close-legacy.yml, same workflow step modified in this PR to use commit SHA pinning.
  • fleetdm/fleet#45164: Also extends the Trivy skip-files exclusions in trivy-scan.yml, aligning with the file exclusion changes in this PR.
Pre-merge checks: 5 passed

  • Title check: Passed. The title 'Security: triage May 2026 code scanning alerts' directly describes the main purpose of the PR, which is to address and resolve code scanning security alerts.
  • Description check: Passed. The description comprehensively covers the six alerts addressed, supply-chain pinning changes, false positive handling, and dependency hygiene updates, with clear test plan items.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/trivy-close-legacy.yml:
- Line 28: The GitHub Action pin
`github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571` is
labeled v3.24.6 but the SHA doesn't match; update the reference for consistency
by either replacing the pinned SHA with the correct v3.24.6 commit
`dafdd0a215b77395467a765b26d982dfc030f847` or change the comment/tag to reflect
the actual commit you intend to pin (edit the `uses:` entry
`github/codeql-action/upload-sarif@...` and the adjacent version comment
accordingly).

In `@tools/fleetd-linux/debian-13.4/Dockerfile`:
- Line 1: The FROM line in the Dockerfile uses the wrong digest for debian:13.4;
update the Dockerfile's FROM statement (the image reference beginning with "FROM
debian:13.4@sha256:...") to use the correct amd64 digest
sha256:3352c2e13876c8a5c5873ef20870e1939e73cb9a3c1aeba5e3e72172a85ce9ed so the
image reference matches the debian:13.4 tag.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 074d0c3c-1777-4179-b0bc-16ed869bd481

📥 Commits

Reviewing files that changed from the base of the PR and between 15a4b16 and 3c30ca0.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (7)
  • .github/workflows/test-go-suite.yaml
  • .github/workflows/test-go.yaml
  • .github/workflows/trivy-close-legacy.yml
  • .github/workflows/trivy-scan.yml
  • package.json
  • tools/fleetd-linux/debian-13.4/Dockerfile
  • tools/fleetd-linux/fedora-43/Dockerfile

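The PR description above pins four kinds of reference (GitHub Actions `uses:` lines, `go install ...@latest`, Dockerfile `FROM` images, and `^`/`~` ranges in package.json), and the CodeRabbit review then flags a pinned SHA whose `# v3.24.6` comment does not match the commit it names. The following script is an added example, not code from the fleet repository and not Scorecard's own implementation: it audits all four reference kinds the way a reviewer would before a Scorecard run, and cross-checks a SHA pin against the tag named in its trailing comment. The sample workflow, Dockerfile, package.json and the `TAG_TABLE` tag-to-SHA lookup are constructed stand-ins (the SHAs are obviously fake); a real audit would resolve tags with `git ls-remote` instead of a dictionary.

```python
"""Supply-chain pin audit in the spirit of OpenSSF Scorecard's
pinned-dependencies check. Added example, not code from the fleet repository.
The sample workflow, Dockerfile, package.json and the tag->SHA table below
are constructed; a real audit would resolve tags with `git ls-remote`."""
import json
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")                       # immutable git commit
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")                # immutable OCI image digest
USES_RE = re.compile(r"uses:\s*([\w.-]+/[\w./-]+)@(\S+)(?:\s*#\s*(\S+))?")
GO_INSTALL_RE = re.compile(r"go\s+install\s+([^@\s]+)@(\S+)")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
FLOATING = re.compile(r"^[\^~<>=]|^\*$|\.x$|^latest$|\|\||\s-\s")  # npm range syntax


def audit_workflow(text, resolve_tag=None):
    """Flag action refs and `go install` targets that are not 40-hex commit SHAs.
    With resolve_tag(repo, tag) -> sha, also flag a SHA whose trailing
    `# vX.Y.Z` comment names a tag that resolves to a different commit."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.search(line)
        if m:
            action, ref, comment = m.groups()
            if not SHA40.match(ref):
                findings.append(f"workflow:{n} {action} uses mutable ref {ref}")
            elif resolve_tag and comment:
                repo = "/".join(action.split("/")[:2])   # owner/repo of a sub-action path
                want = resolve_tag(repo, comment)
                if want and want != ref:
                    findings.append(f"workflow:{n} {action} comment says {comment}, "
                                    f"which is {want[:12]}, but pins {ref[:12]}")
        m = GO_INSTALL_RE.search(line)
        if m and not SHA40.match(m.group(2)):
            findings.append(f"workflow:{n} go install {m.group(1)}@{m.group(2)} "
                            "is not pinned by hash")
    return findings


def audit_dockerfile(text):
    """Flag FROM images without a sha256 digest; skip build-stage names and scratch."""
    findings, stages = [], set()
    for n, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, stage = m.groups()
        if image.lower() not in stages and image != "scratch" and not DIGEST.search(image):
            findings.append(f"Dockerfile:{n} {image} is not pinned to a digest")
        if stage:
            stages.add(stage.lower())
    return findings


def audit_package_json(text):
    """Flag dependency and resolution specs that are ranges rather than exact versions."""
    data = json.loads(text)
    findings = []
    for section in ("dependencies", "devDependencies", "resolutions"):
        for name, spec in data.get(section, {}).items():
            if FLOATING.search(spec):
                findings.append(f"package.json {section}.{name} = {spec!r} is a range")
    return findings


# Constructed sample inputs. The SHAs are fake stand-ins, not real commits.
PINNED_SHA = "2" * 40   # what the tag in TAG_TABLE "really" points at
STALE_SHA = "1" * 40    # some other commit, pinned under a misleading comment
TAG_TABLE = {("github/codeql-action", "v3.24.6"): PINNED_SHA}  # stand-in for git ls-remote

SAMPLE_WORKFLOW = f"""\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/upload-sarif@{STALE_SHA} # v3.24.6
      - run: go install gotest.tools/gotestsum@latest
      - run: go install gotest.tools/gotestsum@{PINNED_SHA} # v1.13.0
"""
SAMPLE_DOCKERFILE = f"""\
FROM golang:1.22 AS builder
FROM debian:13.4@sha256:{'a' * 64}
FROM builder AS test
FROM fedora:43
"""
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"postcss": "^8.4.31", "typescript": "5.4.5"},
    "resolutions": {"**/yaml": "1.10.3", "wait-on/axios": "^0.28.0"},
})


def run_demo():
    """Run all three audits over the constructed samples; returns every finding."""
    lookup = lambda repo, tag: TAG_TABLE.get((repo, tag))
    return (audit_workflow(SAMPLE_WORKFLOW, lookup)
            + audit_dockerfile(SAMPLE_DOCKERFILE)
            + audit_package_json(SAMPLE_PACKAGE_JSON))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Without a resolver the script only reports references that are not hashes at all; the comment-versus-SHA mismatch the review raised is only detectable by resolving the named tag, which is why `audit_workflow` takes `resolve_tag` as an injected dependency rather than shelling out to git itself.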

Copilot AI left a comment


Pull request overview

This PR addresses code scanning and supply-chain pinning alerts by pinning selected dependencies/actions/images and updating the JavaScript lockfile for security-related dependency resolution.

Changes:

  • Pins GitHub Actions, Go tooling installation, and Linux Docker base images to immutable references.
  • Locks selected package.json dependency/resolution ranges and updates yarn.lock, including yaml 1.10.3.
  • Adds the fleet agent downloader Sails config template to Trivy’s skipped files for known placeholder Stripe keys.

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated no comments.

Show a summary per file
File Description
yarn.lock Updates lockfile entries to match exact pins and resolve yaml to 1.10.3.
tools/fleetd-linux/fedora-43/Dockerfile Pins the Fedora 43 base image to a digest.
tools/fleetd-linux/debian-13.4/Dockerfile Pins the Debian 13.4 base image to a digest.
package.json Replaces selected dependency and resolution ranges with exact versions and adds a yaml resolution.
.github/workflows/trivy-scan.yml Adds the fleet agent downloader config template to Trivy skipped files.
.github/workflows/trivy-close-legacy.yml Pins github/codeql-action/upload-sarif to a commit SHA.
.github/workflows/test-go.yaml Pins gotestsum installation to a commit SHA.
.github/workflows/test-go-suite.yaml Pins reusable Go suite gotestsum installation to the same commit SHA.
