| Severity | CVE ID | Package | Installed | Fixed In | Description |
|---|---|---|---|---|---|
| ✅ No known vulnerabilities found in the 13 pinned packages listed in requirements.txt (Trivy 0.69.0, scanned 2026-03-17). Note that a requirements.txt scan only covers the direct dependencies it lists, so transitive packages do not appear in this result set. | |||||
| Type | File | Line | Match |
|---|---|---|---|
| ✅ No secrets found | |||
| Severity | ID | Check | File | Message |
|---|---|---|---|---|
| HIGH | DS-0002 | Image user should not be 'root' | Dockerfile | Specify at least 1 USER command in Dockerfile with non-root user as argument |
| HIGH | DS-0017 | 'RUN &lt;package-manager&gt; update' instruction alone | Dockerfile (lines 6–7) | The instruction 'RUN &lt;package-manager&gt; update' should always be followed by '&lt;package-manager&gt; install' in the same RUN statement. Here the flagged RUN executes `apt-get update` and then only `pip install`, with no `apt-get install` at all, so the update is dead work that leaves stale package lists in the image layer; either drop it or pair it with the intended `apt-get install` and `rm -rf /var/lib/apt/lists/*`. |
{
"SchemaVersion": 2,
"Trivy": {
"Version": "0.69.0"
},
"ReportID": "019cfaea-51a0-76d7-a71b-7c6447e9fe3d",
"CreatedAt": "2026-03-17T08:29:46.27245102Z",
"ArtifactID": "sha256:876a373dc123be80568ff1c0a27ebab4b6cc03496250f43585191ec4ff06f02d",
"ArtifactName": "/src",
"ArtifactType": "repository",
"Metadata": {
"RepoURL": "https://github.com/eizen-ai/eizen-vip-rag-based-llm.git",
"Branch": "refactor/vulnerability-fix",
"Commit": "88fdfeb9bbbef918cf9b7641e8a7b3fd73ff72a5",
"CommitMsg": "feat: add security middleware layer and production hardening\n\n- Add API key authentication middleware (X_API_Key header)\n- Add security response headers (CSP, Cache-Control, X-Frame-Options, etc.)\n- Add HTTPS redirect middleware with X-Forwarded-Proto support\n- Add rate limiting via slowapi with configurable thresholds\n- Add IP/CIDR blocking middleware\n- Add CORS middleware with origin whitelist\n- Add media URL validation utility for SSRF prevention\n- Add request logging middleware with X-Request-ID correlation\n- Add global exception handler for unhandled errors\n- Add liveness (/health) and readiness (/health/ready) probes\n- Add environment-driven config with production safety defaults\n- Control /docs, /redoc, /openapi.json exposure via API_DOCS flag\n- Lazy-init MongoDB with thread-safe connection\n- Thread-safe FAISS index loading with lock\n- Validate required env vars at startup\n- Make agentId required with input validation\n- Enforce response models on all endpoints\n- Add .env.example with all configuration options\n- Pin all dependencies in requirements.txt\n- Remove legacy main.py",
"Author": "eizen-jenil <jenil.patel@eizen.ai>",
"Committer": "eizen-jenil <jenil.patel@eizen.ai>"
},
"Results": [
{
"Target": "requirements.txt",
"Class": "lang-pkgs",
"Type": "pip",
"Packages": [
{
"Name": "faiss-cpu",
"Identifier": {
"PURL": "pkg:pypi/faiss-cpu@1.13.2",
"UID": "688c183c9330bce"
},
"Version": "1.13.2",
"Locations": [
{
"StartLine": 12,
"EndLine": 12
}
],
"AnalyzedBy": "pip"
},
{
"Name": "fastapi",
"Identifier": {
"PURL": "pkg:pypi/fastapi@0.135.1",
"UID": "f9fcc5abebbfb30"
},
"Version": "0.135.1",
"Locations": [
{
"StartLine": 2,
"EndLine": 2
}
],
"AnalyzedBy": "pip"
},
{
"Name": "langchain-community",
"Identifier": {
"PURL": "pkg:pypi/langchain-community@0.4.1",
"UID": "fa345632e48e2777"
},
"Version": "0.4.1",
"Locations": [
{
"StartLine": 8,
"EndLine": 8
}
],
"AnalyzedBy": "pip"
},
{
"Name": "langchain-huggingface",
"Identifier": {
"PURL": "pkg:pypi/langchain-huggingface@1.2.1",
"UID": "46bca73ae98c7a3a"
},
"Version": "1.2.1",
"Locations": [
{
"StartLine": 7,
"EndLine": 7
}
],
"AnalyzedBy": "pip"
},
{
"Name": "loguru",
"Identifier": {
"PURL": "pkg:pypi/loguru@0.7.3",
"UID": "32d6807876922762"
},
"Version": "0.7.3",
"Locations": [
{
"StartLine": 4,
"EndLine": 4
}
],
"AnalyzedBy": "pip"
},
{
"Name": "numpy",
"Identifier": {
"PURL": "pkg:pypi/numpy@1.26.4",
"UID": "37784df659fe6703"
},
"Version": "1.26.4",
"Locations": [
{
"StartLine": 10,
"EndLine": 10
}
],
"AnalyzedBy": "pip"
},
{
"Name": "pymongo",
"Identifier": {
"PURL": "pkg:pypi/pymongo@4.16.0",
"UID": "dea6d0107ee52c50"
},
"Version": "4.16.0",
"Locations": [
{
"StartLine": 5,
"EndLine": 5
}
],
"AnalyzedBy": "pip"
},
{
"Name": "python-dotenv",
"Identifier": {
"PURL": "pkg:pypi/python-dotenv@1.2.2",
"UID": "6db41bd0240d987a"
},
"Version": "1.2.2",
"Locations": [
{
"StartLine": 3,
"EndLine": 3
}
],
"AnalyzedBy": "pip"
},
{
"Name": "requests",
"Identifier": {
"PURL": "pkg:pypi/requests@2.32.5",
"UID": "204b5091499434e3"
},
"Version": "2.32.5",
"Locations": [
{
"StartLine": 6,
"EndLine": 6
}
],
"AnalyzedBy": "pip"
},
{
"Name": "sentence-transformers",
"Identifier": {
"PURL": "pkg:pypi/sentence-transformers@5.3.0",
"UID": "d2bffd7deb9519c3"
},
"Version": "5.3.0",
"Locations": [
{
"StartLine": 9,
"EndLine": 9
}
],
"AnalyzedBy": "pip"
},
{
"Name": "slowapi",
"Identifier": {
"PURL": "pkg:pypi/slowapi@0.1.9",
"UID": "b9f755443a567243"
},
"Version": "0.1.9",
"Locations": [
{
"StartLine": 13,
"EndLine": 13
}
],
"AnalyzedBy": "pip"
},
{
"Name": "torch",
"Identifier": {
"PURL": "pkg:pypi/torch@2.10.0",
"UID": "c2e61769b24baf58"
},
"Version": "2.10.0",
"Locations": [
{
"StartLine": 11,
"EndLine": 11
}
],
"AnalyzedBy": "pip"
},
{
"Name": "uvicorn",
"Identifier": {
"PURL": "pkg:pypi/uvicorn@0.42.0",
"UID": "7b3bbe9a917ac7be"
},
"Version": "0.42.0",
"Locations": [
{
"StartLine": 1,
"EndLine": 1
}
],
"AnalyzedBy": "pip"
}
]
},
{
"Target": "Dockerfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 22,
"Failures": 2
},
"Misconfigurations": [
{
"Type": "Dockerfile Security Check",
"ID": "DS-0002",
"Title": "Image user should not be 'root'",
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
"Namespace": "builtin.dockerfile.DS002",
"Query": "data.builtin.dockerfile.DS002.deny",
"Resolution": "Add 'USER <non root user name>' line to the Dockerfile",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds-0002",
"References": [
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
"https://avd.aquasec.com/misconfig/ds-0002"
],
"Status": "FAIL",
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general"
}
},
{
"Type": "Dockerfile Security Check",
"ID": "DS-0017",
"Title": "'RUN <package-manager> update' instruction alone",
"Description": "The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.",
"Message": "The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.",
"Namespace": "builtin.dockerfile.DS017",
"Query": "data.builtin.dockerfile.DS017.deny",
"Resolution": "Combine '<package-manager> update' and '<package-manager> install' instructions to single one",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds-0017",
"References": [
"https://docs.docker.com/develop/develop-images/instructions/#run",
"https://avd.aquasec.com/misconfig/ds-0017"
],
"Status": "FAIL",
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"StartLine": 6,
"EndLine": 7,
"Code": {
"Lines": [
{
"Number": 6,
"Content": "RUN apt-get update && \\",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;64mRUN\u001b[0m apt-get update \u001b[38;5;245m&&\u001b[0m \u001b[38;5;124m\\",
"FirstCause": true,
"LastCause": false
},
{
"Number": 7,
"Content": " pip install --no-cache-dir -r requirements.txt",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m pip install --no-cache-dir -r requirements.txt",
"FirstCause": false,
"LastCause": true
}
]
}
}
}
]
}
]
}