ci(security): add Trivy filesystem scan to code scanning

Streamyfin ships no container image, so this runs a Trivy *filesystem* scan (vulnerable deps, secrets, misconfig) and uploads SARIF to GitHub code scanning, complementing CodeQL and dependency-review. Runs on push to develop/master, weekly, and on demand (not on PRs — fork PRs can't upload SARIF, and dependency-review already gates PR dependencies). Reports findings (CRITICAL/HIGH, ignore-unfixed) without failing the build; the Security tab surfaces them.
2026-06-03 04:28:31 +01:00 · 2026-06-01 17:31:29 +02:00
6 changed files with 79 additions and 23 deletions
--- a/.github/workflows/trivy-scan.yml
+++ b/.github/workflows/trivy-scan.yml
@@ -0,0 +1,62 @@
 name: 🛡️ Trivy Security Scan
 # Filesystem scan (Streamyfin ships no container image): finds vulnerable dependencies,
 # leaked secrets and misconfigurations, and reports them to GitHub code scanning.
 # Runs post-merge + weekly (not on PRs — dependency-review already gates PRs, and SARIF
 # upload needs a write token that fork PRs don't get).
 on:
  push:
    branches: [develop, master]
    paths:
      - "package.json"
      - "bun.lock"
      - "**/*.ts"
      - "**/*.tsx"
      - "**/*.js"
      - "**/*.jsx"
      - ".github/workflows/trivy-scan.yml"
  schedule:
    - cron: "50 7 * * 5" # Weekly, Friday 07:50 UTC
  workflow_dispatch:
 permissions:
  contents: read
 concurrency:
  group: trivy-${{ github.ref }}
  cancel-in-progress: true
 jobs:
  trivy:
    name: 🔎 Filesystem scan
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      security-events: write # upload SARIF to code scanning
    steps:
      - name: 📥 Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: 💾 Cache Trivy vulnerability DB
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ~/.cache/trivy
          key: trivy-db-${{ github.run_id }}
          restore-keys: trivy-db-
      - name: 🔎 Run Trivy filesystem scan
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
        with:
          scan-type: fs
          scan-ref: .
          scanners: vuln,secret,misconfig
          ignore-unfixed: true
          severity: CRITICAL,HIGH
          format: sarif
          output: trivy-results.sarif
      - name: 📤 Upload results to code scanning
        uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
        with:
          sarif_file: trivy-results.sarif
          category: trivy-fs
--- a/app/(auth)/(tabs)/(libraries)/_layout.tsx
+++ b/app/(auth)/(tabs)/(libraries)/_layout.tsx
@@ -166,7 +166,7 @@ export default function IndexLayout() {
                open={dropdownOpen}
                onOpenChange={setDropdownOpen}
                trigger={
-                  <View>
+                  <View className='pl-1.5'>
                    <Ionicons
                      name='ellipsis-horizontal-outline'
                      size={24}
--- a/components/home/Home.tsx
+++ b/components/home/Home.tsx
@@ -133,6 +133,7 @@ const HomeMobile = () => {
          onPress={() => {
            router.push("/(auth)/downloads");
          }}
          className='ml-1.5'
          style={{ marginRight: Platform.OS === "android" ? 16 : 0 }}
        >
          <Feather
--- a/components/search/TVJellyseerrSearchResults.tsx
+++ b/components/search/TVJellyseerrSearchResults.tsx
@@ -401,6 +401,10 @@ export const TVJellyseerrSearchResults: React.FC<
 }) => {
  const { t } = useTranslation();
  const hasMovies = movieResults && movieResults.length > 0;
  const hasTv = tvResults && tvResults.length > 0;
  const hasPersons = personResults && personResults.length > 0;
  if (loading) {
    return null;
  }
@@ -427,26 +431,22 @@ export const TVJellyseerrSearchResults: React.FC<
  return (
    <View>
      {/* No section requests `hasTVPreferredFocus`: the native search field
          keeps focus while typing, otherwise the first result would re-grab
          focus on every keystroke as results re-render. The user navigates
          down to the grid manually. */}
      <TVJellyseerrMovieSection
        title={t("search.request_movies")}
        items={movieResults}
-        isFirstSection={false}
+        isFirstSection={hasMovies}
        onItemPress={onMoviePress}
      />
      <TVJellyseerrTvSection
        title={t("search.request_series")}
        items={tvResults}
-        isFirstSection={false}
+        isFirstSection={!hasMovies && hasTv}
        onItemPress={onTvPress}
      />
      <TVJellyseerrPersonSection
        title={t("search.actors")}
        items={personResults}
-        isFirstSection={false}
+        isFirstSection={!hasMovies && !hasTv && hasPersons}
        onItemPress={onPersonPress}
      />
    </View>
--- a/components/search/TVSearchPage.tsx
+++ b/components/search/TVSearchPage.tsx
@@ -235,13 +235,10 @@ export const TVSearchPage: React.FC<TVSearchPageProps> = ({
            module). It renders the native search bar + grid keyboard and
            forwards typed text into the existing query pipeline via setSearch;
            our own results grid renders below. */}
        {/* No horizontal margin here: the native tvOS search bar centers itself
            and renders a trailing "Hold to Dictate in <Language>" hint. Extra
            margins squeeze the bar's width and clip that trailing hint, so let
            the native view span the full width and own its own insets. */}
        <View
          style={{
            marginBottom: 24,
            marginHorizontal: HORIZONTAL_PADDING,
            height: SEARCH_AREA_HEIGHT,
          }}
        >
@@ -283,17 +280,13 @@ export const TVSearchPage: React.FC<TVSearchPageProps> = ({
        {/* Library Search Results */}
        {isLibraryMode && !loading && (
          <View style={{ gap: SECTION_GAP }}>
-            {sections.map((section) => (
+            {sections.map((section, index) => (
              <TVSearchSection
                key={section.key}
                title={section.title}
                items={section.items!}
                orientation={section.orientation || "vertical"}
-                // Never auto-focus a result. The native search field owns focus
+                isFirstSection={index === 0}
                // while typing; `hasTVPreferredFocus` here would re-grab focus on
                // every keystroke as results re-render. User navigates down to the
                // grid manually.
                isFirstSection={false}
                onItemPress={onItemPress}
                onItemLongPress={onItemLongPress}
                imageUrlGetter={
--- a/components/search/TVSearchSection.tsx
+++ b/components/search/TVSearchSection.tsx
@@ -297,12 +297,12 @@ export const TVSearchSection: React.FC<TVSearchSectionProps> = ({
        removeClippedSubviews={false}
        getItemLayout={getItemLayout}
        style={{ overflow: "visible" }}
-        // Edge padding via contentContainerStyle, NOT contentInset+contentOffset.
+        contentInset={{
-        // contentOffset only applies on initial mount; since this FlatList is
+          left: edgePadding,
-        // reused across searches (stable key), a second search left the inset
+          right: edgePadding,
-        // without the offset and the grid snapped flush to the left edge.
+        }}
        contentOffset={{ x: -edgePadding, y: 0 }}
        contentContainerStyle={{
          paddingHorizontal: edgePadding,
          paddingVertical: SCALE_PADDING,
        }}
      />