fix(scanner): arm64 ramparts GLIBC_2.39 + trivy vuln-DB pre-cache (MCP-2150)#744

Merged: Dumbris merged 1 commit into main from fix/mcp-2150-scanner-arm64-trivy-db on Jun 22, 2026

Conversation

@Dumbris (Member) commented Jun 22, 2026

Problem

Two scanner images fail at runtime on arm64 (Apple Silicon macOS):

  1. ramparts exits with GLIBC_2.39 not found on aarch64. The ramparts Dockerfile was already fixed (PR #665, "fix(scanner): pin ramparts builder to rust:1-slim-bookworm (MCP-2395)", pinned the Rust builder to debian:bookworm-slim to match the runtime glibc), but the CI only built linux/amd64. The old stale linux/arm64 manifest (built against the trixie-era rust:1-slim with glibc 2.39+) remained in GHCR and was served to arm64 Docker clients.

  2. trivy-mcp exits 1 with no output: the ghcr.io/aquasecurity/trivy:latest image downloads its ~96 MiB vuln DB on first scan, which races the per-scanner timeout on slow connections.

Fix

ramparts — native arm64 runner (MCP-2150 / MCP-2395)

Split the ramparts CI matrix into two per-arch entries:

  • ubuntu-latest (amd64 native) → pushes :latest-amd64
  • ubuntu-24.04-arm (arm64 native) → pushes :latest-arm64

Add a merge-ramparts job that uses docker buildx imagetools create to assemble the multi-arch :latest and :<sha> manifests. This replaces the stale arm64 manifest. The Dockerfile itself is unchanged — the bookworm pin from PR #665 is correct.

trivy-mcp — pre-cached vuln DB

Add docker/scanners/trivy/Dockerfile: extends ghcr.io/aquasecurity/trivy:latest and runs trivy image --download-db-only at build time. TRIVY_CACHE_DIR=/trivy-cache is baked into the image so the runtime binary reads the pre-cached DB without needing --cache-dir flags.

  • Update registry_bundled.go: DockerImage → ghcr.io/smart-mcp-proxy/scanner-trivy:latest, Timeout 300s → 120s (no download for trivy fs), NetworkReq comment updated (still true for trivy image scanning remote registries).
  • Add trivy to the scanner-images matrix (linux/amd64,linux/arm64).
  • Add weekly cron schedule (Monday 03:00 UTC) to keep the pre-cached DB reasonably current.

Testing

  • go test ./internal/security/scanner/... — PASS
  • golangci-lint — 0 issues
  • CI will build and push the new trivy wrapper image + multi-arch ramparts on merge

Related

  • MCP-2150 — this fix
  • MCP-2395 — original QEMU timeout / bookworm-pin ticket

ramparts (GLIBC_2.39):
- Split CI matrix into per-arch native builds: ubuntu-latest for amd64,
  ubuntu-24.04-arm for arm64. Eliminates QEMU overhead that caused
  arm64 cargo-install to time out (MCP-2395), which left a stale
  arm64 manifest in GHCR linked against glibc 2.39 (trixie-era rust:1-slim).
- Add merge-ramparts job: assembles the multi-arch :latest manifest from
  :latest-amd64 + :latest-arm64 using docker buildx imagetools create.
- Dockerfile already has the bookworm pin (PR #665); no Dockerfile change needed.

trivy-mcp (vuln-DB download timeout):
- Add docker/scanners/trivy/Dockerfile: wraps ghcr.io/aquasecurity/trivy:latest
  and pre-caches the ~96 MiB vuln DB at build time via
  trivy image --download-db-only. TRIVY_CACHE_DIR=/trivy-cache baked in so
  runtime reads the same path without --cache-dir flags.
- Update registry_bundled.go: DockerImage -> ghcr.io/smart-mcp-proxy/scanner-trivy,
  Timeout 300s -> 120s (no download needed for fs scans), update NetworkReq comment.
- Add trivy to scanner-images.yml matrix (linux/amd64,linux/arm64).
- Add weekly cron schedule (Monday 03:00 UTC) so the pre-cached DB stays current.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
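Two of the steps in this PR, written out as an added POSIX shell example (not code from the mcpproxy-go repository or from this PR): the imagetools merge the merge-ramparts job performs, a dependency-free check that the resulting index actually carries both linux/amd64 and linux/arm64 (the failure mode here was an old arm64 manifest that kept being served without any error), and a smoke test that the Trivy wrapper image really has its DB under TRIVY_CACHE_DIR. The image name ghcr.io/example-org/scanner-ramparts, the function names and the two sample index documents are constructed placeholders; the db/trivy.db and db/metadata.json layout under the cache directory is assumed from current Trivy releases and should be confirmed against the pinned Trivy version.

```shell
#!/bin/sh
# Added example, not code from the mcpproxy-go repository or this PR.
# Assumptions: the image name is a placeholder; the Trivy cache layout
# ($TRIVY_CACHE_DIR/db/trivy.db + db/metadata.json) is what current Trivy
# releases write and should be re-checked against the pinned Trivy version.

# 1. Manifest merge. Emit the `docker buildx imagetools create` command that
#    stitches the two per-arch tags pushed by the native runners into one
#    multi-arch tag, which is what the merge-ramparts job does.
merge_manifest_cmd() {
  image="$1"
  tag="$2"
  printf 'docker buildx imagetools create -t %s:%s %s:%s-amd64 %s:%s-arm64\n' \
    "$image" "$tag" "$image" "$tag" "$image" "$tag"
}

# 2. Post-push check. Read a raw OCI image index on stdin (the output of
#    `docker buildx imagetools inspect --raw IMAGE:TAG`) and print one
#    "os/arch" line per manifest entry. Dependency-free on purpose so it
#    runs on a bare CI runner without jq.
index_platforms() {
  tr -d ' \n' | grep -o '"platform":{[^}]*}' | while IFS= read -r p; do
    arch=$(printf '%s' "$p" | sed -E 's/.*"architecture":"([^"]+)".*/\1/')
    os=$(printf '%s' "$p" | sed -E 's/.*"os":"([^"]+)".*/\1/')
    printf '%s/%s\n' "$os" "$arch"
  done
}

# Succeed only if every platform named as an argument is in the index on
# stdin. This is the check that would have caught the stale arm64 manifest:
# a tag carrying only linux/amd64 fails here instead of being served
# silently to Apple Silicon clients.
require_platforms() {
  found=$(index_platforms)
  for want in "$@"; do
    printf '%s\n' "$found" | grep -qx "$want" || {
      echo "manifest is missing $want" >&2
      return 1
    }
  done
  return 0
}

# 3. Trivy pre-cache smoke test. After building the wrapper image, run this
#    inside it (e.g. via --entrypoint sh) to confirm the DB was baked in, so
#    the 120 s runtime timeout is not spent on a download.
db_precached() {
  cache_dir="$1"
  [ -f "$cache_dir/db/metadata.json" ] && [ -f "$cache_dir/db/trivy.db" ]
}

# Constructed sample indexes for an offline demo (digests are dummies): a
# healthy multi-arch index, and a stale one that, like the bug in this PR,
# only has an amd64 entry.
GOOD_INDEX='{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[
{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:aaaa","size":1,"platform":{"architecture":"amd64","os":"linux"}},
{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:bbbb","size":1,"platform":{"architecture":"arm64","os":"linux"}}]}'
STALE_INDEX='{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[
{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:aaaa","size":1,"platform":{"architecture":"amd64","os":"linux"}}]}'

# Offline demo; on a real runner feed the output of
# `docker buildx imagetools inspect --raw ghcr.io/example-org/scanner-ramparts:latest`
# into require_platforms instead of the sample text.
merge_manifest_cmd ghcr.io/example-org/scanner-ramparts latest
printf '%s' "$GOOD_INDEX" | require_platforms linux/amd64 linux/arm64 && echo "good index: ok"
printf '%s' "$STALE_INDEX" | require_platforms linux/amd64 linux/arm64 || echo "stale index: rejected (expected)"
```

The platform check is the piece worth wiring into CI right after the merge job: the bug was not a build failure but a tag that looked fine and carried the wrong binary, and only an explicit assertion on the pushed index catches that class of drift.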
@cloudflare-workers-and-pages


Deploying mcpproxy-docs with Cloudflare Pages

Latest commit: 1a84190
Status: ✅  Deploy successful!
Preview URL: https://7b508c74.mcpproxy-docs.pages.dev
Branch Preview URL: https://fix-mcp-2150-scanner-arm64-t.mcpproxy-docs.pages.dev

@codecov-commenter


Codecov Report

✅ All modified and coverable lines are covered by tests.

@github-actions


📦 Build Artifacts

Workflow Run: View Run
Branch: fix/mcp-2150-scanner-arm64-trivy-db

Available Artifacts

  • archive-darwin-amd64 (28 MB)
  • archive-darwin-arm64 (25 MB)
  • archive-linux-amd64 (16 MB)
  • archive-linux-arm64 (14 MB)
  • archive-windows-amd64 (28 MB)
  • archive-windows-arm64 (25 MB)
  • frontend-dist-pr (0 MB)
  • installer-dmg-darwin-amd64 (21 MB)
  • installer-dmg-darwin-arm64 (19 MB)

How to Download

Option 1: GitHub Web UI (easiest)

  1. Go to the workflow run page linked above
  2. Scroll to the bottom "Artifacts" section
  3. Click on the artifact you want to download

Option 2: GitHub CLI

gh run download 27934996620 --repo smart-mcp-proxy/mcpproxy-go

Note: Artifacts expire in 14 days.

@mcpproxy-gatekeeper (Bot) left a comment

✅ Gatekeeper approval — MCP-2150 scanner arm64 fix. KimiReviewer verdict ACCEPT (model-diverse fallback). CI fully green incl. scanner-image builds (trivy + ramparts per-arch). Diff: trivy → pre-cached scanner-trivy image (DB baked, 300→120s timeout), per-arch native runners avoid QEMU timeout. Author (ReleaseEngineer) ≠ approver.

@Dumbris Dumbris merged commit 85f60a9 into main Jun 22, 2026
45 checks passed