DefGuard · wojcik91 · Apr 23, 2026 · Apr 22, 2026 · Apr 22, 2026 · Apr 22, 2026
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
@@ -70,6 +70,9 @@ jobs:
 
       - name: Scan image with Trivy
         uses: aquasecurity/trivy-action@v0.36.0
+        env:
+          TRIVY_SHOW_SUPPRESSED: 1
+          TRIVY_IGNOREFILE: "./.trivyignore.yaml"
         with:
           image-ref: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}"
           format: "table"

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -34,6 +34,9 @@ jobs:
 
       - name: Create SBOM with Trivy
         uses: aquasecurity/trivy-action@v0.36.0
+        env:
+          TRIVY_SHOW_SUPPRESSED: 1
+          TRIVY_IGNOREFILE: "./.trivyignore.yaml"
         with:
           scan-type: 'fs'
           format: 'spdx-json'
@@ -44,6 +47,9 @@ jobs:
 
       - name: Create Docker image SBOM with Trivy
         uses: aquasecurity/trivy-action@v0.36.0
+        env:
+          TRIVY_SHOW_SUPPRESSED: 1
+          TRIVY_IGNOREFILE: "./.trivyignore.yaml"
         with:
           image-ref: "ghcr.io/defguard/defguard-proxy:${{ steps.vars.outputs.VERSION }}"
           scan-type: 'image'
@@ -54,6 +60,9 @@ jobs:
 
       - name: Create security advisory file with Trivy
         uses: aquasecurity/trivy-action@v0.36.0
+        env:
+          TRIVY_SHOW_SUPPRESSED: 1
+          TRIVY_IGNOREFILE: "./.trivyignore.yaml"
         with:
           scan-type: 'fs'
           format: 'json'
@@ -64,6 +73,9 @@ jobs:
 
       - name: Create Docker image security advisory file with Trivy
         uses: aquasecurity/trivy-action@v0.36.0
+        env:
+          TRIVY_SHOW_SUPPRESSED: 1
+          TRIVY_IGNOREFILE: "./.trivyignore.yaml"
         with:
           image-ref: "ghcr.io/defguard/defguard-proxy:${{ steps.vars.outputs.VERSION }}"
           scan-type: 'image'

diff --git a/.trivyignore.yaml b/.trivyignore.yaml
@@ -1,4 +1,4 @@
 vulnerabilities:
   - id: GHSA-w5hq-g745-h8pq
-    expired_at: 2026-04-30
-    statement: 'Not yet fixed in dependencies'
+    expired_at: 2026-05-23
+    statement: "Waiting for upstream patch in paraglide"
diff --git a/Cargo.toml b/Cargo.toml
@@ -25,7 +25,7 @@ axum-server = { version = "0.8", features = ["tls-rustls"] }
 time = { version = "0.3", default-features = false }
 tokio = { version = "1", features = ["macros", "rt-multi-thread", "sync", "time"] }
 tokio-stream = "0.1"
-tower-http = { version = "0.6", features = ["fs", "trace"] }
+tower-http = { version = "0.6", features = ["fs", "trace", "timeout"] }
 # logging/tracing
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }

diff --git a/example-config.toml b/example-config.toml
@@ -7,6 +7,6 @@ http_port = 8080
 grpc_port = 50051
 
 log_level = "info"
-rate_limit_per_second = 0
-rate_limit_burst = 0
+rate_limit_per_second = 10
+rate_limit_burst = 100
 acme_staging = false
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -40,6 +40,7 @@
           buf
           # image signarute verification
           cosign
+          trivy
         ];
 
         # Specify the rust-src path (many editors rely on this)

diff --git a/package.json b/package.json
@@ -1,5 +1,5 @@
 {
 	"devDependencies": {
-		"@tanstack/devtools-vite": "^0.3.11"
+		"@tanstack/devtools-vite": "^0.3.12"
 	}
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -40,6 +40,7 @@ @@
               buf
               # image signarute verification
               cosign
+              trivy
             ];
             # Specify the rust-src path (many editors rely on this)
@@ Expand Down @@