# ADR 047: Trivy Security Scanner

- HTML version: https://robbiepalmer.me/projects/recipe-site/adrs/044-trivy
- Project: Recipe Site (https://robbiepalmer.me/projects/recipe-site.md)
- Status: Accepted
- Date: 2026-06-21
- Inherited from project: personal-site (https://robbiepalmer.me/projects/personal-site/adrs/047-trivy.md)

# Additional Context for Recipe Site

The recipe site extends the Trivy security scanning baseline to cover Neon Postgres infrastructure in addition to Cloudflare.

## Neon-Specific IaC Scanning

Trivy scans the Neon Terraform configurations for:

* **Database access controls**: Hard-coded or overly permissive connection strings, exposed endpoints, or weak authentication settings
* **Backup and recovery**: Missing backup configurations that could lead to data loss
* **Resource limits**: Misconfigurations that could lead to unexpected costs or resource exhaustion
* **Network exposure**: Database endpoints inadvertently exposed to the public internet

## Why This Matters for Recipe Site

The recipe site stores user data (accounts, households, saved recipes) in Neon Postgres. Misconfigurations in the database infrastructure pose:

* **Data breach risk**: User account data could be exposed
* **Financial risk**: Unauthorized database access could lead to unexpected Neon usage costs
* **Availability risk**: Misconfigured resources could fail under load or during incident recovery

Running Trivy in CI gives automated detection of these misconfigurations before the Terraform is applied to production.

# Consequences

## Positive

* **Database security posture**: Neon Postgres configurations are scanned for common misconfigurations alongside Cloudflare infrastructure
* **Unified tooling**: Single security scanner covers both Cloudflare and Neon IaC—no need for separate database-specific scanners

## Negative

* **Neon-specific rule coverage**: Trivy's built-in Terraform checks target the major cloud providers and are generic for everything else, so they may not catch Neon-specific best practices or edge cases. A clean scan of a `neon_*` resource can mean "no rule applied" rather than "no problem found"; manual review of Neon configurations remains necessary.
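The scanning and gating described above, as an added example that is not the recipe site's or Trivy's own code: a CI step that reads a `trivy config --format json --include-non-failures` report for the Neon Terraform, fails the build on HIGH/CRITICAL findings, and, because of the coverage caveat just noted, also lists every `neon_*` resource that no check evaluated so it is routed to manual review. The resource names, check IDs (`USR-NEON-0001`, `USR-CF-0001`), file paths and report contents below are constructed sample data, not real Trivy checks or project files.

```python
"""Gate a Trivy IaC scan of the Neon Terraform and list Neon resources no check touched.

Added example, not the recipe site's own tooling. Assumes the report was produced with
    trivy config --format json --include-non-failures infra/neon > trivy-neon.json
so that passed checks appear alongside failures (Status "PASS" / "FAIL"); without
--include-non-failures every resource with no failures would look "unchecked".
"""
import json
import re
import sys
from collections import defaultdict

FAIL_ON = {"CRITICAL", "HIGH"}

# Constructed sample Terraform; hypothetical resources following the neon_* naming convention.
SAMPLE_TF = """
resource "neon_project" "recipes" {
  name = "recipe-site"
}

resource "neon_endpoint" "primary" {
  project_id = neon_project.recipes.id
  branch_id  = neon_branch.main.id
}

resource "cloudflare_record" "db_cname" {
  zone_id = var.zone_id
  name    = "db"
  value   = neon_endpoint.primary.host
  type    = "CNAME"
}
"""

# Constructed sample report in the shape of Trivy's JSON output. The check IDs are
# hypothetical placeholders for custom checks, not real Trivy check IDs.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "Results": [
        {
            "Target": "main.tf",
            "Class": "config",
            "Type": "terraform",
            "MisconfSummary": {"Successes": 1, "Failures": 1, "Exceptions": 0},
            "Misconfigurations": [
                {
                    "ID": "USR-NEON-0001",
                    "Title": "Neon endpoint has no suspend timeout",
                    "Severity": "MEDIUM",
                    "Status": "FAIL",
                    "CauseMetadata": {"Resource": "neon_endpoint.primary", "StartLine": 7, "EndLine": 10},
                },
                {
                    "ID": "USR-CF-0001",
                    "Title": "DNS record is proxied",
                    "Severity": "LOW",
                    "Status": "PASS",
                    "CauseMetadata": {"Resource": "cloudflare_record.db_cname", "StartLine": 12, "EndLine": 17},
                },
            ],
        }
    ],
}

RESOURCE_RE = re.compile(r'^\s*resource\s+"([a-z0-9_]+)"\s+"([A-Za-z0-9_-]+)"', re.MULTILINE)


def terraform_resources(tf_text, provider_prefix="neon_"):
    """Return addresses such as 'neon_project.recipes' for resources of one provider."""
    return [f"{t}.{n}" for t, n in RESOURCE_RE.findall(tf_text) if t.startswith(provider_prefix)]


def findings_by_resource(report):
    """Map resource address -> [(check ID, severity, status)] across every Result."""
    by_res = defaultdict(list)
    for result in report.get("Results", []):
        for m in result.get("Misconfigurations", []):
            addr = m.get("CauseMetadata", {}).get("Resource", "<module>")
            by_res[addr].append((m["ID"], m["Severity"], m.get("Status", "FAIL")))
    return by_res


def gate(report, tf_text, fail_on=FAIL_ON):
    """Return (blocking, unchecked): blocking = FAIL findings at gated severities,
    unchecked = neon_* resources for which no check (PASS or FAIL) was recorded."""
    by_res = findings_by_resource(report)
    blocking = sorted(
        (addr, cid, sev)
        for addr, items in by_res.items()
        for cid, sev, status in items
        if status == "FAIL" and sev in fail_on
    )
    unchecked = [addr for addr in terraform_resources(tf_text) if addr not in by_res]
    return blocking, unchecked


def main(argv):
    """CLI: gate.py trivy-neon.json infra/neon/main.tf (paths are assumptions); with no
    arguments the constructed samples are used. Exit 1 when a blocking finding exists."""
    if len(argv) == 2:
        with open(argv[0]) as f:
            report = json.load(f)
        with open(argv[1]) as f:
            tf_text = f.read()
    else:
        report, tf_text = SAMPLE_REPORT, SAMPLE_TF
    blocking, unchecked = gate(report, tf_text)
    for addr, cid, sev in blocking:
        print(f"BLOCK  {sev:<8} {cid} {addr}")
    for addr in unchecked:
        print(f"REVIEW no Trivy check evaluated {addr}; schedule manual review")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

On the sample data the gate passes (the only failure is MEDIUM) but reports `neon_project.recipes` as unchecked, which is exactly the case the caveat above warns about: the project block was never evaluated by any rule, so its silence says nothing about its backup, retention or exposure settings. Findings without a `CauseMetadata.Resource` (module-level checks) are bucketed under `<module>` so they still count toward blocking.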

---

Markdown index of this site: https://robbiepalmer.me/llms.txt
