
Added trivy-scan for plugins #856

Open · yashsingh74 wants to merge 1 commit into main

Conversation

@yashsingh74 commented Mar 18, 2023

This PR introduces security scanning for the plugins repository. The job will run on any pull request or push that makes changes on the main branch.

1. Why is this pull request needed and what does it do?
CVE scanning for the plugins repository will be enabled by this PR. It will make it easier to track down the HIGH and CRITICAL CVEs being used.

Test result:
[Screenshot: test result, 2023-03-18]

@yashsingh74 (Author)

cc: @squeed @dcbw

@squeed (Member) commented Apr 11, 2023

I'm willing to try this, but I'm concerned about endless false positives. The CNI plugins make no HTTP or TLS requests, provide no network services, and don't parse end-user-provided input. Dealing with the output of security scanners is, in my experience, a tiring exercise in pulling signal from noise.

CNI, as a volunteer-operated project, only has so many resources, and dealing with spurious false positives might not be a good use of that time.

Does trivy do any sort of code path analysis to determine if CVEs are applicable in the style of govulncheck?
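The scan job sketched in the PR description (run on push and pull request against main, report only HIGH and CRITICAL) alongside the reachability-based check squeed asks about, as an added example. This is not the PR's own workflow file, which is not shown on this page, and it is not maintained by the CNI project. Assumptions: the workflow name, job names and output file name are made up; the repository has a go.mod at its root; trivy-action is referenced by its `master` branch as in its upstream README, whereas a real workflow should pin it to a release tag or commit SHA.

```yaml
# Added example workflow (not the PR's file). Runs a Trivy filesystem scan
# and govulncheck on every push to main and every pull request against it.
name: security-scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required to upload SARIF to the Security tab

jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Scan the checked-out tree (go.mod / go.sum). Only HIGH and CRITICAL
      # findings are reported, findings with no fixed version are skipped to
      # cut noise, and any remaining hit fails the job (exit-code: 1).
      - name: Trivy filesystem scan
        uses: aquasecurity/trivy-action@master   # pin to a tag or SHA in practice
        with:
          scan-type: fs
          scan-ref: .
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: '1'
          format: sarif
          output: trivy-results.sarif           # assumed file name

      # Upload even when the scan step failed, so the findings are visible
      # as code-scanning alerts on the PR.
      - name: Upload Trivy results
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: trivy-results.sarif

  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v4
        with:
          go-version-file: go.mod               # assumes go.mod at repo root

      # govulncheck only reports a vulnerability when the affected function is
      # reachable from this module's call graph, which is the code-path
      # analysis the question above refers to. A package-level scanner flags
      # every vulnerable module in go.sum regardless of whether it is called.
      - name: govulncheck
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck ./...
```

Running both jobs side by side is a practical way to triage the package-level scanner's output: a Trivy finding that govulncheck does not also report is a candidate for a documented ignore entry rather than an urgent fix, while a finding both tools agree on is reachable and should block the merge.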

@yashsingh74 (Author)

Yes, we are not testing any HTTP or TLS requests. But this will help to test the overall code.
Also, it does make some noise, but it would be good to look into it, as there are so many different users who will be contributing to or using the plugins.
Overall, it will help to catch the CVEs before merging any new PRs.

@yashsingh74 (Author)

@squeed Please review the PR.

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

Signed-off-by: Yash Singh <syash@vmware.com>