ci: add trivy scan in ci workflow #403
Conversation
Good addition to our security pipeline @phisco !
ignore-unfixed: true
skip-dirs: design
scan-ref: '.'
severity: 'CRITICAL,HIGH'
Do you think it makes sense to exit 1 in case of critical? I am a bit worried that information is lost when we have a green check at the end.
Not sure I got your suggestion. This setting means that it is going to exit with exit code 1 in case of critical or high vulnerabilities detected.
Not high but critical.
AFAIU, it currently outputs the scan result and always returns success no matter what it found, right?
I am wondering if it makes sense to exit 1 in case of a critical one, to make it more visible.
right, yes, I'd leave it for both HIGH and CRITICAL:
exit-code: '1'
severity: 'CRITICAL,HIGH'
I am not sure about high.
For example, right now there is 1 high, and CI will be failing until we resolve it. It could be reasonable when there is a critical one, maybe.
Total: 1 (HIGH: 1, CRITICAL: 0)
┌──────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2022-41723 │ HIGH │ 0.4.0 │ 0.7.0 │ golang.org/x/net/http2: avoid quadratic complexity in HPACK │
│ │ │ │ │ │ decoding │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-41723 │
we should fix it then 😉 #388
Ok, let's go with that and consider softening later if needed.
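The thread above settles on failing the job for both HIGH and CRITICAL while leaving room to soften the policy later. As an added example, not code from this PR or from the trivy project, here is a small Python gate that applies the same two knobs discussed above (ignore-unfixed and the severity set) to a trivy JSON report, so the policy can be adjusted without editing the workflow. The report below is constructed to mirror the single HIGH finding quoted in the thread; the second vulnerability id is a placeholder.

```python
import json
import sys

# Constructed sample in the shape of `trivy fs --format json` output.
# The first finding mirrors the HIGH result quoted in the thread;
# the second is a constructed placeholder with no fixed version.
SAMPLE_REPORT = {
    "Results": [
        {
            "Target": "go.mod",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2022-41723", "PkgName": "golang.org/x/net",
                 "InstalledVersion": "0.4.0", "FixedVersion": "0.7.0", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "example.org/unfixed",
                 "InstalledVersion": "1.0.0", "FixedVersion": "", "Severity": "HIGH"},
            ],
        }
    ]
}


def findings(report, ignore_unfixed=True):
    """Flatten all results; drop findings without a fix when ignore_unfixed is set."""
    out = []
    for result in report.get("Results", []):
        # trivy emits null (not []) for targets without vulnerabilities
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            out.append(vuln)
    return out


def gate(report, fail_on=("CRITICAL", "HIGH"), ignore_unfixed=True):
    """Return (exit_code, blocking_ids): exit 1 only if a finding is in fail_on.

    Findings outside fail_on are still returned by findings() for the log,
    so nothing is hidden behind a green check; they just do not block."""
    blocking = [v["VulnerabilityID"] for v in findings(report, ignore_unfixed)
                if v.get("Severity") in fail_on]
    return (1 if blocking else 0), blocking


if __name__ == "__main__":
    # Usage: python gate.py report.json [CRITICAL,HIGH]
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    levels = tuple(sys.argv[2].split(",")) if len(sys.argv) > 2 else ("CRITICAL", "HIGH")
    code, ids = gate(report, fail_on=levels)
    print(f"blocking ({','.join(levels)}): {ids or 'none'}")
    sys.exit(code)
```

Run with `trivy fs --format json --output report.json .` feeding the script, and pass `CRITICAL` as the second argument to get the softer policy debated above.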
Signed-off-by: Philippe Scorsolini <p.scorsolini@gmail.com>
Description of your changes
Adding a trivy scan to the ci workflow, as already done for Crossplane, crossplane/crossplane#3665.
I have: make reviewable test to ensure this PR is ready for review.
How has this code been tested
Already running on Crossplane.