
ci: add trivy scan in ci workflow #403

Merged (2 commits) Mar 27, 2023

Conversation

phisco
Contributor

@phisco phisco commented Mar 21, 2023

Description of your changes

Adding a trivy scan to the ci workflow, as already done for Crossplane, crossplane/crossplane#3665.

I have:

  • Read and followed Crossplane's contribution process.
  • Run make reviewable test to ensure this PR is ready for review.

How has this code been tested

Already running on Crossplane.

Contributor

@lsviben lsviben left a comment


Good addition to our security pipeline @phisco !

ignore-unfixed: true
skip-dirs: design
scan-ref: '.'
severity: 'CRITICAL,HIGH'
Member


Do you think if it makes sense to exit 1 in case of critical? I am a bit worried that information is lost when we have a green check at the end?

Contributor Author


Not sure I got your suggestion. This setting means that it is going to exit with exit code 1 in case of critical or high vulnerabilities detected.

Member


Not high but critical.

AFAIU, it currently outputs the scan result and always returns success no matter what it found, right?
I am wondering if it makes sense to exit 1 in case of critical one to make it more visible.

Contributor Author


right, yes, I'd leave it for both HIGH and CRITICAL:

Suggested change
severity: 'CRITICAL,HIGH'
exit-code: '1'
severity: 'CRITICAL,HIGH'
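Review bot: `exit-code: '1'` only fails the job on findings that survive the step's filters, and `ignore-unfixed: true` in the same step drops every vulnerability without a fixed version before the gate is evaluated, so an unfixed CRITICAL would still yield a green check; worth noting that trade-off in a comment next to the input so nobody reads the red/green status as "no CRITICAL/HIGH present".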

Member


I am not sure about high.
For example, right now there is 1 high, and CI will be failing until we resolve it. It could be reasonable when there is a critical one, maybe.

Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
├──────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2022-41723 │ HIGH     │ 0.4.0             │ 0.7.0         │ golang.org/x/net/http2: avoid quadratic complexity in HPACK │
│                  │                │          │                   │               │ decoding                                                    │
│                  │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-41723                  │

Contributor Author


we should fix it then 😉 #388

Member


Ok, let's go with that and consider softening later if needed.
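The gating behaviour argued over above (severity filter, ignore-unfixed, exit-code), as an added example that is not part of this PR or of Trivy: a small Python emulation run over a constructed Trivy JSON report. The "Results[].Vulnerabilities[]" layout with VulnerabilityID/Severity/InstalledVersion/FixedVersion fields is assumed to match Trivy's JSON output; the first finding mirrors the one quoted in the thread, the second is invented to show an unfixed vulnerability.

```python
import json
import sys

# Constructed sample report (shape assumed to follow `trivy --format json`).
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "go.mod",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-41723", "PkgName": "golang.org/x/net",
             "InstalledVersion": "0.4.0", "FixedVersion": "0.7.0", "Severity": "HIGH",
             "Title": "golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding"},
            # Constructed placeholder: CRITICAL but with no fix available yet.
            {"VulnerabilityID": "CONSTRUCTED-0001", "PkgName": "example.com/constructed",
             "InstalledVersion": "1.0.0", "FixedVersion": "", "Severity": "CRITICAL",
             "Title": "constructed placeholder with no fixed version"},
        ],
    }],
})


def select_findings(report_json, severities, ignore_unfixed):
    """Return the findings that pass the step's filters, i.e. the ones the
    'severity' input keeps and that 'ignore-unfixed: true' does not drop."""
    wanted = {s.strip().upper() for s in severities.split(",")}
    hits = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity", "").upper() not in wanted:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # silently filtered, never reaches the gate
            hits.append(vuln)
    return hits


def exit_code_for(report_json, severities="CRITICAL,HIGH", ignore_unfixed=True, exit_code=1):
    """Emulate the 'exit-code' input: with exit_code=0 (the default) the step is
    green no matter what was found; with 1 it fails on any surviving finding."""
    return exit_code if select_findings(report_json, severities, ignore_unfixed) else 0


if __name__ == "__main__":
    for v in select_findings(SAMPLE_REPORT, "CRITICAL,HIGH", True):
        print(f"{v['Severity']:<8} {v['VulnerabilityID']} {v['PkgName']} "
              f"{v['InstalledVersion']} -> {v['FixedVersion']}")
    sys.exit(exit_code_for(SAMPLE_REPORT))
```

Running it exits 1 because the fixable HIGH survives the filters, while the same report gated on CRITICAL only would pass, since the unfixed CRITICAL is discarded by ignore-unfixed.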

Signed-off-by: Philippe Scorsolini <p.scorsolini@gmail.com>
Signed-off-by: Philippe Scorsolini <p.scorsolini@gmail.com>
@turkenh turkenh merged commit 2bc6c4e into crossplane:master Mar 27, 2023