Implement Anchore pass/fail in CI/CD #1223
Comments
@godfreykutumela, I'm happy to own this, and work on the development side, but I need someone with more experience in the security side to help with analyzing the vulnerability files and set the baseline for passing vs failing.
@pedrosousabarreto we spoke about turning this story into a more generic "define baseline requirements for code security", but I think I would like to keep this specifically about Anchore image scanning and our CI/CD process. Perhaps we can open another ticket about setting goals in Mojaloop around application security (as we talked about), or roll it into #1222, which talks about a tool summary.
How are you doing on this one @lewisdaly
I've started by comparing the anchore vuln.json files against the base docker image of
I think we're going to spend a little more time evaluating the business goals on this one and how it can fit into our developer workflow with minimal overhead.
From what we've discussed in meetings and on Slack, I'm going to go ahead with the following:
- Base Image Scanning
- Scan every release
Yes that was basically the agreement in principle @lewisdaly please go ahead with the implementation. I have put more issues into this sprint so please review and let me know if feasible to achieve them all.
I've started working on a global anchore policy, based on the docker CIS 1.14 guidelines. I'm also working on a tool which will 'diff' anchore reports, so we can determine if an issue has been added to a docker image that isn't present in the base image. You can see these works in progress here:
The Anchore CircleCI orb fails to load our custom policies. I'm trying to debug it, but it looks like an issue with Anchore itself. If I don't make any progress, I'll follow up with the anchore devs.
Noted @lewisdaly thanks for the update
It appears that I'm not the only one with this issue: anchore/ci-tools#27 It could be that the error message is a red herring, and the actual policy file is invalid. This wouldn't be a crazy situation because there's not much documentation about creating policy files. |
I'll work on opening some of the proper PRs across the repos over the next few days.
Great news and well done for the persistence on this one @lewisdaly |
All builds passing, so ready for reviews now. |
This is awesome news.
Goal:
As an "OSS Developer", I want to "define a security policy for pass/fails on Anchore-cli docker image scans" so I can "address container security concerns as part of the CI/CD process"
In the last PI, we added anchore image scanning to most of the containers' CI/CD process. This scanning produces a vulnerability file, which lists a number of potential security issues with the given container. We currently ignore this file in the CI/CD process.
In this task, we need to understand that vulnerability file, and develop a security policy for setting a PASS/FAIL action in the CI/CD process so we can start to reduce the number of potential vulnerabilities.
Tasks:
- ml-api-adapter, and resolve potential issues.
- mojaloop/documentation and link in the readme.md files of the projects.
Acceptance Criteria:
Pull Requests:
Follow-up:
Dependencies:
Accountability:
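As an added example (not code from this issue or from the Mojaloop repos), the following script shows the two pieces the issue and the comments describe: diffing an Anchore vuln.json report for an application image against the report for its base image, and applying a PASS/FAIL policy only to the findings the application layer introduced. The reports are constructed inline, and the field names `vuln`, `package`, `severity` and `fix` are assumed to match the `anchore-cli image vuln <image> all --json` output; the severity threshold and the fixable-only option are policy choices, not something the issue specifies.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample reports shaped like `anchore-cli image vuln <image> all --json`
# (assumed keys: vuln, package, severity, fix). CVE ids and packages are made up.
BASE_REPORT = json.loads("""{"vulnerabilities": [
  {"vuln": "CVE-0000-0001", "package": "libssl1.1-1.1.1d", "severity": "Medium", "fix": "None"},
  {"vuln": "CVE-0000-0002", "package": "bash-5.0", "severity": "Low", "fix": "None"}]}""")
IMAGE_REPORT = json.loads("""{"vulnerabilities": [
  {"vuln": "CVE-0000-0001", "package": "libssl1.1-1.1.1d", "severity": "Medium", "fix": "None"},
  {"vuln": "CVE-0000-0002", "package": "bash-5.0", "severity": "Low", "fix": "None"},
  {"vuln": "CVE-0000-0003", "package": "lodash-4.17.11", "severity": "High", "fix": "4.17.12"},
  {"vuln": "CVE-0000-0004", "package": "minimist-0.0.8", "severity": "Critical", "fix": "None"}]}""")

# Anchore severity labels, ordered so a threshold can be compared numerically.
SEVERITY_RANK: Dict[str, int] = {
    "Negligible": 0, "Unknown": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}


def _key(finding: dict) -> Tuple[str, str]:
    # Identify a finding by (CVE, package): the same CVE in two packages is two findings.
    return (finding["vuln"], finding["package"])


def diff_reports(base: dict, image: dict) -> List[dict]:
    """Findings present in the application image but absent from its base image."""
    base_keys = {_key(v) for v in base["vulnerabilities"]}
    return [v for v in image["vulnerabilities"] if _key(v) not in base_keys]


def evaluate(base: dict, image: dict, fail_at: str = "High",
             fixable_only: bool = False) -> Tuple[str, List[dict]]:
    """Apply the gate to introduced findings only, so base-image noise does not block builds.

    Returns ("FAIL", blocking) if any introduced finding is at or above `fail_at`;
    with fixable_only=True, findings that have no fix are reported but do not block.
    """
    threshold = SEVERITY_RANK[fail_at]
    blocking = [v for v in diff_reports(base, image)
                if SEVERITY_RANK.get(v["severity"], SEVERITY_RANK["Unknown"]) >= threshold
                and (not fixable_only or v["fix"] != "None")]
    return ("FAIL" if blocking else "PASS"), blocking


if __name__ == "__main__":
    verdict, blocking = evaluate(BASE_REPORT, IMAGE_REPORT)
    for v in blocking:
        print(f"{v['severity']:<9} {v['vuln']}  {v['package']}  fix: {v['fix']}")
    print(verdict)
    raise SystemExit(1 if verdict == "FAIL" else 0)  # non-zero exit fails the CI job
```

In a CircleCI step the two reports would be produced by scanning the base image tag and the freshly built image tag, and the script's exit status becomes the job result.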