Implement Anchore pass/fail in CI/CD #1223
Comments
|
@godfreykutumela, I'm happy to own this, and work on the development side, but I need someone with more experience in the security side to help with analyzing the vulnerability files and set the baseline for passing vs failing. |
lewisdaly
changed the title
lewisdaly
changed the title
|
@pedrosousabarreto we spoke about turning this story into a more generic "define baseline requirements for code security", but I think I would like to keep this specifically about Anchore image scanning and our CI/CD process. Perhaps we can open another ticket about setting goals in Mojaloop around application security (as we talked about), or roll it into #1222, which talks about a tool summary. |
|
How are doing on this one @lewisdaly |
|
I've started by comparing the anchore vuln.json files against the base docker image of |
|
I think we're going to spend a little more time evaluating the business goals on this one and how it can fit into our developer workflow with minimal overhead. |
|
From what we've discussed in meeting and on Slack, I'm going to go ahead with the following: Base Image Scanning
Scan every release
|
|
Yes that was basically the agreement in principle @lewisdaly please go ahead with the implementation. I have put more issues into this sprint so please review and let me know if feasible to archive them all. |
|
I've started working on a global anchore policy, based on the docker CIS 1.14 guidelines. I'm also working on a tool which will 'diff' anchore reports, so we can determine if an issue has been added to a docker image that isn't present in the base image. You can see these works in progress here: |
|
The Anchore CircleCI orb fails to load our custom policies. I'm trying to debug it, but it looks like an issue with Anchore itself. If I don't make any progress, I'll follow up with the anchore devs. Noted @lewisdaly thanks for the update |
|
It appears that I'm not the only one with this issue: anchore/ci-tools#27 It could be that the error message is a red herring, and the actual policy file is invalid. This wouldn't be a crazy situation because there's not much documentation about creating policy files. |
|
I'll work on opening some the proper PRs across the repos over the next few days. |
|
Great news and well done for the persistence on this one @lewisdaly |
|
All builds passing, so ready for reviews now. |
|
This is awesome news.
…On Tue, Apr 14, 2020 at 5:19 AM Lewis Daly ***@***.***> wrote:
All builds passing, so ready for reviews now.
—
You are receiving this because you were assigned.
Reply to this email directly, view it on GitHub
<#1223 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AMQFXH35MENSD3ZCEWTW6Z3RMPB2TANCNFSM4KTW6KAA>
.
--
Know thy enemy and know thyself, and you shall survive the outcome of a
thousand battles.
|
Goal:
As an "OSS Developer", I want to "define a security policy for pass/fails on Anchore-cli docker image scans" so I can "address container security concerns as part of the CI/CD process"
In the last PI, we added anchore image scanning to most of the containers' CI/CD process. This scanning produces a vulnerability file, which lists a number of potential security issues with the given container. We currently ignore this file in the CI/CD process.
In this task, we need to understand that vulnerability file, and develop a security policy for setting a PASS/FAIL action in the CI/CD process so we can start to reduce the number of potential vulnerabilities.
Tasks:
ml-api-adapter, and resolve potential issues.mojaloop/documentationand link in thereadme.mdfiles of the projects.Acceptance Criteria:
Pull Requests:
Follow-up:
Dependencies:
Accountability:
The text was updated successfully, but these errors were encountered: