Fix remaining moderate & low security issues [BW-774] #730
Conversation
|
LGTM for now! Btw it's not necessary to use blessed in all stages of a Dockerfile, we only care about the last stage (which is used at runtime). |
@dinvlad TIL, thanks. It can't hurt though, right? If someone compromises an image used in a non-final stage, that could still contaminate the end product, I would think. |
|
Yep, good point! Trivy is mostly a runtime requirement on our side, since it reveals vulnerabilities that could potentially be exploited once the service is deployed in prod. It does not scan for "malicious" images afaik (although some have reported it detects things like cryptomining bots). In addition, we're only scanning for OS-level dependencies and omit others (e.g. Python/Java packages etc., for which we use SourceClear instead). So you can treat it as just a "compliance checkmark" :-) |
|
Makes sense. To be honest, I didn't know that much about how Docker image building worked before this ticket, so I cast a wide net. |
| @@ -1,12 +1,11 @@ | |||
| # Job Manager | |||
|
|
|||
| [](https://circleci.com/gh/DataBiosphere/job-manager/tree/master) | |||
|  | |||
|  | |||
There was a problem hiding this comment.
I'm surprised that cromwell-sub is still showing.
There was a problem hiding this comment.
I think that only updates after merge
There was a problem hiding this comment.
You can preview it by checking out the branch and viewing in IntelliJ markdown split view
The more base images we can convert to blessed ones, the better.