ci(cve): Scan the war and docker images with grype #1432
Merged
This PR introduces grype as another vulnerability check, next to Snyk. It's being implemented as an informational action right now. It's not as convenient as Snyk, but it seems it's used frequently in the corporate world. Part of the reasons are that it's open source and way more picky in terms of what is being reported and what not.
The check is executed as the following action:
There are two checks now with that action that check for the docker image as well as for the war file.
The results are first printed to the runner's log and also uploaded as a SARIF file with github/codeql-action. The results of the SARIF file can then be viewed in the code scanning GitHub overview: https://github.com/GIScience/openrouteservice/security/code-scanning?query=pr%3A1432+tool%3AGrype+is%3Aopen
Additionally, it runs each Sunday at 00:00 am.
The goal for now is to just inform us of detected vulnerabilities to be able to react in time.
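A workflow that does what the description sketches (grype over the war file and the docker image, table output in the runner log, SARIF upload to code scanning, plus the Sunday 00:00 schedule), written as an added example and not the workflow file from this PR. The war path, the image tag and the build steps are assumptions.

```yaml
name: grype-scan
on:
  pull_request:
  schedule:
    - cron: '0 0 * * 0'          # every Sunday at 00:00 UTC
permissions:
  contents: read
  security-events: write         # required to upload SARIF to code scanning
jobs:
  grype:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false           # the war and the image are scanned independently
      matrix:
        include:
          - name: war
            target: ./target/ors.war           # assumed location of the built war
          - name: docker
            target: docker:ors-local:latest    # assumed tag of the locally built image
    steps:
      - uses: actions/checkout@v4
      - name: Build artifact under test
        # Placeholder: replace with the project's own war build or docker build step.
        run: echo "build ${{ matrix.name }} here"
      - name: Install grype
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh \
            | sh -s -- -b /usr/local/bin
      - name: Scan (human-readable, goes to the runner log)
        # Informational only: no --fail-on, so findings never break the build.
        # Adding e.g. "--fail-on high" would turn this into a blocking gate.
        run: grype "${{ matrix.target }}" -o table
      - name: Scan (SARIF for code scanning)
        # Second run reuses the vulnerability DB downloaded by the first one.
        run: grype "${{ matrix.target }}" -o sarif --file grype-${{ matrix.name }}.sarif
      - name: Upload SARIF
        if: always()             # upload even when the scan step itself errored
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: grype-${{ matrix.name }}.sarif
          category: grype-${{ matrix.name }}   # keeps war and image results apart in the UI
```

The `category` value is what lets the two uploads coexist in the code scanning overview instead of overwriting each other.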