ci(cve): Scan the war and docker images with grype #1432
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
3 tasks
MichaelsJP
force-pushed
the
feat/1420-integrate-grype
branch
from
0c7974a
to
dfa9a42
Compare
MichaelsJP
changed the title
MichaelsJP
force-pushed
the
feat/1420-integrate-grype
branch
8 times, most recently
from
6ddfc50
to
861ad15
Compare
MichaelsJP
force-pushed
the
feat/1420-integrate-grype
branch
from
861ad15
to
2c49b8d
Compare
MichaelsJP
force-pushed
the
feat/1420-integrate-grype
branch
14 times, most recently
from
5eec325
to
86fa648
Compare
MichaelsJP
force-pushed
the
feat/1420-integrate-grype
branch
2 times, most recently
from
4dee031
to
fb43e69
Compare
MichaelsJP
changed the title
MichaelsJP
force-pushed
the
feat/1420-integrate-grype
branch
2 times, most recently
from
68a909d
to
59bcb4e
Compare
The check tests for all CVEs but doesn't fail if one is found. The checks are only for information right now.
MichaelsJP
force-pushed
the
feat/1420-integrate-grype
branch
from
59bcb4e
to
f7e0e88
Compare
takb
approved these changes
May 23, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR introduces grype as another vulnerability check, next to Snyk. It's being implemented as an informational action right now. It's not as convenient as Snyk, but it seems as it's used frequently in the corporate world. Part of the reasons are, it's open source and way more picky in terms of what is being reported and what not.
The check is executed as the following action:
There are two checks now with that action that check for the docker image as well as for the war file.
The results are first printed to the runner's log and as well uploaded as a SARIF file with
github/codeql-action. The results of the SARIF file can then be viewed in the code scanning GitHub overview:https://github.com/GIScience/openrouteservice/security/code-scanning?query=pr%3A1432+tool%3AGrype+is%3Aopen
Additionally, it runs each Sunday at 00:00 am.
The goal for now is to just inform us of detected vulnerabilities to be able to react in time.