feat: monitor OS vulnerability in Skaffold LTS images. #6964
Conversation
Codecov Report

@@            Coverage Diff             @@
##             main    #6964      +/-   ##
==========================================
- Coverage   70.48%   68.77%   -1.72%
==========================================
  Files         515      551      +36
  Lines       23150    25370    +2220
==========================================
+ Hits        16317    17447    +1130
- Misses       5776     6740     +964
- Partials     1057     1183     +126
Continue to review full report at Codecov.
steps:
- id: Get github token.
  name: gcr.io/cloud-builders/gcloud
  entrypoint: 'bash'
Should use /bin/bash to be consistent with line 8.
Done.
deploy/lts-vuln-monitor/report.sh (Outdated)

check_existing_issue() {
  label=$1
  if [ $(gh issue list --label="$label" --repo="$_REPO" | wc -c) -ne 0 ]; then
    echo "There is already an issue opened for the vulnerabilities that are found in the LTS images." && exit 0
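Review bot: the duplicate check in `if [ $(gh issue list ... | wc -c) -ne 0 ]` treats a failed `gh` call (expired token, rate limit, wrong `$_REPO`) the same as "no open issue", because a failing command prints nothing to stdout, `wc -c` reports 0, and the script then goes on to open a fresh issue on every run. Capture the listing first and check the exit status, e.g. `existing=$(gh issue list --label="$label" --repo="$_REPO") || exit 1`, then test `-n "$existing"`. Also note that `exit 0` here terminates the whole script rather than returning from the function, which is the behaviour the thread below relies on, so a comment saying so would help the next reader.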
What if there are new, more severe, vulnerabilities reported?
The GitHub issue only serves as a reminder for the Skaffold team to look up the vulnerabilities in the report that is created by Container Analysis.
Except that you're listing the images with vulnerabilities, and a new vulnerability could have been discovered in a different image.
I added the code to update the existing issue.
# If changed, also change the same variable in report.sh.
OS_VULN_FILE=/workspace/os_vuln.txt
GREP_TEMPLATE="-e "
append() {
Feels like there should be a blank line to separate the unrelated variables from this function.
Done.
set -x

# Variables that will be substituted in cloudbuild.yaml.
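Review bot: `set -x` traces every expanded command, including its arguments, to the Cloud Build log, and this job obtains a GitHub token (the `Get github token.` step above). Make sure the token is only ever passed through an environment variable or stdin and never appears as a command-line argument of a traced command, or wrap the token-handling lines in `set +x` / `set -x`, so the secret does not end up in the build logs.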
Note that these substitutions must be explicitly propagated into the environment with an env: section on a step in the cloudbuild.yaml.
ah, I only tested with default values before. Added the substitutions section.
Thanks. This is looking pretty solid.
…ound in the LTS images. Reference: go/cd-lts-image-security.
Update author.
Can you copy the logs and share a gpaste/ link?
I have added the gpaste link.
Nice! Looks like issues are getting created here: https://github.com/ChrisGe4/cd-lts-test/issues
Address the Google Cloud API warning and then LGTM! Thank you for your patience.
Add a Cloud Build job to monitor the vulnerabilities that are found in the LTS images.
Reference: go/cd-lts-image-security.