Investigating impact of Trivy compromise

[jamietanna]

Although Renovate is unaffected (renovatebot/renovate#42067) we can see that Containerbase is using, with very low permissions on the repo.

We do not believe there is currently any impact. Investigating further

[jamietanna]

When we noticed Trivy was running on this repo (~5m ago), we immediately disabled the Workflow

[jamietanna]

Important

Reviewing this further - we believe no compromise has occurred.

I'll leave this issue open for a week for visibility

[jamietanna]

If we continue working with Trivy, I'd prefer we look at whether aquasecurity/trivy-action#464 can be something we do, or if we start to pin our binaries themselves

Users who checksum pinned their trivy binaries will have had build failures, blocking compromise

(That being said, if Renovate updated us to a new binary version, that checksum would be correct as it's a new release)

[viceice]

I don't see a benefit of using trivie, so I would suggest to just drop it.

[jamietanna]

I do see that we do have Code Scanning alerts (https://github.com/containerbase/base/security/code-scanning?query=branch%3Amain+tool%3ATrivy) that have been good to keep an eye on findings

That being said (cc @nabeelsaabna) we should be able to get this onto the Mend SCA tooling, which should give us a similar view