Add trivy vulnerability scanning to GHA #5683
Merged
Author
Failing jobs are once again the dagger runners, not related to this PR
jpadams approved these changes Aug 24, 2023
LGTM! Great improvement.
I did the local version of this with

```shell
git clone https://github.com/dagger/dagger
cd dagger
gh pr checkout 5683
./hack/dev
trivy image --input ./bin/engine.tar
```

```
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```
Will be great to get this into a Zenith check in the near future! 🚀
kpenfound pushed a commit to kpenfound/dagger that referenced this pull request Aug 24, 2023

```
* engine: upgrade golang.org/x/net

Signed-off-by: Erik Sipsma <erik@dagger.io>

* Add trivy vulnerability scanning to GHA workflows.

Signed-off-by: Erik Sipsma <erik@dagger.io>

* use more readable format for gha trivy output

Signed-off-by: Erik Sipsma <erik@dagger.io>

* add guidance on addressing vulnerabilities to CONTRIBUTING.md

Signed-off-by: Erik Sipsma <erik@dagger.io>

---------

Signed-off-by: Erik Sipsma <erik@dagger.io>
Signed-off-by: kpenfound <kyle@dagger.io>
```
Adds trivy scanning of our engine image to GHA workflows:
`./bin/engine.tar`

Currently, the job only scans for `CRITICAL` and `HIGH` vulnerabilities, cc @samalba @jpadams, easy to change if we care about lower severities; after the fix earlier today trivy no longer reports any vulnerabilities at any level, so we could safely scan for all severities if it's important to us.

Obviously though there's a balance to be made between scanning for all severities and not forcing devs to spend time hunting down random dependencies that have vulnerabilities below `HIGH` (which can become extremely non-trivial if it's a many-layers-deep transitive dep that we can't just fix by upgrading our go.mod).

I earlier tried docker scout, but backed out because:

`out of bounds` panic, so it seems to be still in an early rough state (it did work on Linux for me FWIW). If there's strong reasons to prefer it, then we can obviously add some dockerhub credentials to our GHA jobs and take the risk it might cost us money in the future, but it didn't seem like the right starting place at this exact moment.
I verified the PR GHA job works by temporarily reverting my earlier fix, it failed as expected: https://github.com/dagger/dagger/actions/runs/5957590220/job/16160498504?pr=5683
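As an added example (not code from this PR or the dagger project), here is a small Python gate over trivy's JSON report (`trivy image --format json --input ./bin/engine.tar`) that fails only on the severities the PR chose, CRITICAL and HIGH, reports lower findings as warnings, and reproduces trivy's `Total:` summary line. The sample report and its vulnerability IDs are constructed placeholders, and the `ignore_unfixed` option is an assumption of mine for the transitive-dependency case the PR mentions, not a setting the PR describes.

```python
import json
from collections import Counter

# Severity ranking used by trivy; the PR gates on HIGH and CRITICAL only.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

def iter_findings(report):
    """Yield (target, vulnerability) pairs from a trivy JSON report (SchemaVersion 2 layout)."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key is null/absent when a target is clean
            yield result.get("Target", "?"), vuln

def summarize(report):
    """Count findings per severity, one bucket per trivy severity level."""
    counts = Counter({sev: 0 for sev in SEVERITY_ORDER})
    for _, vuln in iter_findings(report):
        counts[vuln.get("Severity", "UNKNOWN")] += 1
    return counts

def format_total(counts):
    """Render the counts like trivy's table footer, e.g. 'Total: 0 (UNKNOWN: 0, LOW: 0, ...)'."""
    parts = ", ".join(f"{sev}: {counts[sev]}" for sev in SEVERITY_ORDER)
    return f"Total: {sum(counts.values())} ({parts})"

def gate(report, fail_at="HIGH", ignore_unfixed=False):
    """Return (passed, messages). Findings at or above fail_at block; lower ones are warnings only.
    ignore_unfixed=True (assumed option) downgrades findings with no FixedVersion to warnings, so a
    transitive dep with no upstream fix does not block merges while still being visible in the log."""
    threshold = SEVERITY_ORDER.index(fail_at)
    failures, warnings = [], []
    for target, vuln in iter_findings(report):
        sev = vuln.get("Severity", "UNKNOWN")
        fixed = vuln.get("FixedVersion") or ""
        desc = (f"{vuln['VulnerabilityID']} {vuln['PkgName']} {vuln['InstalledVersion']}"
                f" -> {fixed or 'no fix available'} [{sev}] in {target}")
        blocking = SEVERITY_ORDER.index(sev) >= threshold and not (ignore_unfixed and not fixed)
        (failures if blocking else warnings).append(desc)
    messages = [f"FAIL {d}" for d in failures] + [f"WARN {d}" for d in warnings]
    return not failures, messages

# Constructed sample report in trivy's JSON layout; IDs and versions are placeholders, not real CVEs.
SAMPLE_REPORT = json.loads("""{"SchemaVersion": 2, "ArtifactName": "engine.tar", "Results": [
  {"Target": "engine.tar (alpine)", "Class": "os-pkgs", "Vulnerabilities": null},
  {"Target": "usr/local/bin/dagger-engine", "Class": "lang-pkgs", "Type": "gobinary", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-PLACEHOLDER-1", "PkgName": "golang.org/x/net",
     "InstalledVersion": "v0.0.0-old", "FixedVersion": "v0.0.0-new", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-PLACEHOLDER-2", "PkgName": "example.com/transitive",
     "InstalledVersion": "v1.2.3", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-PLACEHOLDER-3", "PkgName": "example.com/other",
     "InstalledVersion": "v2.0.0", "FixedVersion": "v2.0.1", "Severity": "MEDIUM"}]}]}""")
```

In a workflow step, `passed, messages = gate(json.load(open("trivy.json")))` followed by printing the messages and exiting non-zero when `passed` is false gives the same CRITICAL/HIGH gating the PR configures, with the lower-severity findings still visible in the job log.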