[TEP-0079] Image Scanning for CVEs #871
Conversation
tekton-robot
added
the
size/L
tekton-robot
requested review from
jerop,
piyush-garg,
vdemeester and
vinamra28
|
/kind tep |
tekton-robot
added
the
kind/tep
|
/assign @jerop |
|
Here is a demo video I did in last week's Catalog WG: https://drive.google.com/file/d/1AKH2tPTp_LIeTT49BA4bWkIHgQKqqUzy/view |
| ``` | ||
| the container images used in the `pipelineTask` (i.e. `build-and-push`) will **not** be included in the security report. | ||
|
|
||
| If the `image` value (or part of the value) is specified by `params`, the default value of the `params` (if provided) are collected and used to run the security report. For example, `gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.40.2` is extracted from the following `task`: |
There was a problem hiding this comment.
how will you know that a given param is an image?
There was a problem hiding this comment.
We actually cannot really know if a given param is an image or not. The assumptions we are making are that:
- If a
step.imagefield exist and does not use a param, we use the value of thestep.imagedirectly - If a
step.imagereferences to a param, we assume the default value of the referenced param is a container image
If wrong values are specified in the step.image (either a wrong param pointer or invalid container value), the resource itself is invalid and therefore no vulnerability report will be generated for this step.
There was a problem hiding this comment.
makes sense, could you please include this detail to the TEP?
There was a problem hiding this comment.
Added in the latest commit, PTAL 😁
|
|
||
| #### Design Evaluation | ||
|
|
||
| This design builds on the existing infrastructure and the security report UI design of the Artifact Hub. A significant amount of engineering effort can be saved by leveraging the out-of-box features provided by the Artifact Hub. |
| ```yaml | ||
| apiVersion: tekton.dev/v1beta1 | ||
| kind: Pipeline | ||
| metadata: | ||
| name: demo-pipeline | ||
| ... |
There was a problem hiding this comment.
should we use Pipeline as an example here? Asking as we haven't laid out guidelines as how pipelines should be organised within the catalog. This might create confusion. @jerop @vdemeester please let me know your thoughts.
There was a problem hiding this comment.
I tend to agree with @vinamra28 on this. I feel we should give the example on the Task to start with 👼🏼
There was a problem hiding this comment.
Thanks for the feedback @vinamra28 and @vdemeester! I will use Task as the first example
I agree that pipeline is not the main focus of Catalog, but it is already surfaced as a "kind" in Artifact Hub, so I think it still worth adding a pipeline example and callout what tasks in the pipeline will/ won't be scanned?
| If a `pipeline` resource contains `pipelineTask` specified by `taskRef` for example: | ||
|
|
||
| ```yaml | ||
| tasks: | ||
| - name: build-image | ||
| taskRef: | ||
| name: build-and-push | ||
| ``` | ||
| the container images used in the `pipelineTask` (i.e. `build-and-push`) will **not** be included in the security report. |
There was a problem hiding this comment.
same as above. I guess we should avoid referring Pipeline here 🤔
| ```yaml | ||
| apiVersion: tekton.dev/v1beta1 | ||
| kind: Pipeline | ||
| metadata: | ||
| name: demo-pipeline | ||
| ... |
There was a problem hiding this comment.
I tend to agree with @vinamra28 on this. I feel we should give the example on the Task to start with 👼🏼
tekton-robot
added
the
approved
QuanZhang-William
force-pushed
the
tep-0079-CVEs-scanning
branch
from
e259a36
to
b822c07
Compare
There was a problem hiding this comment.
Cool demo 👏🏾
Happy to see the benefits of moving to Artifact Hub which has most of the functionality we need!
Thank you @QuanZhang-William!
|
|
||
| #### Extract Container Images from Catalogs | ||
|
|
||
| We propose to extract and collect all the container images used in the Tekton resource (`task` or `pipeline`) by iterating through all the values in the `tasks.steps.image` fields of the resource, for example, `bash:latest` and `alpine` are extracted in the following `task`: |
There was a problem hiding this comment.
Where are all the values going stored? How does this integrate with ArtifactHub?
Is the collection done per tag / release, on main?
There was a problem hiding this comment.
Hi @afrittoli, the container image strings will be stored in the Artifact Hub DB. There is a Tracker component in the Artifact Hub that will periodically pull the yaml files from the Github repo, do the above mentioned processing, and store the images in the DB.
And another component Scanner will also run periodically to generate the vulnerability report based on the container images prepared by Tracker
And yes, the collection is done per tag/release 😄
There was a problem hiding this comment.
Sounds good, thank you. Mind adding this info to the TEP? Thank you!!
There was a problem hiding this comment.
Hi @afrittoli, I did some minor update to explain the process better. PTAL
This commit updates the "Image Scanning for Common Vulnerabilities and Exposures" section of TEP-0079, which proposes to use Trivy as the CVEs scanning tool. It also proposes to integrate Tekton Catalogs to the Artifact Hub Scanner service to run the reports periodically and show the reports in the Artifact Hub UI. Signed-off-by: Quan Zhang <zhangquan@google.com>
QuanZhang-William
force-pushed
the
tep-0079-CVEs-scanning
branch
from
b822c07
to
d6df142
Compare
|
Hi @afrittoli, I added some clarification based on your questions, can you please take another look 😁 ? |
|
|
||
| #### Extract Container Images from Catalogs | ||
|
|
||
| We propose to extract and collect all the container images used in the Tekton resource (`task` or `pipeline`) by iterating through all the values in the `tasks.steps.image` fields of the resource, for example, `bash:latest` and `alpine` are extracted in the following `task`: |
There was a problem hiding this comment.
Sounds good, thank you. Mind adding this info to the TEP? Thank you!!
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: afrittoli, jerop, vdemeester The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
API WG - ready to merge ... /lgtm |
This commit updates the "Image Scanning for Common Vulnerabilities and Exposures" section of TEP-0079, which proposes to use Trivy as the CVEs scanning tool. It also proposes to integrate Tekton Catalogs to the Artifact Hub Scanner service to run the reports periodically and show the reports in the Artifact Hub UI.
Signed-off-by: Quan Zhang zhangquan@google.com