Add dependency security check using trivy #1163

Merged
merged 10 commits into from
Sep 3, 2022

Conversation

lafriks
Contributor

@lafriks lafriks commented Sep 3, 2022

Fixes #899

This could also be done for the Docker image security check, but that would probably require building the Docker image to a tar file, so I did not add that in this PR.

I usually do this with steps like these:

  docker-dryrun:
    image: thegeeklab/drone-docker-buildx:20
    settings:
      registry: xxx
      username:
        from_secret: docker_username
      password:
        from_secret: docker_password
      repo: xxx/${CI_REPO_OWNER}/${CI_REPO_NAME}
      tags: test
      dry_run: true
      output: type=oci,dest=${CI_REPO_OWNER}-${CI_REPO_NAME}.tar
    when:
      event:
      - pull_request

  docker-image-security-check:
    image: aquasec/trivy:latest
    commands:
      - trivy image --exit-code 0 --severity UNKNOWN,LOW --input ${CI_REPO_OWNER}-${CI_REPO_NAME}.tar
      - trivy image --exit-code 1 --severity MEDIUM,HIGH,CRITICAL --input ${CI_REPO_OWNER}-${CI_REPO_NAME}.tar
    when:
      event:
        - pull_request
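
An added example (not part of this PR or the Woodpecker project): the same two-tier severity policy as the two `trivy image` commands above, applied to a Trivy `--format json` report so that UNKNOWN/LOW findings are only reported while MEDIUM, HIGH and CRITICAL fail the step. The report below is a constructed sample in Trivy's JSON shape, trimmed to the fields used; the CVE ids are placeholders.

```python
"""Severity gate over a Trivy JSON report (constructed sample, not real scan output)."""
import json
import sys

# Same split as the two trivy invocations in the pipeline: report, then fail.
REPORT_ONLY = {"UNKNOWN", "LOW"}
FAIL_ON = {"MEDIUM", "HIGH", "CRITICAL"}

# Constructed sample in the shape of `trivy image --format json` output.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "example.tar (alpine 3.16)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libfoo",
             "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "LOW"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libbar",
             "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"},
        ]},
        # Trivy emits null (not an empty list) for a target with no findings.
        {"Target": "usr/bin/app", "Vulnerabilities": None},
    ]
})


def findings_by_tier(report_json):
    """Return (report_only, failing) lists of (target, id, pkg, severity) tuples."""
    report_only, failing = [], []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # handles the null case
            row = (result["Target"], v["VulnerabilityID"], v["PkgName"], v["Severity"])
            if v["Severity"] in FAIL_ON:
                failing.append(row)
            elif v["Severity"] in REPORT_ONLY:
                report_only.append(row)
    return report_only, failing


def gate(report_json):
    """Exit status for the CI step: 0 = pass, 1 = at least one failing finding."""
    report_only, failing = findings_by_tier(report_json)
    for row in report_only:
        print("WARN", *row)
    for row in failing:
        print("FAIL", *row)
    return 1 if failing else 0


if __name__ == "__main__":
    # Pass a report file as the only argument; without one, the sample is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(data))
```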

@6543 6543 added security build CI pipeline related labels Sep 3, 2022
@6543 6543 added this to the 1.0.0 milestone Sep 3, 2022
@6543
Member

6543 commented Sep 3, 2022

well before we can merge it, I guess we have to bump frontend deps ...

... which we also should do for the release branch as long as possible ...

@lafriks
Contributor Author

lafriks commented Sep 3, 2022

should I fix security issues here or on other PR?

@6543
Member

6543 commented Sep 3, 2022

I don't mind ...

... a separate pull might be better in terms of backporting

@lafriks
Contributor Author

lafriks commented Sep 3, 2022

I changed it to not fail the security check step for docs, as it does not seem to be fixable at the moment 😕

@woodpecker-bot
Collaborator

woodpecker-bot commented Sep 3, 2022

Deployment of preview was successful: https://woodpecker-ci-woodpecker-pr-1163.surge.sh

@6543 6543 merged commit d5cdd2b into woodpecker-ci:master Sep 3, 2022
@6543 6543 deleted the feat/trivy_deps_check branch September 3, 2022 18:46
@6543
Member

6543 commented Sep 4, 2022

-> https://github.com/aquasecurity/trivy/pull/2823

Successfully merging this pull request may close these issues.

Add tool to check vulnerabilities in go dependencies