🎉 implement trivy scanner #11892
🎉 implement trivy scanner #11892
Conversation
DryRun Security SummaryA new GitHub Actions workflow for Trivy vulnerability scanning is implemented, along with configuration files that include some security considerations around ignored vulnerabilities and excluded test directories. Expand for full summaryThe PR introduces a new GitHub Actions workflow for Trivy vulnerability scanning, adds a Security Findings:
Code AnalysisWe ran |
manuel-sommer
force-pushed
the
implement_trivy
branch
from
5a7aece to
e27f997
Compare
|
Feedback welcome @valentijnscholten @Maffooch @mtesauro |
manuel-sommer
force-pushed
the
implement_trivy
branch
from
7d7b752 to
e6a0ca6
Compare
|
Rebased because of #11891 |
|
I understand that it could be useful to scan applications with Trivy for vulnerabilities. What exact use case / process would we follow here and what goal do we want to achieve? Does it generate a report that is visible on the PR or Security Tab? Will it show a difference between existing vulnerabilities and new ones introduced by the PR? Or is it just a tool that generates some output that may or may not assist us in making decisions? |
|
WIth this PR we can get feedback about new introduced vulnerabilities within the upgrade process. With some packages (.e.g yarn) we are behind. In case we once work on upgrading these, it would be nice to have feedback which vulnerabilities are introduced with new packages. |
|
I wonder if this would be something better to run outside of PRs. Here's why. I'm a new contributor who writes a new parser for DefectDojo. It just so happens that libFoo.js has a vulnerability discovered right before I do my PR and it's used to create the charts in DefectDojo's metrics pages. I fail this test which has NOTHING to do with the code I'm trying to contribute. I'm just worried we're going to cause pain to our community for things that didn't do and don't have control over. Honestly, I'd rather write a cron job that pulls the containers we have in Docker Hub and runs Trivy and whatever else against those containers and pushes the results to a DefectDojo install. It might surprise you but DefectDojo Inc actually runs DefectDojo internally to manage our scan data. I'd be happy to add this to our automation and create PRs to update things that show up. The key difference is I'm choosing to take on that effort vs it getting dropped in the lap of a community contributor. Does that make sense? |
|
Thank you for the clarification @mtesauro. It does not surprise me that you use also DefectDojo yourself. |
Talking internally with Matt, we believe this would likely still be more churn than we would benefit from - even when running Trivy only on package updates from renovate/dependabot |
CVE-2024-37891 --> #11891
CVE-2024-6484 --> https://github.com/DefectDojo/django-DefectDojo/actions/runs/13506024016/job/37735642044?pr=11892 --> components/yarn.lock (bootstrap 3.4.1)