ci: add container scanning to default checks #1876

petermetz · 2022-02-23T06:01:32Z

Description

As a maintainer I want to have automated security scans running on our containers so that I'm a tiny bit more confident that we are doing a good job of keeping our code as secure as possible.

https://github.com/Azure/container-scan

Acceptance Criteria

Add a GH Action workflow that uses the container scanning action linked above
The scan must run through all the images that are currently being built by the CI (see all the files matching the path pattern .github/workflows/*-publish.yaml for a list of these)
If the scans return errors, then create sub-tasks for each scanning error that is of a high or critical severity security issue.
The check itself must be passing
The checks must run on every PR that builds images - if the checks take too long (e.g. hours) then we might consider only running them upon merge onto main but this is not preferred.

2023-06-14 Update:

The azure container scan [1] project has been deprecated in the meantime so we have to look for another alternative that is free, open source software that we can use for the same purpose.
[1] https://github.com/Azure/container-scan

The text was updated successfully, but these errors were encountered:

zondervancalvez · 2022-03-01T06:01:09Z

Hi @petermetz, please assign this to me. Thanks.

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>

petermetz · 2022-03-31T07:23:07Z

@zondervancalvez More info I discovered while doing the scans: It might be more practical to have our own workflow that runs trivy (a part of the azure container scan tool I linked in the description of the issue above).
Not saying that this is the way for sure, but it might be a more flexible option. I'll let you investigate the details of it.

Fixes hyperledger-cacti#1876 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>

Trivy is a cutting-edge security tool designed to enhance the safety of containerized applications by conducting thorough vulnerability assessments. Specifically developed for scanning container images, ranging from low-severity issues to critical threats. It employs an intelligent rating system to categorize vulnerabilities based on their severity levels, ensuring that high to critical vulnerabilities are given special attention. Upon detecting vulnerabilities that fall within this elevated range, Trivy will throw an error. By integrating Trivy into our deployment pipeline, we can proactively mitigate security risks and enhance the resilience of our repository. Fixes hyperledger-cacti#1876 Depends On: hyperledger-cacti#2121 Depends On: hyperledger-cacti#2135 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>

zondervancalvez · 2023-09-21T07:43:06Z

I'll continue to work on this ticket but using Trivy container scan. I will redo the vulnerability scan using Trivy for the closed tickets that used Azure scan before.

the safety of containerized applications by conducting thorough vulnerability assessments. Specifically developed for scanning container images, ranging from low-severity issues to critical threats. It employs an intelligent rating system to categorize vulnerabilities based on their severity levels, ensuring that high to critical vulnerabilities are given special attention. Upon detecting vulnerabilities that fall within this elevated range, Trivy will throw an error. By integrating Trivy into our deployment pipeline, we can proactively mitigate security risks and enhance the resilience of our repository. Fixes hyperledger#1876 Depends On: hyperledger#2865 Depends On: hyperledger#2864 Depends On: hyperledger#2863 Depends On: hyperledger#2862 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>

Trivy is a cutting-edge security tool designed to enhance the safety of containerized applications by conducting thorough vulnerability assessments. Specifically developed for scanning container images, ranging from low-severity issues to critical threats. It employs an intelligent rating system to categorize vulnerabilities based on their severity levels, ensuring that high to critical vulnerabilities are given special attention. Upon detecting vulnerabilities that fall within this elevated range, Trivy will throw an error. By integrating Trivy into our deployment pipeline, we can proactively mitigate security risks and enhance the resilience of our repository. Fixes hyperledger#1876 Depends On: hyperledger#2865 Depends On: hyperledger#2864 Depends On: hyperledger#2863 Depends On: hyperledger#2862 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>

Trivy is a cutting-edge security tool designed to enhance the safety of containerized applications by conducting thorough vulnerability assessments. Specifically developed for scanning container images, ranging from low-severity issues to critical threats. It employs an intelligent rating system to categorize vulnerabilities based on their severity levels, ensuring that high to critical vulnerabilities are given special attention. Upon detecting vulnerabilities that fall within this elevated range, Trivy will throw an error. By integrating Trivy into our deployment pipeline, we can proactively mitigate security risks and enhance the resilience of our repository. Fixes hyperledger-cacti#1876 Depends On: hyperledger-cacti#2121 Depends On: hyperledger-cacti#2135 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>

Trivy is a cutting-edge security tool designed to enhance the safety of containerized applications by conducting thorough vulnerability assessments. Specifically developed for scanning container images, ranging from low-severity issues to critical threats. It employs an intelligent rating system to categorize vulnerabilities based on their severity levels, ensuring that high to critical vulnerabilities are given special attention. Upon detecting vulnerabilities that fall within this elevated range, Trivy will throw an error. By integrating Trivy into our deployment pipeline, we can proactively mitigate security risks and enhance the resilience of our repository. Fixes hyperledger#1876 Depends On: hyperledger#2865 Depends On: hyperledger#2864 Depends On: hyperledger#2863 Depends On: hyperledger#2862 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>

aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Mar 22, 2022

ci: add container scanning to default checks hyperledger-cacti#1876

0d6bc5c

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>

petermetz assigned zondervancalvez Mar 31, 2022

zondervancalvez added a commit to zondervancalvez/cactus that referenced this issue Apr 20, 2022

ci: add container scanning to default checks

403ed9d

Fixes hyperledger-cacti#1876 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>

zondervancalvez added a commit to zondervancalvez/cactus that referenced this issue Apr 21, 2022

ci: add container scanning to default checks

f1686a5

Fixes hyperledger-cacti#1876 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>

zondervancalvez added a commit to zondervancalvez/cactus that referenced this issue Apr 21, 2022

ci: add container scanning to default checks

2d14f4b

Fixes hyperledger-cacti#1876 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>

zondervancalvez added a commit to zondervancalvez/cactus that referenced this issue Apr 29, 2022

ci: add container scanning to default checks

259a56e

Fixes hyperledger-cacti#1876 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>

zondervancalvez added a commit to zondervancalvez/cactus that referenced this issue May 6, 2022

ci: add container scanning to default checks

9e624d7

Fixes hyperledger-cacti#1876 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>

zondervancalvez added a commit to zondervancalvez/cactus that referenced this issue May 6, 2022

ci: add container scanning to default checks

67b509e

Fixes hyperledger-cacti#1876 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>

zondervancalvez added a commit to zondervancalvez/cactus that referenced this issue May 6, 2022

ci: add container scanning to default checks

5027524

Fixes hyperledger-cacti#1876 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>

zondervancalvez added a commit to zondervancalvez/cactus that referenced this issue May 6, 2022

ci: add container scanning to default checks

f785b18

Fixes hyperledger-cacti#1876 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>

zondervancalvez added a commit to zondervancalvez/cactus that referenced this issue May 6, 2022

ci: add container scanning to default checks

1030e6b

Fixes hyperledger-cacti#1876 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>

zondervancalvez added a commit to zondervancalvez/cactus that referenced this issue May 6, 2022

ci: add container scanning to default checks

8742ac7

Fixes hyperledger-cacti#1876 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>

zondervancalvez added a commit to zondervancalvez/cactus that referenced this issue May 6, 2022

ci: add container scanning to default checks

1328efb

Fixes hyperledger-cacti#1876 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>

zondervancalvez added a commit to zondervancalvez/cactus that referenced this issue May 6, 2022

ci: add container scanning to default checks

eea5e89

Fixes hyperledger-cacti#1876 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>

zondervancalvez added a commit to zondervancalvez/cactus that referenced this issue May 11, 2022

ci: add container scanning to default checks

716bcde

Fixes hyperledger-cacti#1876 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>

zondervancalvez added a commit to zondervancalvez/cactus that referenced this issue May 11, 2022

ci: add container scanning to default checks

f4d5be7

Fixes hyperledger-cacti#1876 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>

zondervancalvez added a commit to zondervancalvez/cactus that referenced this issue May 11, 2022

ci: add container scanning to default checks

58fdfb4

Fixes hyperledger-cacti#1876 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>

zondervancalvez added a commit to zondervancalvez/cactus that referenced this issue May 11, 2022

ci: add container scanning to default checks

82e7175

Fixes hyperledger-cacti#1876 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>

zondervancalvez added a commit to zondervancalvez/cactus that referenced this issue May 11, 2022

ci: add container scanning to default checks

a3e0534

Fixes hyperledger-cacti#1876 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>

zondervancalvez added a commit to zondervancalvez/cactus that referenced this issue May 11, 2022

ci: add container scanning to default checks

af728ed

Fixes hyperledger-cacti#1876 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>

zondervancalvez added a commit to zondervancalvez/cactus that referenced this issue May 11, 2022

ci: add container scanning to default checks

a5d7cfb

Fixes hyperledger-cacti#1876 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>

zondervancalvez added a commit to zondervancalvez/cactus that referenced this issue May 11, 2022

ci: add container scanning to default checks

fcccc30

Fixes hyperledger-cacti#1876 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>

jagpreetsinghsasan moved this from Done to In Progress in Cacti_Scrum_Project_v2_Release Sep 21, 2023

jagpreetsinghsasan reopened this Oct 20, 2023

zondervancalvez mentioned this issue Nov 10, 2023

ci: add container scanning to default checks #2870

Merged

5 tasks

zondervancalvez moved this from In Progress to In review in Cacti_Scrum_Project_v2_Release Nov 14, 2023

petermetz closed this as completed in #2870 May 21, 2024

github-project-automation bot moved this from In review to Done in Cacti_Scrum_Project_v2_Release May 21, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci: add container scanning to default checks #1876

ci: add container scanning to default checks #1876

petermetz commented Feb 23, 2022 •

edited

Loading

zondervancalvez commented Mar 1, 2022

petermetz commented Mar 31, 2022

zondervancalvez commented Sep 21, 2023

ci: add container scanning to default checks #1876

ci: add container scanning to default checks #1876

Comments

petermetz commented Feb 23, 2022 • edited Loading

Description

Acceptance Criteria

zondervancalvez commented Mar 1, 2022

petermetz commented Mar 31, 2022

zondervancalvez commented Sep 21, 2023

petermetz commented Feb 23, 2022 •

edited

Loading