
Create security scan script #2731

Merged
merged 3 commits into from
Jun 11, 2024

Conversation

hansinikarunarathne

@hansinikarunarathne hansinikarunarathne commented May 26, 2024


✏️ A brief description of the changes

  1. I added a script for the security vulnerability scan with Trivy.

  2. I added the image-extraction part of extract_images.sh to trivy_scan.sh.

  3. The script creates security scanning reports for each image in a WG. Those scan reports are saved as JSON in docs/image_lists/security_scan_reports/{WG_names}.

  4. Security counts of all images related to the WG groups are saved in docs/image_lists/severity_counts_with_images_for_WG.

  5. A summary of all security scan counts is saved in summary_of_severity_counts_for_WG in JSON and table formats.

  6. Created the GitHub Action that runs when a PR merges to master, to automate the whole process and print the table.

  7. The trivy_scan.sh file inside the hack folder can also be run manually.


@juliusvonkohout

juliusvonkohout commented May 27, 2024

Please extend and rename the extract_images script to provide all of this information at once. You can still name it trivy_scan.sh.
Please provide per-working-group and total information similar to the extract_images scripts.

So trivy_scan.sh should do all of this.

For non-pullable images you can just output a warning and otherwise ignore them.

@google-oss-prow google-oss-prow bot added size/M and removed size/S labels May 27, 2024
@juliusvonkohout

juliusvonkohout commented May 27, 2024

You need to generate per-working-group lists and a total list, and generate this table


WG1_images.txt WG1_CVEs.json
WG2_images.txt WG2_CVEs.json
...
total_images.txt total_CVEs.json

Afterwards you can add a GitHub Action workflow to generate this table on merges to master.
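The aggregation the reviewer asks for (severity counts per working group plus a total row, printed as a table), as an added Python example that is not the PR's trivy_scan.sh: it reads the shape of Trivy's JSON report (`Results[].Vulnerabilities[].Severity`), treats a result without a `Vulnerabilities` key as zero findings (Trivy omits the key for clean targets), and folds unrecognised severity labels into UNKNOWN. The WG names, image names and CVE ids are constructed placeholders, and the table is rendered without the prettytable dependency mentioned later in the review.

```python
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

# Constructed sample Trivy JSON reports, trimmed to the fields this script reads.
SAMPLE_REPORTS = {
    "example-wg-a": [
        {"ArtifactName": "example.invalid/img-a:1.0", "Results": [
            {"Target": "img-a (debian 12)", "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0001", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-EXAMPLE-0002", "Severity": "HIGH"}]},
            {"Target": "Python", "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0003", "Severity": "MEDIUM"}]}]},
        # Trivy omits "Vulnerabilities" for a clean target; this must not crash.
        {"ArtifactName": "example.invalid/img-b:1.0",
         "Results": [{"Target": "img-b (alpine 3.19)"}]}],
    "example-wg-b": [
        {"ArtifactName": "example.invalid/img-c:2.0", "Results": [
            {"Target": "img-c (ubuntu 22.04)", "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0004", "Severity": "LOW"},
                {"VulnerabilityID": "CVE-EXAMPLE-0005", "Severity": "bogus"}]}]}],
}

def count_severities(report):
    """Severity counts for one image report; unrecognised labels fold into UNKNOWN."""
    counts = Counter({s: 0 for s in SEVERITIES})
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            counts[sev if sev in SEVERITIES else "UNKNOWN"] += 1
    return dict(counts)

def summarize(reports_by_wg):
    """Per-WG counts plus a 'total' row: the per-WG/total split asked for in review."""
    summary, total = {}, Counter({s: 0 for s in SEVERITIES})
    for wg, reports in reports_by_wg.items():
        wg_counts = Counter({s: 0 for s in SEVERITIES})
        for report in reports:
            wg_counts.update(count_severities(report))
        summary[wg] = dict(wg_counts)
        total.update(wg_counts)
    summary["total"] = dict(total)
    return summary

def render_table(summary):
    """Plain-text table; avoids the prettytable dependency raised in review."""
    rows = [["WG", *SEVERITIES]] + [[wg, *(str(c[s]) for s in SEVERITIES)] for wg, c in summary.items()]
    widths = [max(len(x) for x in col) for col in zip(*rows)]
    return "\n".join(" | ".join(x.ljust(w) for x, w in zip(r, widths)) for r in rows)
```

Feeding the real per-WG report directories in (one parsed JSON file per image) in place of SAMPLE_REPORTS gives the same summary dict and table the PR writes out.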

@juliusvonkohout

Please be aware of #2733

@hansinikarunarathne

> You need to generate per-working-group lists and a total list, and generate this table
>
> WG1_images.txt WG1_CVEs.json
> WG2_images.txt WG2_CVEs.json
> ...
> total_images.txt total_CVEs.json
>
> Afterwards you can add a GitHub Action workflow to generate this table on merges to master.

I automated the trivy_scan process and created a GitHub Action to run the Trivy scanning process and print the table.
You can find my GitHub Action in my forked repository of Kubeflow: https://github.com/hansinikarunarathne/kubeflow-manifests/actions/runs/9431495509

screenshot of the table


chmod +x trivy_scan.sh
./trivy_scan.sh

# Upload the artifact
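Review bot: the `chmod +x trivy_scan.sh` step before `./trivy_scan.sh` suggests the script is committed without its executable bit; setting the mode in git (`git update-index --chmod=+x hack/trivy_scan.sh`) makes the bit part of the tracked file, so the workflow step and the manual run from the hack folder mentioned in the description behave the same without a chmod.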

Can you comment out the upload part for now? We do not want external dependencies.

- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: '3.10'
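Review bot: `uses: actions/setup-python@v5` pins a moving major tag; for a workflow that runs on every merge to master, pin the action to a full commit SHA with the version in a trailing comment (e.g. `uses: actions/setup-python@<commit-sha> # v5`, where `<commit-sha>` is a placeholder) so the step is reproducible and a retagged release cannot change what runs.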

@juliusvonkohout juliusvonkohout Jun 10, 2024


Please use the latest Python available in the base image

@@ -0,0 +1,248 @@
# !/usr/bin/env bash
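Review bot: the first line `# !/usr/bin/env bash` has a space after `#`, so it is an ordinary comment rather than a shebang; when the workflow runs `./trivy_scan.sh` the kernel finds no interpreter line and the script is executed by the caller's fallback shell, which may not be bash. Change it to `#!/usr/bin/env bash` (no space).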


Do we want to migrate to python entirely for that script? What do you think @hansinikarunarathne

@juliusvonkohout

juliusvonkohout commented Jun 10, 2024

The dependencies should be checked and installed if not available, e.g. prettytable and trivy, if someone runs this locally on Ubuntu or Fedora.

@hansinikarunarathne hansinikarunarathne force-pushed the master branch 3 times, most recently from 5cb4768 to d840117 Compare June 10, 2024 14:02
@juliusvonkohout

/lgtm
/approve

Let's follow up with the remaining stuff in a new PR.

@google-oss-prow google-oss-prow bot added the lgtm label Jun 11, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: juliusvonkohout


@google-oss-prow google-oss-prow bot merged commit 94c6135 into kubeflow:master Jun 11, 2024
3 checks passed

doncorsean pushed a commit to doncorsean/kubeflow-manifests that referenced this pull request Jul 18, 2024
* Automate scanning for security vulnerabilities in images of WGs

Signed-off-by: Hansini Karunarathne <hansini.20@cse.mrt.ac.lk>

* Fixed an issue in trivy_scan.yaml and trivy_scan.sh

Signed-off-by: Hansini Karunarathne <hansini.20@cse.mrt.ac.lk>

* Did requested changes in trivy.yaml

Signed-off-by: Hansini Karunarathne <hansini.20@cse.mrt.ac.lk>

---------

Signed-off-by: Hansini Karunarathne <hansini.20@cse.mrt.ac.lk>