Image scanning #1291

Merged
merged 10 commits into from
May 24, 2022

Conversation

HarshCasper
Contributor

Think of this PR as more of a discussion.

Changes introduced in this PR:

  • Move Dockerfile linting before the Docker build process
  • Add security scanning using trivy

Types of changes

What types of changes does your PR introduce?

Put an x in the boxes that apply

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds a feature)
  • Breaking change (fix or feature that would cause existing features to not work as expected)
  • Documentation Update
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes, no API changes)
  • Build related changes
  • Other (please describe):

Testing

Requires testing

  • Yes
  • No

In case you checked yes, did you write tests?

  • Yes
  • No

Further comments

This PR is a step ahead for DevSecOps tooling integration for QHub CI, as discussed in this issue #891.

For implementing container scanning, I looked into various tools:

By going through blogs and resource materials, it appeared that Trivy might suit our needs to implement a container security CI before publishing Docker images. In this regard, the Azure Container Scan was a good option, but its timeout failure while scanning large images was a serious blocker.

To tackle this, I looked into the official Trivy action and given the fact that it is open-source and fairly easy to set up, I have integrated it.

I would love to hear what others have to say about this proposed change!

@viniciusdc
Contributor

viniciusdc commented May 19, 2022

Hi @HarshCasper, it seems I was able to fix the issue: you were passing an array to the image-ref field, which is not supported. I added an extra var to pick the first one*. Also, there are two things I just noticed:

  • Updating the Trivy DB takes some time, if it's not cached we might need to transform this step into a CRON job -- separated from PRs
  • There are no current error logs from Trivy step, is there a debug mode we can use?

*We might need to pick the second one, now that I think about it, because the SHA is more detailed than the tag.

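A minimal workflow showing the ordering this PR adopts (lint the Dockerfile first, then build, then scan a single image-ref with Trivy), written here as an added example rather than the PR's own workflow; the image name, the hadolint-in-docker lint step, and the severity threshold are assumptions.

```yaml
name: Build and scan image

on:
  pull_request:

jobs:
  build-scan:
    runs-on: ubuntu-latest
    env:
      # Assumed image name; the real workflow uses QHub's own image names.
      IMAGE: ghcr.io/example-org/example-image
    steps:
      - uses: actions/checkout@v3

      # Lint before spending CI time on the build (hadolint is an assumption;
      # the PR only says linting moves ahead of the build step).
      - name: Lint Dockerfile
        run: docker run --rm -i hadolint/hadolint < Dockerfile

      - name: Build image
        run: |
          # Tag with the commit SHA so the ref handed to Trivy is unambiguous.
          docker build -t "$IMAGE:$GITHUB_SHA" .

      # image-ref takes ONE reference, not a list: pass the SHA-tagged ref,
      # which is the more specific of the two candidates discussed above.
      - name: Scan image with Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.IMAGE }}:${{ github.sha }}
          format: table
          exit-code: '1'          # fail the job when findings remain
          ignore-unfixed: true    # skip CVEs with no fixed version yet
          severity: CRITICAL,HIGH
```

Trivy downloads its vulnerability DB on each run unless that directory is cached, which is the cost the comment above suggests moving to a scheduled job.
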
@viniciusdc
Contributor

As a matter of fact, code-server seems to be using trivy as well, and it looks really good as a policy standard: https://github.com/coder/code-server/security/policy

@costrouc costrouc merged commit 37e5fb4 into main May 24, 2022
@costrouc costrouc deleted the image-scanning branch May 24, 2022 15:34