Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IT-3421: Add vulnerability scanning to repo #6

Merged
merged 75 commits into from
Jul 30, 2024
Merged

IT-3421: Add vulnerability scanning to repo #6

merged 75 commits into from
Jul 30, 2024

Conversation

brucehoff
Copy link
Contributor

@brucehoff brucehoff commented Jul 25, 2024
edited
Loading

This PR adds vulnerability scanning to the repo' using Trivy.
The workflow to build and publish a container will fail if there are HIGH or CRITICAL findings.
There is also a daily scan to see if there are new, major vulnerabilities for already published containers.
When a container image IS published, in addition to being published to the tag major.minor.patch,
it is published to the tag major.minor. This allows us to make security updates to existing containers.

brucehoff added 30 commits July 7, 2024 12:19
@brucehoff
IT-3421 Add Trivy source code vulnerability scan
f488f21
@brucehoff
IT-3421 Make Trivy more sensitive
5cf5b24
@brucehoff
IT-3421: Add workflow steps to run Trivy on built image, publish resu…
9ad58e0 
…lts, and stop if Trivy fails
@brucehoff
IT-3421: fix build for non-tagged push
0f3f7f6
@brucehoff
IT-3421: use format; check for failure in trivy step
5d955e3
@brucehoff
IT-3421: fix syntax error
216ca1f
@brucehoff
IT-3421: fix syntax error
417ad58
@brucehoff
IT3421: change exit 1 to 0 as a test
d0ca03c
@brucehoff
IT3421: formatting
5d269e0
@brucehoff
IT3421: set permissions for writing security events
585de74
@brucehoff
IT-3421 trim down permissions
cbd4ab4
@brucehoff
IT-3421 experiment: don't stop on Trivy failure
86b0d1d
@brucehoff
IT-3421 pass tags to both Docker steps
376131d
@brucehoff
IT-3421 Determine default tags earlier in workflow
6fe1bc0
@brucehoff
IT-3421: printing mmp, mm values
0ab8f7f
@brucehoff
IT-3421: printing mmp, mm values
a12d9c3
@brucehoff
IT-3421 debug: reverse the order for defining mm and mmp
9ff4092
@brucehoff
IT-3421: Debugging output vars
d77878a
@brucehoff
IT-3421: Debugging output vars
d4eca18
@brucehoff
IT-3421 use metadata-action to create Mm and Mmp Docker tags
2b2922c
@brucehoff
IT-3421 whitespace
99ae85a
@brucehoff
IT-3421: added periodic scan and .trivyignore
f873eec
@brucehoff
IT-3421 fix sarif file name
979d4a4
@brucehoff
IT-3421 add start and end chars to .yml
9935fb3
@brucehoff
IT-3421 change cron frequency
8b3bf52
@brucehoff
IT-3421: Suppress private key finding
d6019b9
@brucehoff
IT-3421: Add skip-files
ae4a328
@brucehoff
IT_3421: debugging cron
2e8b5be
@brucehoff
IT-3421: factored trivy into separate GitHub workflow file
f1065a1
@brucehoff
IT-3421: cleaned up workflows
7e2dd99
brucehoff added 23 commits July 23, 2024 21:04
@brucehoff
IT-3421: fixed image-ref
b58e0ed
@brucehoff
IT-3421: fixed image-ref
3d7d944
@brucehoff
IT-3421: fixed image-ref
040e482
@brucehoff
IT-3421: try changing 'tar' to 'osi' in Docker output
9490ce1
@brucehoff
IT-3421: try changing 'tar' to 'oci' in Docker output
d4f656f
@brucehoff
IT-3421: back to 'tar'
220559c
@brucehoff
IT-3421: load docker image instead of reading .tar
54efa92
@brucehoff
IT-3421: use docker import not docker load
64cb354
@brucehoff
IT-3421: Revert to docker 'load'; download .tar to /tmp; export from …
a25b9e6 
…docker using 'type=docker'
@brucehoff
IT-3421: Trying type=tar & docker load & download to /tmp
f837fe5
@brucehoff
IT-3421: Switch load to import again
181ca83
@brucehoff
IT-3421: Use 'docker import' in 'push-image' job
a3644b4
@brucehoff
IT-3421: Fixed error in 'push-image' job
8849d44
@brucehoff
IT-3421: Fixed line breaks
5891670
@brucehoff
IT-3421: Added build to needs for push-image job
7fe6e1f
@brucehoff
IT-3421: Adding checkout to push job
aeb7f64
@brucehoff
IT-3421: list images
2160adf
@brucehoff
IT-3421: push built image
aa0bee8
@brucehoff
IT-3421: testing failure; adding Readme doc'
77540cc
@brucehoff
IT-3421: fixed passing of EXIT_CODE; added comments
eee6dc6
@brucehoff
IT-3421 clean up white space
671c540
@brucehoff
performed TODOs
d47c52a
@brucehoff
fixed comment
1430396
@brucehoff brucehoff requested a review from a team July 25, 2024 21:57
zaro0508
zaro0508 requested changes Jul 26, 2024
View reviewed changes
.github/workflows/docker_build_push.yml Show resolved Hide resolved
.github/workflows/trivy.yml Show resolved Hide resolved
.github/workflows/trivy.yml Show resolved Hide resolved
.github/workflows/trivy_periodic_image_scan.yml Show resolved Hide resolved
@brucehoff brucehoff requested review from zaro0508 and a team July 28, 2024 23:04
zaro0508
zaro0508 approved these changes Jul 29, 2024
View reviewed changes
.github/workflows/trivy.yml Show resolved Hide resolved
.github/workflows/trivy.yml Show resolved Hide resolved
.github/workflows/trivy_periodic_image_scan.yml Show resolved Hide resolved
@brucehoff brucehoff merged commit 8e3f938 into Sage-Bionetworks-IT:main Jul 30, 2024
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zaro0508 zaro0508 zaro0508 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@brucehoff @zaro0508