
Use Trivy more effectively #68

Merged
merged 5 commits into from
Apr 12, 2023

Conversation

jnschaeffer
Contributor

The current image scanning workflow leads to Trivy scans being run twice because the test action is run on both PRs and pushes to main. To rectify this, a new security action has been added in this PR that only runs on PRs to scan both the permissions-api Git repository and Docker image. Additionally, repo scanning has been added to the image-build action and a typo in the image tag to be scanned has been fixed.

The current image scanning workflow leads to Trivy scans being run
twice because the test action is run on both PRs and pushes to
main. To rectify this, a new security action has been added in this
commit that only runs on PRs to scan both the permissions-api Git
repository and Docker image. Additionally, repo scanning has been
added to the image-build action and a typo in the image tag to be
scanned has been fixed.

Signed-off-by: John Schaeffer <[email protected]>
fishnix previously approved these changes Apr 12, 2023
Contributor

@fishnix fishnix left a comment

lgtm! :shipit:

@jnschaeffer
Contributor Author

Doesn't look good to me - turns out Trivy caught some things it didn't like in the repo code 👼 It just didn't fail because I didn't have the exit code set.

Contributor

@fishnix fishnix left a comment

nice!

@jnschaeffer
Contributor Author

Decided to disable the config scanner on @JAORMX's advice and because DS0017 is yielding false positives, which seems to be a known issue: https://github.com/aquasecurity/defsec/issues/1235
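The following workflow is an added illustration of the approach described in the PR description and in the comment above about the exit code and the config scanner; it is not the permissions-api project's own workflow and nothing in this thread shows its actual YAML. It assumes a `Dockerfile` at the repository root, an image name of `permissions-api`, a `.github/workflows/security.yml` path, and trivy-action version `0.10.0`; the `severity` and `ignore-unfixed` thresholds are choices, not something the thread specifies. The two points the thread makes are `exit-code: '1'`, without which Trivy reports findings but the step still passes, and an explicit `scanners: vuln,secret` list, which leaves the misconfiguration scanner (the one that emits DS* Dockerfile check IDs such as DS0017) out of both the repository and image scans.

```yaml
# .github/workflows/security.yml  (assumed path; example only, not the
# project's own workflow)
name: security

# Trigger on pull requests only, so a change is scanned once instead of on
# both the PR and the later push to main.
on:
  pull_request:

permissions:
  contents: read

jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Scan the checked-out repository (dependencies, lockfiles, secrets).
      # exit-code: '1' makes findings fail the job; the default exit code
      # of 0 is why a scan can be red in the log and green in the checks.
      # Naming the scanners explicitly omits the misconfiguration scanner.
      - name: Scan repository
        uses: aquasecurity/trivy-action@0.10.0   # version is an assumption
        with:
          scan-type: fs
          scan-ref: .
          scanners: vuln,secret
          exit-code: '1'
          severity: HIGH,CRITICAL     # threshold is a choice, not from the PR
          ignore-unfixed: true        # likewise a choice

      # Build the image under a tag derived from the commit SHA and scan
      # exactly that tag, so the scanned ref cannot drift from the built
      # one. Assumes a root Dockerfile and the image name permissions-api.
      - name: Build image
        run: docker build -t permissions-api:${{ github.sha }} .

      - name: Scan image
        uses: aquasecurity/trivy-action@0.10.0
        with:
          scan-type: image
          image-ref: permissions-api:${{ github.sha }}
          scanners: vuln,secret
          exit-code: '1'
          severity: HIGH,CRITICAL
          ignore-unfixed: true
```

To confirm locally that the exit code actually gates, run `trivy fs --exit-code 1 --scanners vuln,secret .` in the repository and check `$?`: it is 1 when there are findings at or above the configured severity and 0 otherwise. One caveat of PR-only scanning is that vulnerabilities published after a merge are not picked up until the next PR touches the repository; a `schedule` trigger on the same job covers that gap.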

@jnschaeffer jnschaeffer merged commit fa28655 into infratographer:main Apr 12, 2023