
GitHub action for Security scanning of sdlc, engine and studio containers #360

Closed · 4 tasks
maoo opened this issue Mar 12, 2021 · 8 comments
Labels: Engine (Legend Engine component), good first issue (Good for newcomers), SDLC (Legend SDLC component), Stale, Studio (Legend Studio component)

Comments


maoo commented Mar 12, 2021

Feature Request

Description of Problem:

All images published on https://hub.docker.com/u/finos are not scanned for security vulnerabilities; it seems a rather simple feature to enable, given the large amount of tools available, especially for open source projects, which nicely integrate into GitHub Actions.

Tasks:

  • Identify a shortlist of GitHub Actions and/or Apps that perform vulnerability scanning of Docker images
  • Fork sdlc, engine and studio repos, testing solutions
  • If a PR introduces a vulnerability, the PR should fail
  • If the image built by GitHub Action contains a vulnerability, the release action should fail (and the image must not be published on Docker Hub)
@maoo maoo added Engine Legend Engine component good first issue Good for newcomers SDLC Legend SDLC component Studio Legend Studio component labels Mar 12, 2021
@maoo maoo self-assigned this Mar 12, 2021

maoo commented Mar 12, 2021

I've played a bit with https://github.com/marketplace/actions/anchore-container-scan , and it seems quite easy to run it as a GitHub Action; here's an initial idea:

  1. Copy publish-docker.sh into build-docker.sh, to take care of the local build of the image
  2. Change the release.yml logic to 1) build docker image 2) scan it 3) publish it
  3. Add build:docker script to package.json

This is what I came up with - finos/legend-studio@master...maoo:master

@akphi @epsstan - wdyt?
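As an added example (not the project's release.yml, and not the diff linked in the comment above), here is one way to lay out the three steps just described as a single workflow: build the image locally, scan it, and publish only if the scan step succeeds. It uses Trivy, one of the scanners named later in this thread, through the aquasecurity/trivy-action; the image name, the commit-SHA tag scheme, the triggers and the secret names are assumptions for illustration.

```yaml
# Added example (not the project's own workflow): build -> scan -> publish,
# arranged so that a scan failure stops the job before anything is pushed.
# Image name, tag scheme, triggers and secret names are assumptions.
name: Build, scan and publish image

on:
  pull_request:          # PR check: build + scan only, never publish
  push:
    tags: ['v*']         # release: build + scan + publish

env:
  # Assumed image name; tagging with the commit SHA means the image that is
  # scanned is exactly the image that is later pushed.
  IMAGE: finos/legend-studio:${{ github.sha }}

jobs:
  image:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      # 1) Build locally; nothing leaves the runner at this point.
      - name: Build image
        run: docker build -t "$IMAGE" .

      # 2) Scan the local image. exit-code '1' turns any finding at or above
      #    the listed severities into a step failure, which fails the job here.
      - name: Scan image with Trivy
        uses: aquasecurity/trivy-action@master   # pin to a commit SHA in a real workflow
        with:
          image-ref: ${{ env.IMAGE }}
          format: table
          exit-code: '1'
          ignore-unfixed: true        # do not block on findings with no upstream fix
          severity: CRITICAL,HIGH

      # 3) Publish only on a tag push. Steps run in order and a failed step
      #    aborts the job, so a failed scan never reaches these steps.
      - name: Log in to Docker Hub
        if: startsWith(github.ref, 'refs/tags/')
        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Push image
        if: startsWith(github.ref, 'refs/tags/')
        run: |
          TAG="${GITHUB_REF#refs/tags/}"
          docker tag "$IMAGE" "finos/legend-studio:${TAG}"
          docker push "finos/legend-studio:${TAG}"
```

Two points worth checking when adapting this: the same job serves the "PR should fail" task, because on a pull_request event the publish steps are skipped by their `if:` condition while the scan still gates the check; and `ignore-unfixed` is a policy choice, since dropping it makes the gate stricter but will block releases on base-image CVEs that no package update can fix yet. Pinning the third-party actions to a commit SHA rather than a branch keeps the scanner itself out of the supply-chain risk the workflow is meant to reduce.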


akphi commented Mar 13, 2021

@maoo Great idea! My only wish is they have some automation like Whitesource to scan from the Dockerfile instead of having to build :D. Seems like for us now we need to write a little bash script to build from our Dockerfile (or use docker actions). Then run this action I think.

Studio image is a mere wrapper around finos/legend-engine-server image. So maybe scanning it wouldn't be necessary. But maybe it is :D, I'll see if I can experiment with it


akphi commented Mar 14, 2021

@maoo I just added some PRs for this. Our images are fairly basic 😭 But yep, after toying around with anchore for a while, I consider this anchore/scan-action#87 a deal-breaker to me so I have moved on to try out https://github.com/Azure/container-scan which uses trivy underneath and seems like a pretty solid choice. I'm still testing out a bit, but I think these PRs are quite ready to go.

I'll check with @pierredebelen to see what he thinks, and go on to implement this with the rest of the stack


maoo commented Mar 14, 2021

Great progress @akphi !

Re. the simplicity of containers and the importance of scanning, I believe that scanning everything would give consumers peace of mind even before knowing how these images are built (and their inherited security); if there's a badge that states that images are (continuously) scanned, I think it will help consumption a lot.

Great to hear about container-scan , I'm looking forward to seeing it in action. Please let me know if you need some help!


epsstan commented Mar 19, 2021

> I've played a bit with https://github.com/marketplace/actions/anchore-container-scan , and it seems quite easy to run it as a GitHub Action; here's an initial idea:
>
>   1. Copy publish-docker.sh into build-docker.sh, to take care of the local build of the image
>   2. Change the release.yml logic to 1) build docker image 2) scan it 3) publish it
>   3. Add build:docker script to package.json
>
> This is what I came up with - finos/legend-studio@master...maoo:master
>
> @akphi @epsstan - wdyt?

@maoo I have not heard about anchore. Clair and klar seem to be popular options. Gitlab has switched from Clair to Trivy [1].
I suggest we use one of the popular tools with the most comprehensive CVE database.

[1] https://docs.gitlab.com/ee/user/application_security/container_scanning/


akphi commented Mar 19, 2021

@epsstan container-scan is used by Azure and it uses Trivy underneath, it also has Dockle to help scan the code quality for Docker image.

@finos-admin

This issue is stale because it has been open for 30 days with no activity. Please remove stale label or add any comment to keep this open. Otherwise this will be closed in 5 days.

@finos-admin

This issue was closed because it has been inactive for 35 days. Please re-open if this issue is still relevant.
