GitHub action for Security scanning of sdlc, engine and studio containers #360
Comments
I've played a bit with https://github.com/marketplace/actions/anchore-container-scan , and it seems quite easy to run it as a GitHub Action; here's an initial idea:
This is what I came up with - finos/legend-studio@master...maoo:master
@maoo Great idea! My only wish is they have some automation like Whitesource to scan from the Dockerfile instead of having to build :D. Seems like for us now we need to write a little bash script to build from our Dockerfile (or use docker actions). Then run this action I think. Studio image is a mere wrapper around
@maoo I just added some PRs for this. Our images are fairly basic 😭 But yep, after toying around with I'll check with @pierredebelen to see what he thinks, and go on to implement this with the rest of the stack
Great progress @akphi! Re. the simplicity of containers and the importance of scanning, I believe that scanning everything would give consumers peace of mind even before knowing how these images are built (and their inherited security); if there's a badge that states that images are (continuously) scanned, I think it will help consumption a lot. Great to hear about container-scan, I'm looking forward to seeing it in action. Please let me know if you need some help!
@maoo I have not heard about anchore. Clair and klar seem to be popular options. Gitlab has switched from Clair to Trivy [1]. [1] https://docs.gitlab.com/ee/user/application_security/container_scanning/
@epsstan
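Putting the two suggestions in this thread together (build the image locally from the Dockerfile as @akphi describes, then run the Anchore scan action; Trivy as the alternative @epsstan raises), here is an added example workflow. It is not code from the finos/legend-studio repository or from anyone in this thread. The Dockerfile path, the local image tag, the severity thresholds and the action version tags are assumptions to adjust; check each action's README for its current inputs.

```yaml
# Added example workflow (not the project's own): build from the Dockerfile in CI,
# then scan the resulting image with Anchore's scan-action (Grype) and, as a second
# job, Trivy. Dockerfile path, image tag, thresholds and version tags are assumptions.
name: container-scan

on:
  push:
    branches: [master]
  pull_request:
  schedule:
    - cron: '0 6 * * *'   # daily rescan catches CVEs published after the image was built

jobs:
  anchore:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload SARIF to the Security tab
    steps:
      - uses: actions/checkout@v4

      # Build locally rather than pulling from Docker Hub, so a PR is scanned
      # before anything is published. "./Dockerfile" is an assumed path.
      - name: Build image from Dockerfile
        run: docker build -f ./Dockerfile -t local/studio:${{ github.sha }} .

      - name: Scan with Anchore (Grype)
        id: scan
        uses: anchore/scan-action@v4
        with:
          image: local/studio:${{ github.sha }}
          fail-build: true          # fail the job on findings at or above the cutoff
          severity-cutoff: high
          output-format: sarif

      # Upload even when the scan step failed, so findings show up on the PR.
      - name: Upload Anchore results
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

  trivy:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Build image from Dockerfile
        run: docker build -f ./Dockerfile -t local/studio:${{ github.sha }} .

      - name: Scan with Trivy
        uses: aquasecurity/trivy-action@0.24.0   # pin to a release tag or commit SHA
        with:
          image-ref: local/studio:${{ github.sha }}
          format: table
          exit-code: '1'            # non-zero exit fails the job on matching findings
          ignore-unfixed: true      # don't block on issues with no vendor fix yet
          severity: CRITICAL,HIGH
```

Building the image inside the job is what makes pull-request scanning possible at all: the published Docker Hub image only exists after merge. The scheduled run is the part that gives the "continuously scanned" badge meaning, since an image that has not changed can still acquire new findings as advisories are published.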
This issue is stale because it has been open for 30 days with no activity. Please remove stale label or add any comment to keep this open. Otherwise this will be closed in 5 days.
This issue was closed because it has been inactive for 35 days. Please re-open if this issue is still relevant.
Feature Request
Description of Problem:
None of the images published on https://hub.docker.com/u/finos are scanned for security vulnerabilities; it seems a rather simple feature to enable, given the large number of tools available, especially for open source projects, which integrate nicely into GitHub Actions.
Tasks: