feat: add trivy vulnerability check #1159
base: master
Conversation
1bab9bf to 6207067
6207067 to cec5ca1
e734261 to a1967a1
trivy-results.sarif
@@ -0,0 +1,185 @@ | |||
{ |
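Review bot: a generated scan report should not be checked into the repository; trivy-results.sarif is scanner output that changes on every run and goes stale the moment a new advisory is published, so committing it as a new 185-line file only creates noise in the history. Add the file to .gitignore and have the workflow that produces it upload it (as a run artifact or to code scanning) instead.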
I don't think this file should be added; rather, it should be added to .gitignore?
# separate terms of service, privacy policy, and support | ||
# documentation. | ||
|
||
name: Trivy vulnerability scanner |
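Review bot: the leading comment block is the GitHub starter-workflow template boilerplate (the "separate terms of service, privacy policy, and support documentation" text is the generic notice about third-party actions), so it does not document anything about this project. Replace it with a short comment stating what the workflow scans (source tree or built product), in which Trivy mode, and where the results are published, so a reader of the file can tell what coverage it provides.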
Since we need a built hale studio to scan in rootfs mode, I think it would make more sense to integrate the scan into a workflow that already creates a hale studio artifact anyway.
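One workflow shape for the suggestion above, as an added example rather than the project's own code: build first, then run Trivy in rootfs mode against the built output and publish the SARIF instead of committing it. The build command, the output directory and the pinned action versions are assumptions, not hale studio's actual build.

```yaml
# Added example (not the project's own workflow): build the product, then
# scan the built output in rootfs mode and publish the report.
name: Build and scan product

on:
  push:
    branches: [master]
  pull_request:
  schedule:
    - cron: '0 3 * * 1'   # weekly rescan catches advisories published after the last build

permissions:
  contents: read
  security-events: write   # required to upload SARIF to code scanning

jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # PLACEHOLDER: replace with the project's real build step; it must
      # produce the directory that is scanned below.
      - name: Build product
        run: ./build-product.sh --output build/product

      # rootfs mode scans the unpacked product (bundled jars, native libs,
      # OS packages) rather than the source tree, so it only makes sense
      # after the build step above has run.
      - name: Scan built product with Trivy
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: 'rootfs'
          scan-ref: 'build/product'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          ignore-unfixed: true

      # The SARIF goes to the Security tab and is kept as a run artifact;
      # it is never written back into the repository.
      - name: Upload results to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'

      - name: Keep the report as a run artifact
        uses: actions/upload-artifact@v4
        with:
          name: trivy-results
          path: trivy-results.sarif
```

With this layout trivy-results.sarif only ever exists inside the runner, so the .gitignore entry discussed above becomes a safety net rather than the main control.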
Sure. But this can be done as well after we have understood which tool we like the most, right?
Do you refer to Trivy and CodeQL?
In my view both serve different purposes, so both should be included.
Also in my view Trivy and CodeQL have different focuses; they complement each other very well, and using them both we can cover both dependency vulnerabilities and code-level issues. But I thought that Trivy is the favourite and we care less about the rest :-)
@emanuelaepure10 So can we proceed in that you adapt the trivy scan to scan the product, or what would be your plan?
Trivy and CodeQL vulnerability checks are added to the GitHub Actions workflows. ING-4183
a1967a1 to 39a97bc
Trivy vulnerability check is added to the GitHub Actions workflows.
ING-4183