feat: add trivy vulnerability check #1159
Conversation
emanuelaepure10
force-pushed
the
feat/ING-4183
branch
16 times, most recently
from
1bab9bf
to
6207067
Compare
emanuelaepure10
force-pushed
the
feat/ING-4183
branch
from
6207067
to
cec5ca1
Compare
emanuelaepure10
force-pushed
the
feat/ING-4183
branch
4 times, most recently
from
e734261
to
a1967a1
Compare
trivy-results.sarif
Outdated
| @@ -0,0 +1,185 @@ | |||
| { | |||
There was a problem hiding this comment.
I don't think this file should be added, rather added to .gitignore?
| # separate terms of service, privacy policy, and support | ||
| # documentation. | ||
|
|
||
| name: Trivy vulnerability scanner |
There was a problem hiding this comment.
Since we need a built hale studio to scan in rootfs mode I think it would make more sense to integrate the scan into a workflow that anyway already creates a hale studio artifact.
There was a problem hiding this comment.
sure. But this can be done as well after we understood which tool we like the most, right?
There was a problem hiding this comment.
Do you refer to trivy and codeql?
In my view both serve different purposes so both should be included.
There was a problem hiding this comment.
Also in my view Trivy and CodeQL have different focuses, they complement each other very well and using them both we can cover both dependency vulnerabilities and code-level issues, but I thought that trivy is favourite and we care less about the rest :-)
There was a problem hiding this comment.
@emanuelaepure10 So can we proceed in that you adapt the trivy scan to scan the product, or what would be your plan?
Trivy and CodeQL vulnerabilities check are added the GitHub Actions workflows. ING-4183
emanuelaepure10
force-pushed
the
feat/ING-4183
branch
from
a1967a1
to
39a97bc
Compare
Trivy vulnerability check is added the GitHub Actions workflows.
ING-4183