
✨(ci) add security scan #429

Merged
merged 4 commits into from
Nov 5, 2024
Conversation

@rouja rouja commented Sep 27, 2024

Add a security scan for CVE with trivy

@mjeammet mjeammet force-pushed the add-trivy-scan branch 2 times, most recently from 52db560 to fd9a1ec Compare September 30, 2024 13:07
@Morendil Morendil force-pushed the add-trivy-scan branch 2 times, most recently from 09662b3 to ce884b3 Compare October 30, 2024 10:36
@Morendil Morendil self-requested a review October 30, 2024 10:52

@Morendil Morendil left a comment

I notice that the build jobs frequently fail with the following error message (reformatted for clarity):

2024-10-30T10:48:12Z	FATAL	Fatal error
  image scan error:
  scan error:
  scan failed:
  failed analysis:
  analyze error:
  pipeline error:
  failed to analyze layer (sha256:e4e85ef47ed5564337c653adcb6f9f3760ead021d1cd0691a29a1ac57fd6f5b0):
  post analysis error: Unable to initialize the Java DB:
  Java DB update failed: DB download error: oci download error:
  failed to fetch the layer:
  GET https://ghcr.io/v2/aquasecurity/trivy-java-db/blobs/sha256:a18f04a942e33d9ffd8cf1ab4d35a09f88936e0729cdd4171dea0aa15a0e457c:
  TOOMANYREQUESTS: retry-after: 80.883µs, allowed: 44000/minute

This is troublesome; we've been trying to reduce noise/instability in the build…

This is a known Trivy issue aquasecurity/trivy#7538

I don't think this can be fixed within this PR; it will require changing the trivy action.

@@ -1,4 +1,5 @@
name: Docker Hub Workflow
run-name: Docker Hub Workflow
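Review bot: the added `run-name` line carries the same static string as `name`, so it adds nothing to the run list and only raises the question asked below. `run-name` exists to give each workflow run its own display name and accepts expressions (for example the triggering actor or the branch), so either drop the line or give it a per-run value, and record the reason in a comment next to it so it does not have to be re-asked in the next review.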
Any particular reason to use run-name over name? (I don't think this is a blocker for merging the PR, but if there is a practical reason, it might be useful to document it…)

@Morendil

See #500 for a version of this PR without the fixes applied, showing the Trivy report with CVEs.


Morendil commented Nov 4, 2024

After discussion with @mjeammet a good solution would be to make this an optional check in CI. Will look into that.

rouja added 3 commits November 5, 2024 14:54
Add a security scan for CVE with trivy
Use alpine version for production image instead of debian in order
to have less CVEs.
Use alpine version for production image instead of debian in order
to have less CVEs.
Separate security scan from build-and-push, so we can make it optional in CI

@Morendil Morendil left a comment


Extracted the scan from build-and-push so an occasional failure for non-security reasons will not block merging or require re-running jobs.
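The two decisions discussed in this thread (keeping the Trivy database download away from the rate-limited ghcr.io endpoint seen in the error above, and running the scan as a separate, optional job so a scanner outage cannot block a merge) can be expressed in one workflow. The following is an added illustration, not the workflow from this repository: the image name `example/app`, the build command, the trigger section and the database mirror addresses are assumptions, and the mirror addresses in particular should be checked against Trivy's current DB documentation before use.

```yaml
name: Docker Hub Workflow

on:
  push:
    branches: [main]
  pull_request:

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Placeholder build; the real build-and-push steps of the project go here.
      - name: Build image
        run: docker build -t example/app:${{ github.sha }} .

  # Separate job: a Trivy DB download failure no longer fails build-and-push.
  security-scan:
    runs-on: ubuntu-latest
    # Keep the workflow run green when this job fails, and leave the job out of
    # the branch's required status checks so it stays informational.
    continue-on-error: true
    env:
      # Assumption: fetch both vulnerability databases from a mirror instead of
      # ghcr.io, which returned TOOMANYREQUESTS in the failing builds above.
      TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
      TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
    steps:
      - uses: actions/checkout@v4
      # Images do not carry over between jobs without a push or an artifact,
      # so the scan job rebuilds the image it inspects.
      - name: Build image for scanning
        run: docker build -t example/app:${{ github.sha }} .
      - name: Scan image with Trivy
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: example/app:${{ github.sha }}
          format: table
          exit-code: '1'          # fail this job when findings are present
          ignore-unfixed: true    # CVEs with no upstream fix are reported, not fatal
          vuln-type: os,library
          severity: CRITICAL,HIGH
```

`continue-on-error` at job level only stops the job from failing the workflow run; whether the job blocks a merge is decided by the branch's required status checks, so the job must also be absent from that list for the scan to be truly optional. The `exit-code: '1'` setting is still useful in that arrangement: the job shows red when the image has CRITICAL or HIGH findings, which is the signal reviewers look for, without holding up an unrelated merge.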

@Morendil Morendil merged commit 821db27 into main Nov 5, 2024
20 checks passed
@Morendil Morendil deleted the add-trivy-scan branch November 5, 2024 14:21