Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ubuntu vulnerability container image scan #1637

Open
wants to merge 14 commits into
base: master
Choose a base branch
from
Open

Ubuntu vulnerability container image scan #1637

wants to merge 14 commits into from

Conversation

rfuelsh
Copy link
Member

@rfuelsh rfuelsh commented Jan 29, 2024

Implement ubuntu vunerability container scan into container image build-publish process

actions is based on: https://github.com/marketplace/actions/container-scan#scan-image

@rfuelsh rfuelsh requested a review from Voxelot January 29, 2024 20:55
@rfuelsh rfuelsh self-assigned this Jan 29, 2024
@Voxelot Voxelot added the no changelog Skip the CI check of the changelog modification label Jan 29, 2024
@rfuelsh rfuelsh requested a review from xgreenx January 30, 2024 00:57
xgreenx
xgreenx reviewed Jan 30, 2024
View reviewed changes
Copy link
Collaborator

@xgreenx xgreenx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, since the crazy-max/ghaction-container-scan@v3 action is maintained by someone else, it potentially allows them to nullify this check by updating the action to do nothing. Maybe it may make sense to fork this action into the Fuel organization and use it instead.

@rfuelsh
Copy link
Member Author

rfuelsh commented Jan 30, 2024

@xgreenx - maybe that is something @Voxelot can chime in- i don't have those github permissions to fork repos I believe

@Voxelot
Copy link
Member

Voxelot commented Jan 30, 2024

Agree - this action seems to have a small community. We should audit the action and likely fork it to ensure it doesn't become a malicious attack vector.

@rfuelsh
Copy link
Member Author

rfuelsh commented Jan 31, 2024

@Voxelot - would it better to investigate another action or can you assist with the forking on this action code repo? (I don't have the fork repo permissions I think)

@Voxelot
Copy link
Member

Voxelot commented Feb 5, 2024

I've created a fork here: https://github.com/FuelLabs/ghaction-container-scan

Looking through the code it seems like a pretty lightweight wrapper around trivy, but we could have appsec review it as well.

@rfuelsh rfuelsh mentioned this pull request Feb 7, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@xgreenx xgreenx xgreenx left review comments

@Voxelot Voxelot Awaiting requested review from Voxelot

At least 1 approving review is required to merge this pull request.

Assignees

@rfuelsh rfuelsh

Labels
no changelog Skip the CI check of the changelog modification security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@rfuelsh @Voxelot @xgreenx