Implement a security scanner in the repository #329
Labels:
- area/build (Relates to the build process)
- effort/medium
- kind/build (Changes to the build plans or similar)
- priority/high
- triage/accepted (The issue was accepted and will be done)
Description
A suggestion is to use trivy: it is free and works pretty well.
Running it locally like so:
trivy fs --severity HIGH,CRITICAL --exit-code 1 --ignore-unfixed --skip-dirs "**/target/*" .
provides a lot of information about potential issues, most of which are fixed by newer versions of the affected packages.
How To Integrate
The suggestion is to detect the changes made in the current PR and fail the build if those changes carry a HIGH or CRITICAL vulnerability (up for debate; CRITICAL alone may be enough).
This is how to generate a report for a specific directory (it works with a single file too):
trivy fs --severity HIGH,CRITICAL --exit-code 1 --ignore-unfixed --skip-dirs "**/target/*" --scanners vuln,secret,misconfig common/artifact-manager/src/main/java/com/vmware/pscoe/iac/artifact
Trivy supports
--format github
whose output can later be published to the GitHub "Security" tab; see https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning for more info.
Github Action
Potentially the Trivy GitHub Action can be used to fulfil the above-mentioned requirements.
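As an added illustration of the "fail the build only for PR changes" idea (not code from this issue or the project), the script below reads a `trivy fs --format json` report plus the PR's changed-file list and exits non-zero only when a HIGH/CRITICAL finding lives in a file the PR touched. The JSON keys used (`Results`, `Target`, `Vulnerabilities`, `Severity`, ...) are Trivy's; the CI wiring in the docstring, the sample report and its CVE ids are constructed placeholders.

```python
"""Gate a PR on Trivy findings in files the PR changed (assumed CI wiring):
  trivy fs --format json --ignore-unfixed --skip-dirs "**/target/*" -o report.json .
  git diff --name-only origin/main...HEAD > changed.txt
  python trivy_pr_gate.py report.json changed.txt
"""
import json
import sys

BLOCKING = {"HIGH", "CRITICAL"}  # the issue proposes HIGH+CRITICAL (or CRITICAL only)


def blocking_findings(report: dict, changed: set, severities=BLOCKING) -> list:
    """Return vulnerabilities whose scan Target (e.g. a pom.xml) is a changed file."""
    hits = []
    for result in report.get("Results", []):
        target = result.get("Target", "")
        if target not in changed:
            continue  # finding is pre-existing, not introduced by this PR
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") in severities:
                hits.append({"target": target, "id": vuln.get("VulnerabilityID"),
                             "pkg": vuln.get("PkgName"), "severity": vuln["Severity"],
                             "installed": vuln.get("InstalledVersion"),
                             "fixed": vuln.get("FixedVersion")})
    return hits


# Constructed sample report in Trivy's JSON shape; CVE ids and versions are placeholders.
SAMPLE_REPORT = {"Results": [
    {"Target": "common/artifact-manager/pom.xml", "Type": "pom", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example:lib-a", "Severity": "HIGH",
         "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example:lib-b", "Severity": "LOW",
         "InstalledVersion": "2.0.0", "FixedVersion": "2.0.1"}]},
    {"Target": "other/pom.xml", "Type": "pom", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example:lib-c", "Severity": "CRITICAL",
         "InstalledVersion": "3.0.0", "FixedVersion": "3.1.0"}]}]}
SAMPLE_CHANGED = {"common/artifact-manager/pom.xml", "README.md"}  # constructed PR diff


def main(argv: list) -> int:
    if len(argv) == 3:
        with open(argv[1]) as f:
            report = json.load(f)
        with open(argv[2]) as f:
            changed = {line.strip() for line in f if line.strip()}
    else:
        report, changed = SAMPLE_REPORT, SAMPLE_CHANGED
    hits = blocking_findings(report, changed)
    for h in hits:
        print(f"{h['severity']} {h['id']} in {h['target']}: {h['pkg']} {h['installed']} -> fix {h['fixed']}")
    return 1 if hits else 0  # non-zero fails the build, like trivy --exit-code 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With no arguments it runs against the embedded sample, reporting only the HIGH finding in the changed pom.xml and ignoring the CRITICAL one in the untouched file.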
report.log