[feat][ci] Add Trivy container scan Github workflow #22063
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit introduces a Github Actions workflow that runs a Trivy container scan on the following Docker containers: - apachepulsar/pulsar:3.2.0 - apachepulsar/pulsar-all:3.2.0 The workflow runs daily @ 0800 UTC and if it finds any vulnerabilities of HIGH or CRITICAL severity it sends an email including the report to the Pulsar DEV mailing list as well as upload the report to the workflow run in Github.
onobc
added
type/feature
onobc
commented
Feb 16, 2024
onobc
commented
Feb 16, 2024
onobc
commented
Feb 16, 2024
onobc
commented
Feb 16, 2024
onobc
commented
Feb 16, 2024
merlimat
approved these changes
Feb 29, 2024
lhotari
requested changes
Feb 29, 2024
- removed email - removed choice of report format
- removed upload report step
merlimat
reviewed
Mar 28, 2024
lhotari
approved these changes
Mar 28, 2024
Technoboy-
pushed a commit
to Technoboy-/pulsar
that referenced
this pull request
Apr 1, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit introduces a Github Actions workflow that runs a Trivy container scan on the following Docker containers:
The workflow runs daily @ 0800 UTC and if it finds any vulnerabilities of HIGH or CRITICAL severity it sends an email including the report to the Pulsar DEV mailing list as well as upload the report to the workflow run in Github.
Motivation
Our dependencies are currently scanned via the OWASP dependency checker but we have nothing checking on the vulnerability of our published Docker containers.
Modifications
As described in the summary, this adds a scheduled workflow that uses Trivy to run a scan against our published Docker containers.
Verifying this change
As always, Github Actions workflow are a pain to test. I have tested this one in isolation in prototype repository and it works well. We will not be able to verify it until it gets merged into mainline branch.
Does this pull request potentially affect one of the following parts:
If the box was checked, please highlight the changes
Documentation
docdoc-requireddoc-not-neededdoc-completeMatching PR in forked repository
PR in forked repository: onobc#4
I tested this thoroughly in a personal repo before submitting this PR. Here is what the output looks like:
Github Actions UI
Generated email
Attached email report
Note
This is the report in
tableformat, we could instead usejson