Re-introduce container vulnerability scanning #171
Comments
|
Note: let's run this after merges to the |
|
This was attempted in #172, but the resulting GitHub Actions jobs are failing, including after some fixup attempts. Reverting for now. |
|
After attempting all that and reviewing some of the build log failure messages: I'm not sure that Snyk's container scanning action supports OCI images - I think it assumes that a local Docker daemon will be available as a registry. That's fine; theoretically it'd be possible to run a registry service, push the However I think it's worth pausing to do a bit of research to see whether there's a more streamlined approach that does support OCI containers, Snyk or otherwise. |
jayaddison
changed the title
jayaddison
changed the title
|
Anchore's scan action looks like an alternative that is worth considering; it supports OCI image scanning and is open source. I'm going to experiment with introducing it into the container publication workflow. |
|
The scanning rules used by the scan action come from a tool called Grype (also developed by Anchore), and their rule database is compiled from a list of publicly available sources: https://github.com/anchore/grype#grypes-database |
|
Container scanning is now enabled at release-time using the With reference to one of the tradeoffs from earlier in this thread:
Some visibility is currently configured; job logs include output to indicate whether the scan found medium-or-higher vulnerabilities, but details are not provided, by default (maintainers are able to see more). That seems reasonable currently. Thank you to @some-natalie for discussing a bunch of the practicalities of getting this working - I was going around in circles. |
...but during GitHub Actions workflows instead of the previous approach that relied upon local running of the script by users/developers.
The tradeoffs:
grocy-dockerusersReferences: #109 (comment), #170
The text was updated successfully, but these errors were encountered: