Implement uds scan in our release processes #63
Comments
This will require new uds - defenseunicorns/uds-common#148
We should probably just upload this as a release artifact when the release is created - I would advocate not including the vuln information in a package (or bundle) because it will get stale, and people inspecting it later (out of context of the GitHub action / release that generated it) may get a false sense of their vulnerability posture.
That is a good point @Racer159. Do you have a better idea on how to share/give it to users? People in the air gap will likely have limited data sets and work this way right now. There is likely a blend between a known state with a timestamp and notifying how long it has been since a new scan with an updated DB.
The thought was to just place the csv in the release in GitHub, and then for now we could aggregate them per customer (if that was desired by that customer) - right now the only bundle we make is for uds-prod, and given it is an automated deployment, the inclusion of these artifacts would not really get a chance to be reviewed.
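One way to make the "known state with a timestamp" idea concrete, as an added example that is not code from uds-cli, uds-security-hub or this thread: stamp the scan CSV with the time it was produced and have consumers check the age before trusting it. The `uds scan` invocation and its `--output-file` flag are assumptions; confirm them against the scan docs linked in the issue.

```shell
#!/usr/bin/env bash
# Added example (not part of uds-cli or uds-security-hub): record when a scan
# ran and flag results that have gone stale. The `uds scan` flags below are
# assumptions; confirm them against the scan docs linked in this issue.
set -euo pipefail

# Run the scan for one package and write a sidecar stamp next to the CSV.
# Both files are meant to be attached to the GitHub release, not baked into
# the package or bundle itself.
run_and_stamp() {
  local csv=$1 stamp=$2
  # ASSUMED invocation; adjust to the real flags for your package/tag.
  uds scan --output-file "$csv"
  date -u +%s > "$stamp"
}

# Age of a scan in whole days, read from its stamp file (epoch seconds).
scan_age_days() {
  local stamp=$1 now
  now=$(date -u +%s)
  echo $(( (now - $(cat "$stamp")) / 86400 ))
}

# Return 0 when the scan is at most $2 days old, 1 when it has gone stale.
scan_is_fresh() {
  local stamp=$1 max_days=$2
  [ "$(scan_age_days "$stamp")" -le "$max_days" ]
}

# Print a line a reviewer can read next to the CSV, so results pulled later
# (for example into an air-gapped environment) carry their own age warning.
describe_scan() {
  local stamp=$1 max_days=$2 age
  age=$(scan_age_days "$stamp")
  if scan_is_fresh "$stamp" "$max_days"; then
    echo "scan is $age day(s) old (limit $max_days); treat as current"
  else
    echo "scan is $age day(s) old (limit $max_days); re-run before relying on it"
  fi
}
```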
Couple of questions:
I was expecting to be able to scan a package from the local filesystem as part of build/release, but it looks like I might need to publish the package first and then let I think it would be nice to be able to scan a package without publishing it, especially for a dev workflow where a package maintainer is trying to get quick feedback on resolution of CVEs.
@ericwyles I would appreciate it if you could create that as an issue in https://github.com/defenseunicorns/uds-security-hub
@naveensrinivasan Added that here: defenseunicorns/uds-security-hub#61 Thanks!
@naveensrinivasan FYI the changes in defenseunicorns/uds-cli#622 for adding
We now have an option to pass local zarf packages. Also please use
@naveensrinivasan A couple of things we ran into implementing this, let me know if you want me to make issues for them:
Issue 2 above is actually less important if Issue 1 is fixed, because it won't be trying to pull images anyway then. Thanks!
@ericwyles With the change that @partkyle is making, we would address both. Thanks defenseunicorns/uds-security-hub#138
Describe what should be investigated or refactored
We should start to test out the new uds scan command as a part of our release process for each application package.
Links to any relevant code
https://uds.defenseunicorns.com/cli/quickstart-and-usage/#scan
Additional context
Needed for @naveensrinivasan and @eddiezane to get feedback on the tool.