ci: add container scanning to default checks #2870
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
zondervancalvez
requested review from
petermetz,
takeutak,
izuru0,
jagpreetsinghsasan,
VRamakrishna and
sandeepnRES
as code owners
zondervancalvez
force-pushed
the
zondervancalvez/issue1876
branch
from
606d9a5
to
dba6d22
Compare
takeutak
approved these changes
Nov 13, 2023
jagpreetsinghsasan
requested changes
Nov 14, 2023
zondervancalvez
force-pushed
the
zondervancalvez/issue1876
branch
from
dba6d22
to
229502f
Compare
petermetz
requested changes
Dec 1, 2023
There was a problem hiding this comment.
@zondervancalvez ^^ Please see @jagpreetsinghsasan 's comment above!
zondervancalvez
force-pushed
the
zondervancalvez/issue1876
branch
from
229502f
to
24c7850
Compare
zondervancalvez
force-pushed
the
zondervancalvez/issue1876
branch
from
24c7850
to
a6bb8b4
Compare
petermetz
requested changes
Feb 21, 2024
There was a problem hiding this comment.
@zondervancalvez Please enable the trivy scanning for the production images (right now I see some AIO test images that are being tested that we can omit and save resources - but I also see one or two of the production images listed below that do not have the trivy scan added)
ghcr-cmd-api-server
ghcr-connector-besu
ghcr-connector-corda-server
ghcr-connector-fabric
ghcr-keychain-vault-server
zondervancalvez
force-pushed
the
zondervancalvez/issue1876
branch
3 times, most recently
from
d10e3ee
to
043d86c
Compare
zondervancalvez
force-pushed
the
zondervancalvez/issue1876
branch
5 times, most recently
from
6c496c3
to
d820fa3
Compare
petermetz
requested changes
Mar 28, 2024
zondervancalvez
force-pushed
the
zondervancalvez/issue1876
branch
from
d820fa3
to
2eeca3f
Compare
zondervancalvez
force-pushed
the
zondervancalvez/issue1876
branch
from
2eeca3f
to
273b859
Compare
petermetz
requested changes
Apr 4, 2024
zondervancalvez
force-pushed
the
zondervancalvez/issue1876
branch
2 times, most recently
from
d7fa656
to
f8b00ff
Compare
petermetz
approved these changes
Apr 4, 2024
|
@jagpreetsinghsasan Have your review points been addressed? I think I saw that the trivy checks are now part of the same job that builds the container so there is no duplicate builds being performed. |
petermetz
requested changes
May 20, 2024
There was a problem hiding this comment.
@jagpreetsinghsasan Great, thank you!
@zondervancalvez Please resolve the merge conflicts and pass it back for review and then we can merge!
Trivy is a cutting-edge security tool designed to enhance the safety of containerized applications by conducting thorough vulnerability assessments. Specifically developed for scanning container images, ranging from low-severity issues to critical threats. It employs an intelligent rating system to categorize vulnerabilities based on their severity levels, ensuring that high to critical vulnerabilities are given special attention. Upon detecting vulnerabilities that fall within this elevated range, Trivy will throw an error. By integrating Trivy into our deployment pipeline, we can proactively mitigate security risks and enhance the resilience of our repository. Fixes hyperledger#1876 Depends On: hyperledger#2865 Depends On: hyperledger#2864 Depends On: hyperledger#2863 Depends On: hyperledger#2862 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>
zondervancalvez
force-pushed
the
zondervancalvez/issue1876
branch
from
f8b00ff
to
eb6dbdf
Compare
petermetz
approved these changes
May 21, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Trivy is a cutting-edge security tool designed to enhance the safety of containerized applications by conducting thorough vulnerability assessments. Specifically developed for scanning container images, ranging from low-severity issues to critical threats. It employs an intelligent rating system to categorize vulnerabilities based on their severity levels, ensuring that high to critical vulnerabilities are given special attention. Upon detecting vulnerabilities that fall within this elevated range, Trivy will throw an error.
By integrating Trivy into our deployment pipeline, we can proactively mitigate security risks and enhance the resilience of our repository.
Fixes #1876
Depends On: #2865
Depends On: #2864
Depends On: #2863
Depends On: #2862
Pull Request Requirements
upstream/mainbranch and squashed into single commit to help maintainers review it more efficient and to avoid spaghetti git commit graphs that obfuscate which commit did exactly what change, when and, why.-sflag when usinggit commitcommand. You may refer to this link for more information.Character Limit
A Must Read for Beginners
For rebasing and squashing, here's a must read guide for beginners.