Add scanning to released images and process to track vulnerabilities #28087
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #28087 +/- ##
=======================================
Coverage 64.00% 64.00%
=======================================
Files 1780 1780
Lines 170729 170729
Branches 4883 4883
=======================================
+ Hits 109268 109275 +7
+ Misses 52848 52841 -7
Partials 8613 8613
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
lucasmrod
requested review from
lukeheath,
georgekarrv,
sharon-fdm,
mostlikelee and
a team
as code owners
|
@sharon-fdm I'll defer to you to approve the workflow changes. |
.github/workflows/check-vulnerabilities-in-released-docker-images.yml
Outdated
Show resolved
Hide resolved
| mkdir trivy-download | ||
| cd trivy-download | ||
| curl -L https://github.com/aquasecurity/trivy/releases/download/v0.61.0/trivy_0.61.0_Linux-64bit.tar.gz --output trivy_0.61.0_Linux-64bit.tar.gz | ||
| tar -xf trivy_0.61.0_Linux-64bit.tar.gz | ||
| mv trivy .. | ||
| cd .. | ||
| chmod +x ./trivy |
There was a problem hiding this comment.
seems like a candidate for github action caching, but nbd if it doesn't take a long time
There was a problem hiding this comment.
Seems this step takes 13s. So maybe a-ok for now.
| run: | | ||
| RELEASES="${{ steps.get_latest_releases.outputs.FLEET_LATEST_RELEASES }}" | ||
| for version in $RELEASES; do | ||
| docker pull fleetdm/fleet:$version |
There was a problem hiding this comment.
where are we getting $version from here?
There was a problem hiding this comment.
for loop line above :)
|
Is the |
I added a comment around the |
| @@ -15,10 +15,6 @@ defaults: | |||
| # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference | |||
There was a problem hiding this comment.
Chat with Lucas:
We have Docker images to cross compile fleetd packages.
This is a github action check for vulns in them.
| @@ -0,0 +1,124 @@ | |||
| name: Check vulnerabilities in released docker images | |||
There was a problem hiding this comment.
Check for vulns in docker images that we have already released. (Fleet server)
| @@ -16,6 +16,8 @@ on: | |||
| - "website/**" | |||
There was a problem hiding this comment.
Check for vulns in fleet server docker images that were not yet released (As part of the release process)
| chmod +x ./trivy | ||
| ./trivy image \ | ||
| --exit-code=1 \ | ||
| --ignore-unfixed \ |
There was a problem hiding this comment.
From Lucas: Let's remove it cause we do want to see vulns that do not have a fix.
| @@ -0,0 +1,58 @@ | |||
| package main | |||
There was a problem hiding this comment.
A tool to get the N last Github releases of fleet.
| @@ -0,0 +1,102 @@ | |||
| package main | |||
There was a problem hiding this comment.
A tool to parse the CVE jsons and generates the status.md
For #25902.