From 8961cbf262684b7e000fec6ee659dcbd3eb9a89b Mon Sep 17 00:00:00 2001
From: Jean-Philippe Evrard
Date: Thu, 10 Sep 2020 14:35:39 +0200
Subject: [PATCH] feat: Add security scanning into CI

Without this patch, there is no way we can see, in the development process, if the image we are about to publish is insecure. This is a problem as we might be releasing new versions of kured with outdated base image which contains vulnerabilities. This fixes it by creating a job which will show any eventual vulnerability.
---
 .github/containerscan/allowedlist.yaml | 7 +++++++
 .github/workflows/vulnerability-scan.yaml | 14 ++++++++++++++
 2 files changed, 21 insertions(+)
 create mode 100644 .github/containerscan/allowedlist.yaml
 create mode 100644 .github/workflows/vulnerability-scan.yaml
diff --git a/.github/containerscan/allowedlist.yaml b/.github/containerscan/allowedlist.yaml
new file mode 100644
index 0000000..843f197
--- /dev/null
+++ b/.github/containerscan/allowedlist.yaml
@@ -0,0 +1,7 @@
+general:
+ bestPracticeViolations:
+ # We violate this rule because we add kubectl from a remote location
+ # Instead of building it from source/copying it.
+ # Until we change our practices (e.g. have Dockerfile build kubectl
+ # in a multi-staged manner), we should skip this check
+ - CIS-DI-0009
diff --git a/.github/workflows/vulnerability-scan.yaml b/.github/workflows/vulnerability-scan.yaml
new file mode 100644
index 0000000..b5bb93b
--- /dev/null
+++ b/.github/workflows/vulnerability-scan.yaml
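Review bot: The `CIS-DI-0009` entry silences the check permanently with no pointer to the Dockerfile line it excuses or to a tracking issue, so the suppression will outlive the practice it was written for; add `# TODO(<issue>): drop once kubectl is built in a multi-stage Dockerfile` beside the entry so it is revisited. As the comment itself says, the rule fires because kubectl is fetched from a remote location at build time, which is exactly the case where an unverified artifact can end up in the published image, so the exception is only reasonable if the Dockerfile (not part of this patch) checks the downloaded binary against a pinned checksum — worth confirming before merging the allowlist. The scanner's allowlist schema (`general` / `bestPracticeViolations`) looks correct, and `CIS-DI-0009` is a safe plain scalar, so no quoting change is needed.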
@@ -0,0 +1,14 @@
+# This should not be made a mandatory test
+# It is only used to make us aware of any potential security failure, that
+should trigger a bump of the image in build/.
+name: "Image vulnerability scan"
+on: [push, pull_request]
+jobs:
+ build-and-scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@master
+ - run: make DH_ORG="${{ github.repository_owner }}" VERSION="${{ github.sha }}" image
+ - uses: Azure/container-scan@v0
+ with:
+ image-name: docker.io/${{ github.repository_owner }}/kured:${{ github.sha }}
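Review bot: Both actions are pulled from mutable refs — `actions/checkout@master` tracks a branch and `Azure/container-scan@v0` a floating major tag — so whatever those upstreams push next runs in this job against the repository checkout; pin each step to a full commit SHA with a version comment, e.g. `- uses: actions/checkout@<full-commit-sha>  # v2`, and let Dependabot or Renovate bump the SHA and comment together. The header comment says this must not be a mandatory test, but nothing in the workflow encodes that: if the scan step fails on findings (which the allowlist added in this same patch suggests it does), every push and PR shows a red check until the base image is bumped, so `continue-on-error: true` on the `Azure/container-scan` step would make the advisory intent explicit rather than relying on branch-protection settings. The `${{ }}` expressions in the `run` line are limited to `github.repository_owner` and `github.sha`, which are not free-form attacker-controlled strings, so that line does not need to be moved into an `env:` variable.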