
add trivy image scanning #1663

Merged

Conversation

firefly2442
Contributor

What type of PR is this?

  • feature
  • devops

What this PR does / why we need it:

This adds support for Trivy container scanning as a GitHub Action. This can help with identifying security issues in underlying software, libraries, dependencies, etc.

Which issue(s) this PR fixes:

N/A

Testing

Review the GitHub Security tab and look at the Code Scanning section.

Release Notes

None

@hay-kot
Collaborator

hay-kot commented Sep 25, 2022

Thanks! This looks like a good addition for security scanning. Could you implement this as a partial workflow and add it only to the PR reviews? You can see the partial-backend.yml workflow as an example on how to implement this. Basically you set the on value as below

on:
    workflow_call:

And then include it in the pull-request.yml workflow. Making it dependent on the backend/frontend tests helps reduce unnecessary compute resources when the build fails anyways.

@hay-kot hay-kot left a comment

Sorry about the double comment!

@firefly2442
Contributor Author

I think I restructured it as a partial as you requested, but I'm not sure why the Dockerfile didn't build in the GitHub Action listed in this PR. It seems to build fine on my local machine.

@firefly2442
Contributor Author

Also, it looks like you've split into two services now, ./Dockerfile and ./frontend/Dockerfile. I don't think Trivy can run both and upload both results files. If you're wanting to keep the separation of services and scan each, we might need to add another partial action. Are you intending to keep them separate in the future?

@hay-kot
Collaborator

hay-kot commented Oct 3, 2022

I don't think Trivy can run both and upload both results files. If you're wanting to keep the separation of services and scan each we might need to add another partial action. Are you intending to keep them separate in the future?

Yes, we'll be using both docker files for the foreseeable future.
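One way to put the two requests above together (a `workflow_call` partial wired in after the test jobs, and a scan of both Dockerfiles whose results both survive in Code Scanning). This is an added illustration, not the workflow that was merged in this PR; the file names, image tags, build contexts and the `backend-tests`/`frontend-tests` job names are assumptions.

```yaml
# Assumed file name: .github/workflows/partial-trivy-container-scanning.yml
# Reusable ("partial") workflow: it only runs when another workflow calls it.
name: Trivy container scanning

on:
  workflow_call:

permissions:
  contents: read
  security-events: write   # needed to upload SARIF to Code Scanning

jobs:
  trivy:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - name: backend
            dockerfile: ./Dockerfile
            context: .
          - name: frontend
            dockerfile: ./frontend/Dockerfile
            context: ./frontend   # assumed build context
    steps:
      - uses: actions/checkout@v3
      - name: Build the ${{ matrix.name }} image locally (never pushed)
        run: docker build -f ${{ matrix.dockerfile }} -t mealie-${{ matrix.name }}:${{ github.sha }} ${{ matrix.context }}
      - name: Scan the ${{ matrix.name }} image with Trivy
        uses: aquasecurity/trivy-action@master   # pin to a release tag or SHA in production
        with:
          image-ref: mealie-${{ matrix.name }}:${{ github.sha }}
          format: sarif
          output: trivy-${{ matrix.name }}.sarif
      - name: Upload ${{ matrix.name }} results to the Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: trivy-${{ matrix.name }}.sarif
          # A distinct category per image keeps both uploads visible; two
          # uploads with the same category on one commit replace each other.
          category: trivy-${{ matrix.name }}
---
# Assumed caller, .github/workflows/pull-request.yml (jobs section only);
# needs: makes the scan run only after the (assumed) test jobs pass.
jobs:
  trivy:
    needs: [backend-tests, frontend-tests]
    uses: ./.github/workflows/partial-trivy-container-scanning.yml
```

The matrix is what lets one partial cover both services, and the `category` input on `upload-sarif` is what answers the "upload both results files" concern, since without it the frontend upload would overwrite the backend one for the same commit.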

@firefly2442
Contributor Author

@hay-kot Apologies for the delay. I believe I've refactored to scan both the frontend and backend Dockerfiles. Take a look and let me know what you think. Cheers.

@hay-kot hay-kot merged commit 0801f0a into mealie-recipes:mealie-next Dec 1, 2022
@firefly2442 firefly2442 deleted the trivy-container-scanning branch December 1, 2022 06:35