
chore(security): add .grype.yaml to ignore negligible vulnerabilities

Open outsinre opened this issue 1 year ago • 1 comments

Summary

Our release GHA workflow scans generated Docker images and reports vulnerabilities.

Some of the vulnerabilities are negligible and some won't be fixed by upstream. This PR adds a Grype configuration to ignore those vulnerabilities.

According to https://github.com/anchore/grype#configuration and https://github.com/marketplace/actions/anchore-container-scan#additional-configuration, we put the .grype.yaml in the root of the repo.

Checklist

  • [n/a] The Pull Request has tests
  • [n/a] There's an entry in the CHANGELOG
  • [n/a] There is a user-facing docs PR against https://github.com/Kong/docs.konghq.com - PUT DOCS PR HERE

Full changelog

  • add .grype.yaml to ignore negligible and won't-fix vulnerabilities

Issue reference

Fix #FTI-5195

outsinre avatar Jun 29 '23 05:06 outsinre
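An added example of the kind of ignore configuration this PR describes; it is not the file from the PR, and every CVE, package name and version in it is a constructed placeholder. The rule fields follow the `ignore` syntax documented in the Grype README linked above, and `fix-state` takes Grype's own values (`fixed`, `not-fixed`, `wont-fix`, `unknown`).

```yaml
# .grype.yaml, placed in the repository root so both the grype CLI and the
# anchore/scan-action pick it up. A finding that matches ANY rule is moved out
# of the report into Grype's "ignored" set; within one rule, every listed field
# must match. Suppression only changes the report, never the image.
ignore:
  # A negligible finding, matched on its vulnerability ID alone.
  # CVE-0000-00001 is a placeholder, not an identifier from this PR.
  - vulnerability: CVE-0000-00001

  # The same kind of finding, scoped to the package it was reported against,
  # so the same CVE surfacing in a different package is still reported.
  # Package name, version and type are constructed placeholders.
  - vulnerability: CVE-0000-00002
    package:
      name: example-lib
      version: 1.2.3
      type: deb

  # Findings the upstream distribution has marked won't-fix: there is no patch
  # to wait for, so the rule keys on fix-state rather than on an ID. This is a
  # blanket rule regardless of severity; add a package block to narrow it.
  - fix-state: wont-fix
```

To confirm the file is being honoured, run `grype <image> --show-suppressed` against a release image: each suppressed finding should appear in the table as ignored rather than simply be absent.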

@kikito FYI. Thanks.

VicYP avatar Jul 14 '23 08:07 VicYP

2.8.4.3-rc1 still reports the vulnerability: https://github.com/Kong/kong-ee/actions/runs/6081756831

outsinre avatar Sep 05 '23 09:09 outsinre

Close due to no authority decision.

outsinre avatar Sep 21 '23 09:09 outsinre

Testing the pull request

Dolat2057 avatar Sep 27 '23 13:09 Dolat2057