GitHub action for Security scanning of sdlc, engine and studio containers

Open maoo opened this issue 4 years ago • 7 comments

Feature Request

Description of Problem:

All images published on https://hub.docker.com/u/finos are not scanned for security vulnerabilities; it seems a rather simple feature to enable, given the large number of tools available, especially for open source projects, which integrate nicely into GitHub Actions.

Tasks:

  • [ ] Identify a shortlist of GitHub Actions and/or Apps that perform vulnerability scanning of Docker images
  • [ ] Fork sdlc, engine and studio repos, testing solutions
  • [ ] If a PR introduces a vulnerability, the PR should fail
  • [ ] If the image built by the GitHub Action contains a vulnerability, the release action should fail (and the image must not be published on Docker Hub)

maoo avatar Mar 12 '21 15:03 maoo

I've played a bit with https://github.com/marketplace/actions/anchore-container-scan , and it seems quite easy to run it as a GitHub Action; here's an initial idea:

  1. Copy publish-docker.sh into build-docker.sh, to take care of the local build of the image
  2. Change the release.yml logic to 1) build docker image 2) scan it 3) publish it
  3. Add build:docker script to package.json

This is what I came up with - https://github.com/finos/legend-studio/compare/master...maoo:master

@akphi @epsstan - wdyt?

maoo avatar Mar 12 '21 15:03 maoo

@maoo Great idea! My only wish is that they had some automation like Whitesource to scan from the Dockerfile instead of having to build :D. Seems like for us now we need to write a little bash script to build from our Dockerfile (or use docker actions), then run this action I think.

Studio image is a mere wrapper around finos/legend-engine-server image. So maybe scanning it wouldn't be necessary. But maybe it is :D, I'll see if I can experiment with it

akphi avatar Mar 13 '21 19:03 akphi

@maoo I just added some PRs for this. Our images are fairly basic 😭 But yep, after toying around with anchore for a while, I consider this https://github.com/anchore/scan-action/issues/87 a deal-breaker for me, so I have moved on to try out https://github.com/Azure/container-scan, which uses trivy underneath and seems like a pretty solid choice. I'm still testing it out a bit, but I think these PRs are quite ready to go.

I'll check with @pierredebelen to see what he thinks, and go on to implement this with the rest of the stack

akphi avatar Mar 14 '21 01:03 akphi
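The build, scan, then publish ordering proposed above, and the switch to Azure/container-scan, as one workflow. This is an added example, not the project's release.yml or either author's PR: the image name, the secret names and the daily schedule are assumptions. The point it makes is that the push step must come after the scan step in the same job, so a failed scan stops the job before anything reaches Docker Hub.

```yaml
# Added example (not Legend's own release.yml): build the image locally, scan it,
# and only then push to Docker Hub. Image name, secret names and schedule are
# assumptions made for illustration.
name: Build, scan and publish Docker image

on:
  pull_request:          # task: a PR that introduces a vulnerability must fail
  release:
    types: [published]   # task: a vulnerable image must never be published
  schedule:
    - cron: '0 6 * * *'  # re-scan daily: the CVE database moves even if the image does not

env:
  IMAGE: finos/legend-studio   # assumption: the Docker Hub repository under finos
  TAG: ${{ github.sha }}

jobs:
  build-scan-publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Step 1 of the proposal: build locally instead of build-and-push in one go.
      # `load: true` keeps the image in the runner's docker daemon and
      # `push: false` is what turns the later scan into a real gate.
      - name: Build image (no push)
        uses: docker/build-push-action@v4
        with:
          context: .
          load: true
          push: false
          tags: ${{ env.IMAGE }}:${{ env.TAG }}

      # Step 2: scan the image that was just built. Azure/container-scan runs
      # Trivy (CVEs) and Dockle (image best-practice checks). A finding at or
      # above severity-threshold fails this step, and therefore the whole job.
      - name: Scan image with Trivy and Dockle
        uses: Azure/container-scan@v0
        with:
          image-name: ${{ env.IMAGE }}:${{ env.TAG }}
          severity-threshold: HIGH
          run-quality-checks: true

      # Step 3: publish only on a release, and only if every previous step
      # succeeded (a step's implicit `if: success()`). A failed scan never
      # reaches these steps, so a vulnerable image is never pushed.
      - name: Log in to Docker Hub
        if: github.event_name == 'release'
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}   # assumed secret names
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Push image
        if: github.event_name == 'release'
        env:
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          docker tag "$IMAGE:$TAG" "$IMAGE:$RELEASE_TAG"
          docker push "$IMAGE:$TAG"
          docker push "$IMAGE:$RELEASE_TAG"
```

Two things to check when adopting something like this. First, the same scan runs on `pull_request` without any secrets, which is what you want: pull requests from forks never see the Docker Hub token, yet they are still blocked if they add a vulnerable dependency or base layer. Second, because the studio image wraps the engine image, most findings will come from the base image rather than the Dockerfile under review; `severity-threshold` is the knob that decides whether such inherited findings block a release, and lowering it silently turns the gate back into a report.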

Great progress @akphi !

Re. the simplicity of containers and the importance of scanning, I believe that scanning everything would give consumers peace of mind even before knowing how these images are built (and their inherited security); if there's a badge that states that images are (continuously) scanned, I think it will help consumption a lot.

Great to hear about container-scan, I'm looking forward to seeing it in action. Please let me know if you need some help!

maoo avatar Mar 14 '21 09:03 maoo

@maoo I have not heard about anchore. Clair and klar seem to be popular options. Gitlab has switched from Clair to Trivy [1].
I suggest we use one of the popular tools with the most comprehensive CVE database.

[1] https://docs.gitlab.com/ee/user/application_security/container_scanning/

epsstan avatar Mar 19 '21 03:03 epsstan

@epsstan container-scan is used by Azure and it uses Trivy underneath; it also has Dockle to help scan the code quality of the Docker image.

akphi avatar Mar 19 '21 07:03 akphi

This issue is stale because it has been open for 30 days with no activity. Please remove stale label or add any comment to keep this open. Otherwise this will be closed in 5 days.

finos-admin avatar Sep 22 '22 12:09 finos-admin

This issue was closed because it has been inactive for 35 days. Please re-open if this issue is still relevant.

finos-admin avatar Sep 28 '22 12:09 finos-admin