
[lacework] Use 'installer mirror list' and include Docker Hub images

Open corneliusludmann opened this issue 1 year ago • 0 comments

Description

This change uses the installer mirror list command to get the list of all used images for the Lacework scan. It also fixes the issue that Lacework cannot scan images from Docker Hub. For some reason, removing the docker.io/ prefix did the trick.

As an additional improvement, it does not stop scanning when there is an error with an image. It continues and returns an error exit code at the end.

Related Issue(s)

Fixes https://linear.app/gitpod/issue/ENG-1591/scan-workspace-images-for-cves

How to test

I started a manual GitHub action run: https://github.com/gitpod-io/gitpod/actions/runs/7805409193/job/21289613547

For some reason, the xterm-web image fails to scan:

= Scanning eu.gcr.io/gitpod-core-dev/build/ide/xterm-web : latest [49 / 66]
Pulling image: Done!
Saving image: Done!
Getting image manifest: Done!
Gathering packages: Done!
Packaging image data: Done!
ERROR: Scanned manifest has no packages. Aborting..

However, this seems to be independent of this change.

Preview status

gitpod:summary

Build Options

Build
  • [ ] /werft with-werft Run the build with werft instead of GHA
  • [ ] leeway-no-cache
  • [ ] /werft no-test Run Leeway with --dont-test
Publish
  • [ ] /werft publish-to-npm
  • [ ] /werft publish-to-jb-marketplace
Installer
  • [ ] analytics=segment
  • [ ] with-dedicated-emulation
  • [ ] workspace-feature-flags Add desired feature flags to the end of the line above, space separated
Preview Environment / Integration Tests
  • [ ] /werft with-local-preview If enabled this will build install/preview
  • [ ] /werft with-preview
  • [ ] /werft with-large-vm
  • [x] /werft with-gce-vm If enabled this will create the environment on GCE infra
  • [x] /werft preemptible Saves cost. Untick this only if you're really sure you need a non-preemptible machine.
  • [ ] with-integration-tests=all Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh. If enabled, with-preview and with-large-vm will be enabled.
  • [ ] with-monitoring

/hold

corneliusludmann avatar Feb 06 '24 16:02 corneliusludmann