Implement Trivy code scanning to help identify vulns
@fjrsaracho surfaced an issue reported by the code scanning tool Trivy. This issue is about implementing Trivy to do a scan weekly so we can stay on top of vulns even if code is not being pushed.
It is under Apache License 2.0, including commercial usage. You can read more at the following link: https://github.com/aquasecurity/trivy/blob/main/LICENSE
Not sure if it fits for you as a real "open-source"
Originally posted by @fjrsaracho in https://github.com/go-spatial/tegola/issues/1000#issuecomment-2237342860
GitHub offers code scanning natively too, if that is an option.
@iwpnd yeah they do, via CodeQL. From my understanding, Trivy and CodeQL overlap, but also cover different parts of the codebase. CodeQL would cover the Go and JS code, and Trivy covers the Dockerfile. I still need to research some of the details, but this is my high-level understanding.
For Docker we should be able to get away with Dependabot keeping the image updated.