
Vulnerability Scanning Implementation for container images

Open karanibm6 opened this issue 1 year ago • 3 comments

Changes

Implementation of this SHIP: https://github.com/shipwright-io/community/blob/main/ships/0033-build-output-vulnerability-scanning.md#build-output-vulnerability-scanning

  • Add vulnerability scanning options in build and buildrun types in v1alpha1 and v1beta1
  • Add vulnerable image for unit testing of vulnerability scanning feature
  • Implement vulnerability scanning for container images using trivy and list vulnerabilities in the buildrun output
  • Add e2e tests to verify options for vulnerability scanning

Fixes https://github.com/shipwright-io/build/issues/1394

Submitter Checklist

  • [x] Includes tests if functionality changed/was added
  • [x] Includes docs if changes are user-facing
  • [x] Set a kind label on this PR
  • [ ] Release notes block has been filled in, or marked NONE

See the contributor guide for details on coding conventions, github and prow interactions, and the code review process.

Release Notes

Vulnerability Scanning Implementation

karanibm6 avatar Feb 07 '24 17:02 karanibm6

/kind feature

karanibm6 avatar Feb 07 '24 17:02 karanibm6

I hate to be the person to come in and "drive by" this PR, especially since we had an approved SHIP beforehand and Karan has been iterating on this for months. But I think we need to reconsider the API in light of SARIF. I don't think the spec existed when the proposal was written - or was not widely adopted. It is now becoming a clear industry standard; many of the top scanning tools (Trivy, Snyk, Syft offhand) support SARIF formatted outputs, and we at Red Hat are using SARIF-formatted outputs in our build pipelines.

The most notable thing with SARIF is that it only has the following levels in the spec:

  • note - aka an "INFO" message
  • warning - a scan warning (Moderate/low severity?)
  • error - a serious issue/vulnerability (likely Important / Critical severity vulnerability)

adambkaplan avatar Apr 12 '24 19:04 adambkaplan
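To make the three-level point concrete, here is an added example (not code from this PR or from the shipwright project) that reads a constructed SARIF log, counts results by `note`/`warning`/`error`, and decides whether a buildrun should fail at a chosen threshold. The `Gate` function, the `sarifLog` type and the `EXAMPLE-*` rule ids are assumptions for illustration; the only SARIF fields relied on are `runs[].results[].ruleId` and `.level`.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// sarifLog is the minimal subset of a SARIF 2.1.0 log needed to read result levels.
type sarifLog struct {
	Runs []struct {
		Results []struct {
			RuleID string `json:"ruleId"`
			Level  string `json:"level"` // "note", "warning" or "error"
		} `json:"results"`
	} `json:"runs"`
}
// levelRank orders the three SARIF levels so a threshold can be compared against them.
var levelRank = map[string]int{"note": 0, "warning": 1, "error": 2}
// Gate counts results per SARIF level across all runs and reports whether any result
// is at or above failOn. A result with no level counts as "warning" (the spec default).
func Gate(doc []byte, failOn string) (map[string]int, bool, error) {
	var log sarifLog
	if err := json.Unmarshal(doc, &log); err != nil {
		return nil, false, err
	}
	counts, fail := map[string]int{}, false
	for _, run := range log.Runs {
		for _, r := range run.Results {
			lvl := r.Level
			if lvl == "" {
				lvl = "warning"
			}
			rank, ok := levelRank[lvl]
			if !ok {
				return nil, false, fmt.Errorf("rule %s: unknown SARIF level %q", r.RuleID, lvl)
			}
			counts[lvl]++
			fail = fail || rank >= levelRank[failOn]
		}
	}
	return counts, fail, nil
}
// sampleSARIF is a constructed document, not real scanner output.
const sampleSARIF = `{"version":"2.1.0","runs":[{"results":[{"ruleId":"EXAMPLE-1","level":"error"},
{"ruleId":"EXAMPLE-2","level":"warning"},{"ruleId":"EXAMPLE-3"},{"ruleId":"EXAMPLE-4","level":"note"}]}]}`

func main() {
	counts, fail, err := Gate([]byte(sampleSARIF), "warning")
	fmt.Println(counts, fail, err) // map[error:1 note:1 warning:2] true <nil>
}
```

Because SARIF collapses scanner severities into three levels, a consumer that wants to distinguish "Important" from "Critical" has to read tool-specific properties rather than `level` alone.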

Looks mostly good @karanibm6. I put a few small changes in https://github.com/karanibm6/build/pull/37. Please check.

SaschaSchwarze0 avatar May 31 '24 20:05 SaschaSchwarze0

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: SaschaSchwarze0

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • ~~OWNERS~~ [SaschaSchwarze0]

Approvers can indicate their approval by writing /approve in a comment.
Approvers can cancel approval by writing /approve cancel in a comment.

openshift-ci[bot] avatar Jun 10 '24 09:06 openshift-ci[bot]