kube-ez
Check for CVEs
Right now the CI is set up such that every successful build of the Docker image is pushed to ghcr.
But this is very risky, as I am not scanning for CVEs. Nor do I have image scanning enabled on my Docker Hub, as I am broke.
So we need to find some CLI-based Docker image scanning jobs for the CI.
Refer to This: Here
Look into this https://github.com/marketplace/actions/docker-scout
Or you can use this action directly: https://github.com/snyk/actions
So I have enabled Docker Scout on my repo. It seems to be free in the early access version. (Let's see how long it stays free xD) Anyway, these are the changes I saw after fixing it:
All I had to do was upgrade the base image. This means I just had to rebuild the image so that it picks up the latest base image. It raises a good itch in my head: I should have a CRON job for this, running once a month or so...
I know my CI will build and test, so functionality won't break!
The only demerit I see is that the documentation will be outdated with the tag each time. And I really don't want to make any commit from a CI runner!
Anyway, this only fixes the CVEs on the image layer.
Let's plan and build something for the code level.
(PS: That's what she said)
Ok, so I set up Snyk to scan my codebase. Now this got really interesting! Most of the CVEs are dependency-related or Kubernetes-YAML-related. It is interesting because it did not say any part of the code has a CVE 🤯
Either one of the two things is happening here:
- Snyk on the free level is bullcrap and not working as expected. I don't even see suggestions to fix my CVEs on the dashboard.
- I am the proof of singularity and I write code with no CVE 😂
Anyway, my search for a code scanning tool for my CI is not done yet, then! I mean, the repo has CodeQL set up, but you know, it's not the same feeling. I learned some new things today for sure.
Integrate this: https://collabnix.com/how-to-integrate-docker-scout-with-github-actions/
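As an added example (not the kube-ez project's own workflow), here is one way to wire the pieces discussed above into a single GitHub Actions job: build the image without pushing, scan it with Docker Scout, and push to ghcr only if no CRITICAL or HIGH CVEs are found. The monthly `schedule` trigger plus `pull: true` covers the "rebuild to pick up the latest base image" CRON idea, without any commit from the runner. Assumptions: the image name `ghcr.io/OWNER/kube-ez` is a placeholder, the action version tags are the ones current at the time of writing, and Docker Hub credentials are stored as `DOCKERHUB_USER` / `DOCKERHUB_TOKEN` secrets (Docker Scout requires a Docker Hub login).

```yaml
# Added example, not the project's own CI. Build -> scan -> push, where the
# push step is only reached if the Docker Scout scan finds no CRITICAL/HIGH CVEs.
name: build-scan-push

on:
  push:
    branches: [main]
  schedule:
    # Assumed schedule: 03:00 UTC on the 1st of every month. Rebuilds the
    # image so it picks up the latest patched base image even with no code change.
    - cron: "0 3 1 * *"

env:
  IMAGE: ghcr.io/OWNER/kube-ez   # placeholder: replace OWNER with the real org/user

jobs:
  build-scan-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-buildx-action@v3

      # Build into the local Docker daemon only; nothing leaves the runner yet.
      # pull: true forces a fresh pull of the base image, which is the whole
      # point of the cron-triggered run.
      - name: Build image (no push)
        uses: docker/build-push-action@v5
        with:
          context: .
          load: true
          pull: true
          push: false
          tags: ${{ env.IMAGE }}:${{ github.sha }}

      # Docker Scout needs a Docker Hub login even when the image is not on Hub.
      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # exit-code: true makes the step fail when CVEs at the listed severities
      # are present, so the job stops here and the push below never runs.
      - name: Scan image for CVEs with Docker Scout
        uses: docker/scout-action@v1
        with:
          command: cves
          image: ${{ env.IMAGE }}:${{ github.sha }}
          only-severities: critical,high
          exit-code: true

      # Reached only when the scan step passed.
      - name: Log in to ghcr
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Push scanned image
        run: docker push ${{ env.IMAGE }}:${{ github.sha }}
```

Lower-severity findings are still listed in the job log, they just don't block the push. The scan step is the single gate, so the Snyk action linked above could be substituted there (with its own token) without changing the rest of the job.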