osm
Add vulnerability checking to the CI pipelines
Please describe the Improvement and/or Feature Request
Our CI pipeline should be actively checking for Go vulnerabilities with the newly announced govulncheck tooling to catch issues as soon as possible.
Scope (please mark with X where applicable)
- CI System [X]
Possible use cases
CI vulnerability checking.
Added default label kind/needed. Please consider re-labeling this issue appropriately.
@trstringer I think this is not taken yet. Would you mind assigning it to me?
Thanks for your willingness to tackle this! You're now assigned to the issue 👍🏾
Thanks @keithmattix !
Progress update: Figured out how to run the Go vulnerability check in GitHub Actions. However, the GitHub Actions job I created always got killed by GitHub Actions when running the command `govulncheck ./...`. I am trying to resolve this. Thanks!
- Result update: I think this issue is blocked due to the memory limitation of our CI environment (VM for GitHub Actions).
- Free memory of the VM using `free -m`:

                    total   used   free  shared  buff/cache  available
      Mem:           6943    623    936      12        5384       6009
      Swap:          4095      0   4095

- Suggestion: Increase the memory limit for GitHub Actions VMs.
- Details:
  - The first thought I had is that `govulncheck` checks modules in parallel and consumes more memory than expected. I then ran the command `govulncheck` module by module. However, I found the memory limitation still causes the issue. For some modules, the command allocated more than 12 GB of memory. The total available in the CI environment is about 11 GB (~7 GB RAM + ~4 GB swap). That is why the CI job always got killed with an out-of-memory error.
@keithmattix @trstringer
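The module-by-module run described in the update above, written out as an added example (not code from the osm repository): each module is checked in its own subshell with an explicit `ulimit -v` cap, so one oversized module fails on its own instead of the whole job being OOM-killed, and the summary still fails the pipeline if any module fails. `VULNCHECK` and `MEM_LIMIT_KB` are assumed variable names; the ~4 GB default is chosen to stay under the ~7 GB of RAM reported by `free -m` in the thread.

```shell
#!/usr/bin/env sh
# Added example, not part of the osm project. Runs "$VULNCHECK ./..." inside
# every directory under $1 that contains a go.mod (vendor trees skipped), one
# module at a time, with a per-module virtual-memory cap instead of relying
# on the runner's OOM killer. Returns non-zero if any module failed.
run_vulncheck_per_module() {
    root="$1"
    VULNCHECK="${VULNCHECK:-govulncheck}"      # assumed: checker command, overridable for testing
    MEM_LIMIT_KB="${MEM_LIMIT_KB-4000000}"     # assumed: ~4 GB cap; set to "" to disable the cap
    failures=0
    for modfile in $(find "$root" -name go.mod -not -path '*/vendor/*' | sort); do
        moddir=$(dirname "$modfile")
        # Subshell so the ulimit applies only to this module's check.
        if (
            cd "$moddir" || exit 98
            if [ -n "$MEM_LIMIT_KB" ]; then ulimit -v "$MEM_LIMIT_KB" || exit 97; fi
            "$VULNCHECK" ./...
        ); then
            echo "OK   $moddir"
        else
            # $? here is the subshell's status: the checker's own exit code,
            # 97 if the cap could not be set, 98 if the directory is unusable.
            echo "FAIL $moddir (exit $?)"
            failures=$((failures + 1))
        fi
    done
    echo "$failures module(s) failed"
    [ "$failures" -eq 0 ]
}
```

Call it as `run_vulncheck_per_module "$GITHUB_WORKSPACE"` from the workflow step; a FAIL line with a non-zero checker exit is what a practitioner should inspect first, since govulncheck itself exits non-zero when it reports findings.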