
WIP - DO NOT MERGE - HOFF-615: Replace Anchore with Trivy #215

Open. Wants to merge 2 commits into base: master

Conversation

@adityababumallisettiHO adityababumallisettiHO commented Feb 23, 2024

What?

I've added the Trivy Scanner to the pipeline and removed the deprecated Anchore Scanner for the UKVI end tenancy service, see ticket:
https://collaboration.homeoffice.gov.uk/jira/browse/HOFF-615

Why?
Trivy will let you scan images, file systems and repositories for any vulnerabilities and issues. It will detect CVEs in OS packages, application susceptibilities, and exposures of IaC in Terraform files, Kubernetes and Docker.
The drawback of the Anchore Scanner is that it's significantly slower, the process of using it is more cumbersome, the output is less friendly and, most importantly, it scans fewer CVEs.


How?

Removed the Anchore CVE exception file and added a Trivy CVE exception file in the hof-services-config repo under the UKVI end tenancy configs.
Removed the Anchore Scanner steps from the pipeline and added Trivy scanner steps with a cron scanner.
Our acceptance criterion is to list the Medium to Critical vulnerabilities.

Testing?
We can test it by raising a pull request to the master branch. The Drone pipeline should run through the steps, should list the Medium to Critical vulnerabilities and should progress to the next steps of deployment to branch:
https://drone-gh.acp.homeoffice.gov.uk/UKHomeOffice/end-tenancy/1178

Screenshots
This screenshot is from Drone CI console

* Trivy Scanner & cron job added to pipeline
* trivy-cve-exceptions file path added
* Trivy will scan images, file systems and repositories for any vulnerabilities and issues.
* Trivy is supported by ACP team
* Remove Trivy reference from Dockerfile Comments
* Trivy Scanner & cron job added to pipeline
* trivy-cve-exceptions file path added
* Trivy will scan images, file systems and repositories for any vulnerabilities and issues.
* Trivy is supported by ACP team
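The PR's acceptance criterion is that the pipeline lists Medium to Critical findings after the CVE exception file has been applied. The following is an added example, not code from the end-tenancy repo, its Drone pipeline or the ACP Trivy step: it post-processes a Trivy JSON report the way such a gate would, so the same filtering can be applied to the output of the cron scan as to the PR scan. It assumes Trivy's JSON report layout (`Results` containing `Vulnerabilities` entries with `VulnerabilityID`, `Severity`, `PkgName`, `InstalledVersion` and `FixedVersion`) and assumes the exception file is in `.trivyignore` style (one CVE id per line, `#` comments). The report and exception list embedded below are constructed, and the CVE ids in them are placeholders.

```python
"""Gate a Trivy JSON report on Medium..Critical findings, honouring a CVE exception file.

Added example; not part of the end-tenancy pipeline. Assumes Trivy's JSON report
shape and a .trivyignore-style exception file (both assumptions, not taken from the PR).
"""
from __future__ import annotations

import json

# Severities that should be listed and should fail the step (the PR's acceptance criterion).
GATED_SEVERITIES = ("MEDIUM", "HIGH", "CRITICAL")
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}

# Constructed exception file: CVE-0000-0004 is a placeholder id, accepted with a comment.
SAMPLE_EXCEPTIONS = """
# accepted risk, tracked in a ticket (constructed placeholder)
CVE-0000-0004   # not reachable in this image
"""

# Constructed Trivy-style report. Note the second result has "Vulnerabilities": null,
# which Trivy emits for targets with no findings, so the code must tolerate it.
SAMPLE_REPORT = json.loads("""
{
  "SchemaVersion": 2,
  "Results": [
    {
      "Target": "placeholder-image (debian 12)",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libfoo", "InstalledVersion": "1.0-1",
         "FixedVersion": "1.0-2", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libbar", "InstalledVersion": "2.3",
         "FixedVersion": "2.4", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz", "InstalledVersion": "0.9",
         "FixedVersion": "", "Severity": "LOW"},
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libqux", "InstalledVersion": "5.1",
         "FixedVersion": "5.2", "Severity": "HIGH"}
      ]
    },
    {"Target": "app/package-lock.json", "Vulnerabilities": null}
  ]
}
""")


def parse_exceptions(text: str) -> set[str]:
    """Return the set of excepted CVE ids from a .trivyignore-style file body."""
    ids: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if line:
            ids.add(line.upper())
    return ids


def gated_findings(report: dict, exceptions: set[str],
                   severities: tuple[str, ...] = GATED_SEVERITIES) -> list[dict]:
    """Findings at a gated severity that are not on the exception list, most severe first."""
    wanted = {s.upper() for s in severities}
    findings: list[dict] = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:  # tolerate null / missing key
            vid = str(vuln.get("VulnerabilityID", "")).upper()
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            if sev not in wanted or vid in exceptions:
                continue
            findings.append({
                "id": vid,
                "severity": sev,
                "target": result.get("Target", ""),
                "package": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", "") or "(no fix yet)",
            })
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 99), f["id"]))
    return findings


def gate_exit_code(report: dict, exceptions: set[str]) -> int:
    """Exit code for the pipeline step: 1 if any gated finding remains, else 0."""
    return 1 if gated_findings(report, exceptions) else 0


if __name__ == "__main__":
    excepted = parse_exceptions(SAMPLE_EXCEPTIONS)
    for f in gated_findings(SAMPLE_REPORT, excepted):
        print(f"{f['severity']:<8} {f['id']:<16} {f['package']} {f['installed']} -> {f['fixed']}  [{f['target']}]")
    raise SystemExit(gate_exit_code(SAMPLE_REPORT, excepted))
```

Run against a real report produced with `trivy image --format json -o report.json <image>`, the same filtering can be delegated to Trivy itself with `--severity MEDIUM,HIGH,CRITICAL --exit-code 1 --ignorefile <exception file>`; the script is useful when the cron scan stores the JSON and a later step has to decide whether to alert on it. Whether the project's own exception file uses this format is an assumption, so the parser would need adjusting if it does not.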
@sulthan-ahmed sulthan-ahmed (Contributor) left a comment

please squash the commits before merging


2 participants