Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add daily vulnerability scan #100

Merged
merged 9 commits into from
Oct 30, 2023
Merged

Add daily vulnerability scan #100

merged 9 commits into from
Oct 30, 2023

Conversation

R-HNF
Copy link
Contributor

@R-HNF R-HNF commented Oct 18, 2023
edited
Loading

Description

I have updated three files for daily vulnerability scan.

  1. daily-vul-scan.yml
  2. README.md
  3. trivy-results.tpl

1. daily-vul-scan.yml

Add daily vulnerability scan workflow daily-vul-scan.yml using trivy-action created by the official Trivy team.

This is the result of a test run.

2. README.md

Add a badge to README.md to display the workflow results on the main branch.

Sample:
image

The result is marked as failing due to vulnerabilities.
ref. https://github.com/R-HNF/gatling-operator/tree/add_daily-vul-scan

3. trivy-results.tpl

Add a template trivy-results.tpl for writing out Trivy results to an issue.

This is the sample of a test run.

Checklist

Please check if applicable

  • Tests have been added (if applicable, ie. when operator codes are added or modified)
  • Relevant docs have been added or modified (if applicable, ie. when new features are added or current features are modified)

Relevant issue #45

@R-HNF R-HNF requested review from gold-kou and itiB October 19, 2023 05:17
@R-HNF R-HNF added the enhancement New feature or request label Oct 19, 2023
gold-kou
gold-kou reviewed Oct 27, 2023
View reviewed changes
.github/workflows/daily-vul-scan.yml Outdated
issues: write

jobs:
build:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel the job should be separated more as not only building here.
Such as scanning and making an issue.

Copy link
Contributor Author

@R-HNF R-HNF Oct 27, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As you suggested, it seemed like a good idea to separate the jobs.
However, upon consideration of the following points, I concluded that processing the trivy results within the same job would be more efficient than writing them out as a string and sharing across different jobs.

  • The output of aquasecurity/trivy-action@master is specified by file.
  • The input specification for JasonEtco/create-an-issue@v2 is filename.

Consequently, I decided to only change the job name, instead of separating the jobs.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, I understand it's tough to separate jobs.

gold-kou
gold-kou approved these changes Oct 27, 2023
View reviewed changes
Copy link
Contributor

@gold-kou gold-kou left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@R-HNF R-HNF merged commit 4b89ab8 into st-tech:main Oct 30, 2023
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gold-kou gold-kou gold-kou approved these changes

@itiB itiB Awaiting requested review from itiB

Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@R-HNF @gold-kou