Added trivy-scan for plugins #856
Conversation
|
I'm willing to try this; but I'm concerned about endless false positives. the CNI plugins make no HTTP or TLS requests, provide no network services, and and don't parse end-user-provided input. Dealing with the output of security scanners is, in my experience, a tiring exercise in pulling signal from noise. CNI, as a volunteer-operated project, only has so many resources, and dealing with spurious false positives might not be a good use of that time. Does trivy do any sort of code path analysis to determine if CVEs are applicable in the style of govulncheck? |
|
Yes, we are not testing any HTTP or TLS requests. But this will help to test the overall code. |
|
@squeed Please review the PR. |
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
Signed-off-by: Yash Singh <[email protected]>
mmorel-35
force-pushed
the
trivy-scan
branch
from
b5de559
to
d84c4b3
Compare
This PR introduces the security scanning for plugins repository. This job will run once any pull and push request changes made on the
mainbranch.1. Why is this pull request needed and what does it do?
The CVE scanning for the plugins repository will be enabled by this PR. It will make it easier to track down the HIGH and CRITICAL CVE being used.
Test result:
