Look into security scans for container images #115

Closed
poikilotherm opened this issue Oct 22, 2019 · 3 comments · May be fixed by #215
Labels
enhancement New feature or request security Anything related to security of containers and deployments

Comments

@poikilotherm
Member

poikilotherm commented Oct 22, 2019

Free plan for OSS at https://snyk.io
And nice labels via shield.io

Snyk only offers up to 100 scans for OSS.

After some reading, we should go with Clair or Anchore Engine.

See also https://kubedex.com/follow-up-container-scanning-comparison

@poikilotherm poikilotherm added the enhancement New feature or request label Oct 22, 2019
@poikilotherm poikilotherm changed the title Look into snyk.io security scans for container images Look into security scans for container images Feb 3, 2020
@poikilotherm
Member Author

poikilotherm commented Feb 3, 2020

@donsizemore what would you think about running an Anchore Engine as a dockerized service on https://jenkins.dataverse.org? I'm not sure it would fit in a free tier AWS job on the IQSS bill, but as it should be updated frequently with the latest databases, it should run 24/7...

@4tikhonov this might be relevant for you guys at SSHOC/CESSDA, too, as Anchore allows for policies.

I took a look at this as we want to go into pilot testing with public exposure and I need to make sure we are safe from the start...

@poikilotherm poikilotherm added this to the v4.19 milestone Feb 3, 2020
@poikilotherm poikilotherm added the security Anything related to security of containers and deployments label Feb 14, 2020
@poikilotherm poikilotherm removed this from the v4.19 milestone Apr 16, 2020
@poikilotherm
Member Author

I removed this from the milestone 4.19 as other things receive more priority for now.
With Dataverse 5 at the horizon for release in summer, this should be picked up again.

poikilotherm added a commit to poikilotherm/dataverse that referenced this issue Jul 14, 2021
Trivy should be capable of 1. having a configurable list of CVEs to ignore,
2. allowing to filter unfixed vulns and 3. having a more decent SARIF template
for better integration into the Github Security Tab reports

gdcc/dataverse-kubernetes#115
poikilotherm added a commit to poikilotherm/dataverse that referenced this issue Jul 28, 2021
Trivy should be capable of 1. having a configurable list of CVEs to ignore,
2. allowing to filter unfixed vulns and 3. having a more decent SARIF template
for better integration into the Github Security Tab reports

gdcc/dataverse-kubernetes#115
poikilotherm added a commit to poikilotherm/dataverse that referenced this issue Aug 17, 2021
Trivy should be capable of 1. having a configurable list of CVEs to ignore,
2. allowing to filter unfixed vulns and 3. having a more decent SARIF template
for better integration into the Github Security Tab reports

gdcc/dataverse-kubernetes#115
poikilotherm added a commit to poikilotherm/dataverse that referenced this issue Aug 23, 2021
Trivy should be capable of 1. having a configurable list of CVEs to ignore,
2. allowing to filter unfixed vulns and 3. having a more decent SARIF template
for better integration into the Github Security Tab reports

gdcc/dataverse-kubernetes#115
@poikilotherm
Member Author

Done in both https://github.com/gdcc/dataverse/tree/develop+ct and https://github.com/gdcc/dataverse/tree/master+ct via Github Action using Trivy

Scans are not publicly viewable and cannot be configured to be public.
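For readers who want to see what the three capabilities named in the commit messages (an ignore list of CVEs, filtering of unfixed vulnerabilities, SARIF output for the GitHub Security tab) look like when wired into a GitHub Action, here is an added example workflow. It is not the gdcc/dataverse project's own workflow from the branches linked above; the image name `example/dataverse:ci`, the `.trivyignore` path, the schedule and the pinned action versions are assumptions.

```yaml
# Added example, not the project's own workflow. Scans a freshly built
# container image with Trivy and uploads the SARIF report to the GitHub
# Security tab. Image name, ignore-file path and action versions are assumed.
name: container-scan

on:
  push:
    branches: [develop]
  schedule:
    - cron: "0 4 * * *"   # re-scan daily so new vulnerability DB entries are picked up

permissions:
  contents: read
  security-events: write   # needed to upload SARIF to the Security tab

jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Assumed image name; in practice this is the image the project builds.
      - name: Build image
        run: docker build -t example/dataverse:ci .

      # 1. CVEs to ignore come from a version-controlled .trivyignore file
      #    (one CVE id per line, ideally with a comment explaining why).
      # 2. ignore-unfixed drops findings for which no fixed package exists yet.
      # 3. format: sarif produces a report the Security tab can ingest.
      - name: Scan image with Trivy
        uses: aquasecurity/trivy-action@0.24.0   # assumed pin; use a current release
        with:
          image-ref: example/dataverse:ci
          format: sarif
          output: trivy-results.sarif
          ignore-unfixed: true
          severity: CRITICAL,HIGH
          trivyignores: .trivyignore
          exit-code: "0"   # report only; set to "1" to make the job fail on findings

      - name: Upload results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
```

The `.trivyignore` file is a plain text list of CVE identifiers, one per line, which keeps the accepted-risk decisions reviewable in version control rather than hidden in job settings. Keeping `exit-code` at `"0"` matches the reporting-only setup described in the last comment; raising it to `"1"` turns the scan into a merge gate, and the scheduled run matters because the results in the Security tab only reflect the vulnerability database as of the last scan.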
