
Conversation

@cjdcordeiro
Collaborator

  • Have you signed the CLA?

Problem

The current GH workflow runs the Trivy scan but doesn't react to its findings, exiting successfully even if there are vulnerabilities.

In this PR

This PR adds an additional Trivy execution that raises an error on HIGH and CRITICAL vulnerabilities. It also uploads the vulnerability report to the CI run and the GitHub Security dashboard (example)
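For readers unfamiliar with this pattern, here is an added example (not the PR's actual workflow change) of how a workflow that first uploads the report and then gates on severity looks in GitHub Actions. The action versions, the scan target (`fs` on the checked-out tree) and the report file name are assumptions.

```yaml
name: Security scan

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required for the SARIF upload to the Security tab

jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # 1) Reporting run: emit SARIF and never fail here, so the report
      #    is uploaded even when the gate below fails the job.
      - name: Trivy scan (report)
        uses: aquasecurity/trivy-action@0.24.0   # assumed pin; use your release
        with:
          scan-type: fs                          # assumption: scan the checkout
          scan-ref: .
          format: sarif
          output: trivy-results.sarif            # assumed file name
          exit-code: '0'

      - name: Upload report to GitHub Security dashboard
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif

      - name: Upload report as CI artifact
        uses: actions/upload-artifact@v4
        with:
          name: trivy-results
          path: trivy-results.sarif

      # 2) Gating run: same scan, but exit non-zero on HIGH/CRITICAL findings.
      #    A non-zero exit code fails this step, and therefore the job.
      - name: Trivy scan (fail on HIGH/CRITICAL)
        uses: aquasecurity/trivy-action@0.24.0
        with:
          scan-type: fs
          scan-ref: .
          format: table
          severity: HIGH,CRITICAL
          exit-code: '1'
```

Running the gate after the upload steps matters: if the failing run came first, the job would stop before the report reached the Security tab, and the findings that caused the failure would be visible only in the job log.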

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@cjdcordeiro
Collaborator Author

@letFunny @rebornplusplus can we update the yaml module?

@cjdcordeiro cjdcordeiro requested review from letFunny and removed request for niemeyer August 7, 2024 12:00
@cjdcordeiro cjdcordeiro added the Simple Nice for a quick look on a minute or two label Aug 8, 2024
@cjdcordeiro
Collaborator Author

needs #153 for CI to pass

@rebornplusplus

@letFunny @rebornplusplus can we update the yaml module?

Should be alright, yeah. Following should do it:

go get gopkg.in/yaml.v3
go mod tidy

If you want to take this chance and update everything:

go get -u
go mod tidy

@rebornplusplus

Oh, I see you raised #153 already!

Contributor

@niemeyer niemeyer left a comment

Can't tell if this is actually doing what it should, but the theory sounds good.

@niemeyer niemeyer merged commit 3880d2b into canonical:main Oct 14, 2024
4 participants