add security scanners for containers #652
Comments
I ran trivy on the wis2box-api, it found one issue with severity=HIGH

question: should the GHA only fail on severity=CRITICAL ?

Add trivy.yml to PR: #699. wis2box-management passes; wis2box-api, wis2box-ui and wis2box-webapp fail.

@tomkralidis how to proceed ?

2024-07-24:

2024-08-14:
This task is quite difficult due to the many images and upstream dependencies. Certain packages have no active developers, like wis2box-ui, for which the node-version in the base-image needs to be updated, which I'm hesitant to do as there is a high risk of additional work required when doing so due to downstream dependencies. New vulnerabilities can be discovered over time, so we would require continuous updates to make this security scanner pass. Each vulnerability found needs to be carefully studied, as many do not appear to be relevant as actual security concerns since they depend on specific features that we may not use. https://avd.aquasec.com/nvd/2024/cve-2024-24790/ The scan itself regularly fails with the error:

A manual re-run often works around this, but it has to be noted that adding this GitHub-action will introduce significant additional work for developers for each new PR to pass this test.

In order to make this task more manageable I will add the trivy-scans (and resolve vulnerabilities) to images built outside of this repo, namely: Then I can reduce the number of trivy-scans required to be added in this repo.

FYI, I found a workaround for the TOOMANYREQUESTS issue by setting a different TRIVY_DB_REPOSITORY in the env.

FYI we will need a trivy GHA setup for https://github.com/wmo-im/wis2box-auth as well.
Add trivy via GitHub Actions in order to scan containers for vulnerabilities.
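An added example workflow (not the trivy.yml from PR #699 or any wis2box code) showing the two points raised in the thread: the job fails only on CRITICAL findings with an available fix while still reporting HIGH ones, and TRIVY_DB_REPOSITORY points at an alternative DB registry to avoid the TOOMANYREQUESTS error. The image names, the `EXAMPLE_ORG` namespace, the trivy-action version tag and the mirror registry are assumptions.

```yaml
name: trivy

on:
  pull_request:
  schedule:
    - cron: '0 6 * * 1'   # weekly rescan: new CVEs are published after merge

jobs:
  scan:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false          # report every image, not only the first failing one
      matrix:
        image:                  # assumed placeholder image references
          - ghcr.io/EXAMPLE_ORG/wis2box-api:latest
          - ghcr.io/EXAMPLE_ORG/wis2box-management:latest
    env:
      # Assumed mirror of the vulnerability DB; the default registry rate-limits
      # anonymous pulls, which surfaces as TOOMANYREQUESTS in CI
      TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db

    steps:
      - uses: actions/checkout@v4

      # Gate: block the PR only on CRITICAL findings that have a fix available
      - name: Trivy (blocking, CRITICAL with fix)
        uses: aquasecurity/trivy-action@0.24.0   # version tag assumed
        with:
          image-ref: ${{ matrix.image }}
          severity: CRITICAL
          ignore-unfixed: true
          exit-code: '1'
          format: table

      # Visibility: list HIGH findings for review without failing the job
      - name: Trivy (report only, HIGH)
        if: always()
        uses: aquasecurity/trivy-action@0.24.0
        with:
          image-ref: ${{ matrix.image }}
          severity: HIGH
          exit-code: '0'
          format: table
```

Findings judged irrelevant after review (a CVE in a feature the image never exercises) can be recorded in a `.trivyignore` file in the repository root so the gate stays green without disabling the scanner.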