[Task]: Update GA Vulnerability Scans to Align with AWS ECR Scans - Githubissues

HHS / simpler-grants-gov

https://simpler.grants.gov

Other

44 stars 13 forks source link

[Task]: Update GA Vulnerability Scans to Align with AWS ECR Scans #947

Open acouch opened 10 months ago

acouch commented 10 months ago

Summary

AWS ECR scans are being used to scan containers in AWS. The results sometimes vary between scans. Solutions include:

[ ] update our workflow to run the scans in ECR through GA (publish then scan) using https://github.com/marketplace/actions/aws-ecr-scan-docker-image or https://github.com/aws-samples/amazon-ecr-continuous-scan.
[ ] Update the grype.yml and .trivyignore files to align with the AWS ECR filters

Related to: #809 and #808

Acceptance criteria

[ ] GA scans best align with AWS ECR scans
[ ] Documentation updated

Open questions / notes

acouch commented 10 months ago

This would be helpful but is not a blocker for the current milestone.

acouch commented 9 months ago

NOTE: It would also be helpful to run the vuln scans daily or multiple times a day so a vuln doesn't come up as we are trying to deploy.