OasisLMF / OasisPlatform

Loss modelling platform.
BSD 3-Clause "New" or "Revised" License
40 stars, 17 forks

Add container scanning to the build system - Sonatype #413

Closed. sambles closed this 3 years ago

sambles commented 4 years ago

Check built container for vulnerabilities:

Jonas Nordin: I'll wait to add your containers until you've integrated it. You only have to worry about high and critical for us. This scans the actual layers in the container.

sambles commented 4 years ago

Note: Switch platform image to alpine but worker base should stick to Debian

sambles commented 3 years ago

https://plugins.jenkins.io/sysdig-secure/

sambles commented 3 years ago

More options:
https://www.aquasec.com/products/container-security/
https://blog.aquasec.com/aqua-microscanner-free-image-vulnerability-scanning-plug-in-for-jenkins
https://github.com/aquasecurity/trivy#rhelcentos

sambles commented 3 years ago

Example: `docker run aquasec/trivy image coreoasis/model_worker:1.9.1`

```
coreoasis/model_worker:1.9.1 (debian 10.5)
==========================================
Total: 1096 (UNKNOWN: 6, LOW: 772, MEDIUM: 153, HIGH: 158, CRITICAL: 7)
 ...
```

Attachment: trivy_output.txt
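To turn a scan like the one above into a build gate that fails only on HIGH and CRITICAL findings (the threshold Jonas Nordin mentions earlier in the thread), here is an added example, not part of OasisPlatform or trivy, that parses the per-target `Total:` summary lines from trivy's table output and applies configurable limits; the `max_high` / `max_critical` parameters and the embedded report text are assumptions constructed for the example.

```python
import re
from typing import Dict, Iterator

# Shape of the summary line trivy prints under each scanned target, e.g.
# "Total: 1096 (UNKNOWN: 6, LOW: 772, MEDIUM: 153, HIGH: 158, CRITICAL: 7)"
SUMMARY_RE = re.compile(r"^Total:\s*(\d+)\s*\((.*)\)\s*$")
SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample: the two summary lines copied from the comment above,
# plus a second (hypothetical) target with no high or critical findings.
SAMPLE_REPORT = """\
coreoasis/model_worker:1.9.1 (debian 10.5)
==========================================
Total: 1096 (UNKNOWN: 6, LOW: 772, MEDIUM: 153, HIGH: 158, CRITICAL: 7)

usr/lib/python3/site-packages/requirements.txt (pip)
====================================================
Total: 3 (UNKNOWN: 0, LOW: 2, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
"""


def parse_summary(line: str) -> Dict[str, int]:
    """Return {severity: count} for one 'Total:' line; raise on malformed input."""
    m = SUMMARY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a trivy summary line: {line!r}")
    counts = {sev: 0 for sev in SEVERITIES}
    for part in m.group(2).split(","):
        sev, _, num = part.strip().partition(":")
        sev = sev.strip().upper()
        if sev not in counts:
            raise ValueError(f"unknown severity {sev!r} in {line!r}")
        counts[sev] = int(num)
    # Cross-check so a truncated or edited line cannot pass silently.
    if sum(counts.values()) != int(m.group(1)):
        raise ValueError("per-severity counts do not add up to the total")
    return counts


def iter_summaries(report: str) -> Iterator[Dict[str, int]]:
    """Yield parsed counts for every target in a multi-target trivy report."""
    for line in report.splitlines():
        if line.startswith("Total:"):
            yield parse_summary(line)


def gate(counts: Dict[str, int], max_high: int = 0, max_critical: int = 0) -> bool:
    """True when a single target is within the allowed HIGH/CRITICAL budget."""
    return counts["HIGH"] <= max_high and counts["CRITICAL"] <= max_critical


def report_passes(report: str, max_high: int = 0, max_critical: int = 0) -> bool:
    """Fail the build if any target exceeds the budget; error if nothing was scanned."""
    summaries = list(iter_summaries(report))
    if not summaries:
        raise ValueError("no 'Total:' summary line found; was the scan run?")
    return all(gate(c, max_high, max_critical) for c in summaries)
```

In a Jenkins step the same policy can be applied without parsing by running `trivy image --severity HIGH,CRITICAL --exit-code 1 IMAGE`, which exits non-zero when any finding of those severities is present.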