Open jawnsy opened 1 year ago
Sweet, thanks for the excellent ticket. There are two different base image types, we'll probably want scanning for both. Do we only want to scan releases or should we scan development images too?

For releases, we can do the following tags:

    prefect:2-latest
    prefect:2-latest-conda

This would only cover Python 3.10, but I presume their images are consistent across Python versions.

For development, we aren't publishing a latest tag so we could use the SHA for the Python 3.10 images, but I'm down to just enable a latest tag and do:

    prefect-dev:latest
    prefect-dev:latest-conda

First check
Description
To help the security team monitor risks in the images we publish, we should add a step to our build pipeline that scans images and uploads results to CodeQL. We use Trivy to do this elsewhere.
I can take this on, but require some help identifying a tag we can use (we need a single image tag generated during the build that we can pass to trivy, but there are a number of conditionals in docker-builds.yaml so I'm unclear which tag to use)
I believe this requires a few things:

- `load: true` passed to build-push-action, to load the image from BuildKit into the system docker
- the `security-events: write` permission, required for CodeQL

Impact
We'll have container scan reports uploaded to our Security tab in our GitHub repository. Our security team monitors the vulnerabilities listed there to triage them.
Additional context
No response
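The two pieces the issue body asks for (a single locally loaded tag and the `security-events: write` permission) wired into one workflow, as an added example that is not part of the Prefect repository or this issue. The Dockerfile path, the scan-only tag `prefect-scan:ci` and the action versions are assumptions; the tag is a constructed placeholder, not one of the published tags discussed above.

```yaml
# Added example workflow (not from the Prefect repo): build one image into the
# local docker daemon, scan it with Trivy, upload the SARIF to Code Scanning.
# Assumptions: Dockerfile at the repository root; prefect-scan:ci is a
# constructed scan-only tag that is never pushed to a registry.
name: container-scan

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # needed by codeql-action/upload-sarif

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-buildx-action@v3

      # load: true moves the BuildKit result into the system docker, so the
      # scanner can reference one predictable tag regardless of the release
      # tagging conditionals used elsewhere in the build.
      - uses: docker/build-push-action@v5
        with:
          context: .
          push: false
          load: true
          tags: prefect-scan:ci

      # exit-code defaults to 0, so findings are reported rather than failing
      # the build; the Security tab (not the job status) is the triage surface.
      - uses: aquasecurity/trivy-action@0.24.0
        with:
          image-ref: prefect-scan:ci
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH
          ignore-unfixed: true

      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
          category: trivy-image   # keeps image findings distinct from CodeQL source alerts
```

Covering the conda variant means a second matrix entry with its own build arguments and its own `category`, so the two reports do not overwrite each other in the Security tab.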