Threagile / threagile

Agile Threat Modeling Toolkit
https://threagile.io
MIT License

Fix anchore scan for pull requests #53

Closed ldallmayr closed 4 months ago

ldallmayr commented 6 months ago

Currently, running the anchore scan on pull requests does not scan the changed files from the pull request. Instead, it uses the Dockerfile, where the main repo https://github.com/Threagile/threagile.git is being cloned.

In order to properly scan the pull request, I refactored Dockerfile.local and used it in the GitHub Action. Now the actual changes from the pull request are considered in the scan.

One possibly controversial change is the option fail-build: false in .github/workflows/anchore-analysis.yml. This allows the build to succeed while still reporting the found vulnerabilities in the Security tab. For example, currently there are vulnerabilities in Alpine Linux that do not have a fix available. Most of the time this cannot be avoided.

Generally I would recommend only having one Dockerfile and removing the docker-build-*.sh files or moving them to a non-default branch. If someone wants to build from the master branch, simply using git stash --include-untracked and git checkout master should be enough to build the main container file.

I would recommend versioning and automatically pushing the image to Dockerhub instead though. If the maintainers are interested in this I could help setting that up.
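As an added illustration (not the PR's actual anchore-analysis.yml), a workflow shaped like the fix described above: build from the checked-out PR sources via Dockerfile.local, scan without failing the build, and upload the SARIF so findings land in the Security tab. The action versions, image tag, severity cutoff and the only-fixed input are assumptions, not taken from the PR.

```yaml
name: Anchore container scan

on:
  push:
    branches: [master]
  pull_request:

permissions:
  contents: read
  security-events: write   # required to upload SARIF to the Security tab

jobs:
  anchore-scan:
    runs-on: ubuntu-latest
    steps:
      # On pull_request events actions/checkout checks out the PR's merge
      # commit, so the image built below contains the contributor's changes
      # instead of a fresh clone of upstream master.
      - uses: actions/checkout@v4

      # Build from the local working tree (Dockerfile.local) rather than a
      # Dockerfile that git-clones the main repository inside the image.
      - name: Build image from the checked-out sources
        run: docker build -f Dockerfile.local -t threagile-pr-scan:${{ github.sha }} .

      - name: Scan image with Anchore (Grype)
        id: scan
        uses: anchore/scan-action@v3
        with:
          image: threagile-pr-scan:${{ github.sha }}
          # Report findings without blocking the merge: base-image CVEs
          # with no fix available would otherwise fail every build.
          fail-build: false
          severity-cutoff: high
          # Stricter alternative (assumed input of scan-action v3) that
          # still tolerates unfixable base-image CVEs:
          # fail-build: true
          # only-fixed: true

      # Publish results so they appear under the repository's Security tab,
      # even when the scan step reports findings.
      - name: Upload scan results
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
```

With fail-build: false the findings are visible but not enforced, so the Security tab (or a separate policy job) is where unfixed CVEs need to be reviewed.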

ezavgorodniy commented 6 months ago

Hi Leonard,

If the maintainers are interested in this I could help setting that up.

I know the PR is not the best place to try to make contact; however, I couldn't send you a request via LinkedIn (https://www.linkedin.com/in/yevhen-zavhorodnii-40773132/) because we don't have common connections, and I couldn't find an alternative way to connect. Could you please suggest the best way to contact you?

I'm not officially a maintainer of the project; however, I personally, as well as my company, am very interested in it, and I am chatting now with the author and other contributors about the way to maintain/contribute.

joreiche commented 5 months ago

@ldallmayr I merged your changes into my fork so they are part of PR #57. Thank you for your contribution.

joreiche commented 4 months ago

This PR has been resolved with #57.