Closed ldallmayr closed 4 months ago
Hi Leonard,
> If the maintainers are interested in this I could help set that up.
I know the PR is not the best place to try to make contact, however I couldn't send you a request via LinkedIn (https://www.linkedin.com/in/yevhen-zavhorodnii-40773132/) because we don't have common connections and I couldn't find an alternative way to connect. Could you please suggest the best way to contact you?
I'm not officially a maintainer of the project; however, I personally, as well as my company, am very interested in it and am chatting now with the author and other contributors about the way to maintain/contribute.
@ldallmayr I merged your changes into my fork so they are part of PR #57. Thank you for your contribution.
This PR has been resolved with #57.
Currently, running the anchore scan on pull requests does not scan the changed files from the pull request. Instead it uses the `Dockerfile`, where the main repo https://github.com/Threagile/threagile.git is being cloned. In order to properly scan the pull request I refactored `Dockerfile.local` and used it in the GitHub action. Now the actual changes from the pull request are considered in the scan.

One possibly controversial change is the option `fail-build: false` in `.github/workflows/anchore-analysis.yml`. This allows the build to succeed while still reporting the found vulnerabilities in the Security tab. For example, currently there are vulnerabilities in Alpine Linux that do not have a fix available. Most of the time this cannot be avoided.

Generally I would recommend only having one Dockerfile and removing the `docker-build-*.sh` files or moving them to a non-default branch. If someone wants to build from the master branch, simply using `git stash --include-untracked` and `git checkout master` should be enough to build the main container file. I would recommend versioning and automatically pushing the image to Dockerhub instead though. If the maintainers are interested in this I could help set that up.
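The workflow below is an added illustration of the two points in this description (building the scanned image from the pull request checkout rather than from a clone of master, and reporting findings without failing the job); it is not the Threagile repository's actual `anchore-analysis.yml`. It assumes the `anchore/scan-action@v3` input names (`image`, `fail-build`, `severity-cutoff`, `only-fixed`) and its `sarif` output, an image tag of my choosing, and a `Dockerfile.local` that builds from the local source tree.

```yaml
# Added example, not the project's own workflow. Assumptions: anchore/scan-action@v3
# input/output names, the image tag localbuild/threagile:pr, and a Dockerfile.local
# that copies the checked-out source instead of cloning the upstream repo.
name: Anchore container scan

on:
  pull_request:
  push:
    branches: [master]

permissions:
  contents: read
  security-events: write   # needed to publish SARIF results to the Security tab

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Build from the checked-out PR source. A Dockerfile that git-clones master
      # would scan master, not the changed files.
      - name: Build image from pull request source
        run: docker build -f Dockerfile.local -t localbuild/threagile:pr .

      # Report everything, but do not fail the job: unfixable base-image CVEs
      # (e.g. in Alpine) would otherwise block every pull request.
      - name: Scan image (report only)
        id: scan
        uses: anchore/scan-action@v3
        with:
          image: localbuild/threagile:pr
          fail-build: false
          severity-cutoff: high

      # Stricter variant: fail only on findings that already have a fix available,
      # so the gate stays meaningful while unfixable findings remain visible above.
      - name: Gate on fixable findings
        uses: anchore/scan-action@v3
        with:
          image: localbuild/threagile:pr
          fail-build: true
          severity-cutoff: high
          only-fixed: true

      # Upload even when the gate step fails, so the Security tab always has the report.
      - name: Upload SARIF report
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
```

The first scan step keeps the behaviour this PR proposes (`fail-build: false`); the second step shows how to keep a hard gate without being blocked by findings that have no fix yet, which is the trade-off the description calls controversial.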