Open grzesuav opened 5 years ago
We should identify the scope of which Docker containers we want to scan and where and when. My understanding is that we currently:
1. via openjdk-build scripts, we run the build in a docker container to test that our "build in a docker container" functionality works for users outside of Adopt (as in Adopt we currently build on 'bare metal' (or close enough to it). This functionality isn't well tested/maintained and we don't release these via our API or website.
2. via openjdk-docker we create docker builds using various linux distros as baselines and provide slim versions, full versions etc. The results of these docker builds are pushed to DockerHub
3. via openjdk-tests (and friends) we do a host of testing using underlying docker containers to host the env / tests
So my question which of these do we want to scan and when/why.
I would suggest that the most beneficial would be to hook it into 2. as :
OK, given snyk is enabled for that repo - does that integration not check the resulting image? Or does the GitHub integration not scan containers?
github integration does not scan Dockerfiles/images
Do we need this on all the machines or is there a limited number of systems we're planning to run this on?
not sure, probably best to start with machines used to build linux images. @karianna any thoughts ?
I'd say linux for any docker related builds.
OK I've put it on for the jenkins user on build-scaleway-ubuntu1604-x64-2 which is where the x86 docker builds are generally done. If you source $HOME/.nvm/nvm.sh
that should activate it in whatever scripts you need it. I would suggest that you check for the presence of that at the start and warn/abort/do nothing as appropriate based on your requirements.
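The "check for the presence of that at the start and warn/abort/do nothing" advice above, written out as an added shell example (not code from the thread or from the openjdk-docker scripts). It assumes the nvm init script path given in the comment, that snyk was installed through nvm's node, and the `snyk test --docker <image>` form of the CLI from that era (newer CLIs use `snyk container test`); the image name is a placeholder. The point is that a build box without nvm/snyk skips the scan with a warning instead of failing the image build:

```shell
#!/usr/bin/env sh
# Added example: activate an nvm-installed snyk if present, otherwise skip scanning.

# Source the nvm init script at $1 (default: the path used on the build box).
# Returns 0 on success, 1 if the script is missing or fails to source.
activate_nvm() {
    nvm_script="${1:-$HOME/.nvm/nvm.sh}"
    if [ ! -r "$nvm_script" ]; then
        return 1
    fi
    # shellcheck disable=SC1090
    . "$nvm_script" || return 1
    return 0
}

# Prints "scan" when nvm sourced cleanly and a snyk binary is on PATH,
# "skip" otherwise. Never returns non-zero, so a missing tool cannot fail the build.
snyk_scan_mode() {
    if activate_nvm "$1" && command -v snyk >/dev/null 2>&1; then
        echo scan
    else
        echo skip
    fi
}

# Scan a freshly built image only when snyk is usable; warn and continue otherwise.
# $1 = image name (placeholder, e.g. adoptopenjdk/example:tag), $2 = optional nvm script path.
scan_image_if_possible() {
    image="$1"
    case "$(snyk_scan_mode "$2")" in
        scan) snyk test --docker "$image" ;;
        skip) echo "WARNING: snyk not available, skipping scan of $image" >&2 ;;
    esac
}
```

Call `scan_image_if_possible "$IMAGE"` right after the `docker build` step; with the snyk exit code passed through, a vulnerable image still fails the job on machines where the tool is installed, while other machines only log the warning.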
@grzesuav - Are you able to test this out now?
hi, just finishing https://github.com/AdoptOpenJDK/openjdk-docker/pull/263 and I will switch to this, hopefully this weekend
@sxa555 how can I test if code on my branch will execute properly? Is there any way I can run my branch (PR above) to check how it behaves?
I would imagine I need to perform https://support.snyk.io/hc/en-us/articles/360003812458-Getting-started-with-the-CLI with nvm which is :
`snyk` scan command after image is built
`snyk monitor` on image push to repository
Is this still in progress and blocked?
@sxa the question is do we want to continue with snyk analysis for docker images
In order to enable `snyk` analysis, I would need `nvm` installed, to use it for installing `npm` and `snyk`