Closed Eeebru closed 11 months ago
Checkmarx One – Scan Summary & Details – acc12f21-3ece-4827-b402-c59a21571858
What is the purpose of this workflow? Do we need the ability to push any image manually to Docker Hub?
This is only used when we create a new repository on DH to test if the signing is working.
To make this more secure, can the workflow have all inputs removed and pinned for mssqlmigratorutility and then move this whole workflow over to the devops repository? I can see this being an issue if someone runs the workflow with the wrong image/tag and deploys a signed image to one of our Docker Hub repositories.
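As an added illustration (not the repository's own workflow, and not the reviewer's code), the two shapes being discussed: a dispatch workflow whose free-form `image`/`tag` inputs can point the signing step at any Docker Hub repository, and the pinned variant with the inputs removed and the image fixed to `mssqlmigratorutility`. The `<org>` namespace, the `signing-test` tag, the secret names and the cosign signing commands are assumptions chosen for the example.

```yaml
# Added example: before/after shape of a "test that image signing works" workflow.
# <org>, the signing-test tag, the secret names and the cosign steps are assumptions.

# --- Before: whatever image/tag the caller types in gets built, signed and pushed ---
name: Test Docker Hub signing (before)
on:
  workflow_dispatch:
    inputs:
      image:
        description: "Docker Hub repository to push to"   # any repo in the org
        required: true
      tag:
        description: "Tag to push"                         # any tag, e.g. latest
        required: true
jobs:
  push-and-sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}      # assumed secret names
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - uses: sigstore/cosign-installer@v3
      - name: Build, push and sign caller-chosen image
        run: |
          IMAGE="<org>/${{ inputs.image }}:${{ inputs.tag }}"
          docker build -t "$IMAGE" .
          docker push "$IMAGE"
          # A wrong input here signs and overwrites a production tag.
          DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE")
          cosign sign --yes "$DIGEST"
---
# --- After: no inputs; the only image the workflow can touch is the pinned test one ---
name: Test Docker Hub signing (pinned)
on:
  workflow_dispatch: {}      # still manual, but nothing for the caller to choose
env:
  IMAGE: <org>/mssqlmigratorutility:signing-test   # pinned repo and a dedicated test tag
jobs:
  push-and-sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - uses: sigstore/cosign-installer@v3
      - name: Build, push and sign the pinned test image
        run: |
          docker build -t "$IMAGE" .
          docker push "$IMAGE"
          # Sign by digest so the signature is bound to exactly what was pushed.
          DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE")
          cosign sign --yes "$DIGEST"
      - name: Verify the signature round-trips
        run: cosign verify "$IMAGE"   # fails the run if signing did not work
```

The pinned form keeps the run manual but leaves no parameter that could redirect a signed push at another repository or tag; the dedicated `signing-test` tag also keeps the test from overwriting anything a deployment might pull.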
Okay, will update the workflow to reference only mssqlmigratorutility; however, Joseph suggested the workflow be here. We can have the conversation in our team sync.
Hello @vgrassia, at the team sync yesterday, Joseph said he would leave me to make the decision of where this test wf should be. I am of the opinion that self-host is the only place where we are pushing any images to DH, so it makes sense if we leave this workflow in this repo, instead of DevOps repo. It will also be pretty redundant, since it would only be run when we add repos to DH, leaving it in the DevOps repo means we might delete it along the line when it's not being used.