buerokratt / POC-DMR.Cross-functional-requirements

Cross-functional requirements to take into account when developing or planning to develop Bürokratt's custom base components
MIT License

Security: Implement Passive Container Rescans #93

Open guypritchard opened 2 years ago

guypritchard commented 2 years ago

As containers 'age' in production, existing mechanisms for container scanning during the publishing phase may not help us, particularly for projects with containers which are not being actively developed.

A mechanism to scan containers in the GitHub container registry would be ideal here. The current production containers would be scanned as part of this.

Note: This is quite often a paid service.

Snyk has an approach here.

https://docs.snyk.io/products/snyk-container/image-scanning-library/github-container-registry-image-scanning/scan-container-images-from-github-container-registry-in-snyk

...other approaches are available.

Acceptance Criteria

decodingahmed commented 2 years ago

Possible approach to consider

Create a new workflow that triggers using a schedule trigger to periodically start the scan (cron format): https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule

This might be a cost-free alternative that might warrant investigating.
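The scheduled-workflow approach above, as an added example that is not part of the buerokratt repository or either comment: a GitHub Actions workflow that runs on a cron schedule, pulls images already published to ghcr.io and scans them as they exist in the registry. The image names and tags are placeholders, and Trivy stands in for the scanner (the Snyk action linked in the issue could take its place).

```yaml
# Added example (not the project's own workflow): periodic rescan of images
# that are already published to the GitHub container registry.
name: Passive container rescan

on:
  schedule:
    # Every Monday at 03:00 UTC, in the cron format the GitHub docs describe
    - cron: "0 3 * * 1"
  workflow_dispatch:      # allow a manual run while testing the workflow

permissions:
  contents: read
  packages: read          # pull private images from ghcr.io
  security-events: write  # upload SARIF results to the Security tab

jobs:
  rescan:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false    # keep scanning the other images if one fails
      matrix:
        # Placeholder image names: replace with the images currently deployed
        # to production, pinned to the tags actually running there.
        image:
          - ghcr.io/owner/image-a:1.2.3
          - ghcr.io/owner/image-b:4.5.6
    steps:
      - name: Log in to the GitHub container registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Pull the image as it currently exists in the registry
        run: docker pull "${{ matrix.image }}"

      # Trivy is used here as a scanner with no paid tier required; the Snyk
      # container action linked in the issue could replace this step.
      - name: Scan the pulled image for known vulnerabilities
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ matrix.image }}
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH
          exit-code: "1"  # fail the job so the scheduled run surfaces regressions

      - name: Upload results to the repository Security tab
        if: always()      # upload even when the scan step failed on findings
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
```

A failed scheduled run, together with the uploaded SARIF, is what turns an image that was clean at publish time but has since accumulated known vulnerabilities into a visible finding.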