Open DnPlas opened 2 days ago
Thank you for reporting your feedback to us!
The internal ticket has been created: https://warthogs.atlassian.net/browse/KF-6331.
This message was autogenerated
Based on feedback from @misohu, the way to better approach this enhancement proposal is to have the scans closer to the source (each rock repository) instead of a central place.
@misohu also pointed out that rocks are already being scanned on_push and on_pull by the canonical/charmed-kubeflow-workflows/.github/workflows/get-rocks-modified-and-build-scan-test-publish.yaml@main workflow, so scans are already happening at the rock level, but vulnerabilities are not being reported and not being constantly tested.
I am editing the original proposal in the description of this issue to match the above.
Context
As the team grows its offerings, security vulnerabilities must be scanned and reported effectively so the team can address them in an appropriate time. Currently, the only repository that has a Github workflow for scanning oci-images and getting reports is canonical/bundle-kubeflow using the scan-images.yaml workflow. While working correctly at the moment, this workflow presents the following limitations:
get-all-images.py script depends on scripts present in each repository to generate a list of images per repo. The problem with this is that 1) not all repos have this script (e.g. mlflow), 2) this script is tightly coupled to the host repo.
canonical/kubeflow-ci. This is problematic because 1) it creates a maintenance task, 2) they are doing something that actions like aquasecurity/trivy-action@0.20.0 are already providing.
mlflow-operator repository.
Proposal
Create a re-usable workflow for scanning oci-images that:
aquasecurity/trivy-action@0.20.0 to scan and generate reports for each of the images under scan
Please NOTE that part of this proposal is to only scan images that the Analytics team maintains. This is because the images that charms use that come from upstream cannot be patched by us.
Limitations
1. There is no other way of fetching the images that each charm uses, so for now we'll stick to using the get-all-images.py script.
2. ~~oci-factory and outsource all the vulnerability scans and reports.~~ The workflows will live at rocks repo level, so this is not a limitation anymore.
Out of scope
Example
What needs to get done
Create a re-usable workflow for getting images used by any rock, scanning them for vulnerabilities, and reporting found vulns following the example in https://github.com/canonical/bundle-kubeflow/pull/1087/files#diff-327280cbc65c9de9998db8b0e5d1c937ccf75524907e5f9d026304ca85146f53
Definition of Done
There is a re-usable workflow that any of the charming products of this team can use.
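The kind of re-usable workflow the proposal describes, as an added example (not code from this issue or from the canonical repositories): it takes a JSON array of image references as a workflow_call input, scans each with aquasecurity/trivy-action@0.20.0, uploads a report, and fails the job while fixable vulnerabilities remain. The `images` and `severity` input names, the file path and the SARIF upload to code scanning are my assumptions.

```yaml
# Reusable image-scan workflow (hypothetical path: .github/workflows/scan-images.yaml)
name: Scan OCI images
on:
  workflow_call:
    inputs:
      images:
        description: 'JSON array of image references to scan'
        required: true
        type: string
      severity:
        description: 'Severities that fail the job (comma-separated)'
        required: false
        type: string
        default: 'CRITICAL,HIGH'
permissions:
  contents: read
  security-events: write   # required to upload SARIF to code scanning

jobs:
  scan:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false       # keep scanning the other images if one fails
      matrix:
        image: ${{ fromJSON(inputs.images) }}
    steps:
      # Report: write SARIF and upload it so findings appear under the Security tab
      - name: Scan ${{ matrix.image }} and produce a report
        uses: aquasecurity/trivy-action@0.20.0
        with:
          image-ref: ${{ matrix.image }}
          format: sarif
          output: trivy-results.sarif
          ignore-unfixed: true   # skip findings with no fixed version available yet

      - name: Upload report to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
          category: trivy-${{ matrix.image }}

      # Gate: fail the job while fixable vulnerabilities at the chosen severities remain
      - name: Fail on ${{ inputs.severity }} vulnerabilities
        uses: aquasecurity/trivy-action@0.20.0
        with:
          image-ref: ${{ matrix.image }}
          exit-code: '1'
          ignore-unfixed: true
          severity: ${{ inputs.severity }}
```

A caller (for example a rock repository's own workflow) references it with `uses: <org>/<repo>/.github/workflows/scan-images.yaml@main` and passes the list produced by get-all-images.py as `images: '["<image-ref>"]'`, where `<org>`, `<repo>` and `<image-ref>` are placeholders.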