cloud-native-toolkit / planning

This is the planning repo to manage the cross-project Epics, Issues, Tasks and Bugs.

Update Starter Kits to pass vulnerability scanning #780

Open bwoolf1 opened 3 years ago

bwoolf1 commented 3 years ago

The build pipelines can optionally scan the image for vulnerabilities before deploying. Many (all?) of our Starter Kits do not pass. Let's see if we can update them to pass vulnerability scanning.

For example, Tekton task ibm-img-scan does vulnerability scanning, using different scanners depending on the Toolkit's configuration.

THIS IS NOT A REQUIREMENT FOR IMAGE CERTIFICATION, but is a nice-to-have. If getting this working becomes too difficult, it may not be a high enough priority to fix. But if the Toolkit can't make images for Hello World apps that pass vulnerability scanning, what chance do users with real applications have?

This issue and/or issue #779: Update Dockerfiles to build from latest UBIs may be a duplicate of issue #772: Provide clean versions of the base images from RedHat that will pass Vulnerability Advisor scan.

bwoolf1 commented 3 years ago

Info on vulnerability scanning in OCP: Scanning pods for vulnerabilities

bwoolf1 commented 3 years ago

Each pipeline, such as ibm-nodejs, has a scanning task that runs ibm-img-scan. Notice two of the task's parameters are scan-trivy and scan-ibm. These indicate whether to run Trivy (which I think the Toolkit installs itself, so it may not be using the scanner in OCP/Quay) or the Vulnerability Advisor in ICCR.

Ideally, we'd like the images that the Toolkit builds to pass both/all scanners (whichever one(s) the user chooses).
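The pass/fail decision that a scanning task like ibm-img-scan has to make, as an added example; this is neither the Toolkit's own task code nor Trivy's. It assumes the scan was run as `trivy image --format json --output report.json <image>` and that the report has Trivy's `Results[].Vulnerabilities[]` layout; the sample report embedded below is constructed, with placeholder identifiers, not real scan output. The gate fails on findings at or above a severity threshold and can optionally skip findings for which the distribution has not yet shipped a fix, which is the usual reason a freshly pulled base image still fails a scan (the situation issue #772 describes).

```python
"""Gate a container-image build on a Trivy JSON report.

Added example, not code from the cloud-native-toolkit project or from
Trivy. Assumes the report was produced by
    trivy image --format json --output report.json <image>
and has the Results[].Vulnerabilities[] layout of Trivy's JSON output.
"""
import json
import sys
from collections import Counter

# Trivy's severity labels, lowest to highest; anything else ranks as UNKNOWN.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def severity_rank(severity):
    sev = (severity or "UNKNOWN").upper()
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0


def findings(report):
    """Flatten Results[].Vulnerabilities[] into one list of plain dicts.

    Trivy emits null (not an empty list) for a target with no findings,
    so both keys are read with `or []`.
    """
    out = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            out.append({
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": (vuln.get("Severity") or "UNKNOWN").upper(),
                "target": result.get("Target", ""),
            })
    return out


def gate(report, min_severity="HIGH", ignore_unfixed=False):
    """Return (passed, blocking): blocking lists the findings that fail the gate.

    ignore_unfixed=True drops findings with no FixedVersion, i.e. ones the
    image author cannot remove by updating packages. Use it deliberately:
    it hides real exposure in exchange for a build that can actually pass.
    """
    threshold = severity_rank(min_severity)
    blocking = []
    for f in findings(report):
        if severity_rank(f["severity"]) < threshold:
            continue
        if ignore_unfixed and not f["fixed"]:
            continue
        blocking.append(f)
    return (len(blocking) == 0, blocking)


def summarize(report):
    """Count findings per severity, e.g. {'HIGH': 1, 'CRITICAL': 1}."""
    return dict(Counter(f["severity"] for f in findings(report)))


# Constructed sample report: placeholder IDs and package names, not a real scan.
SAMPLE_REPORT = {
    "ArtifactName": "example.invalid/team/hello-world:1.0.0",
    "Results": [
        {
            "Target": "example.invalid/team/hello-world:1.0.0 (redhat 8.4)",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "examplecurl",
                 "InstalledVersion": "7.0-1", "FixedVersion": "7.0-2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "LOW"},
            ],
        },
        {"Target": "Node.js", "Vulnerabilities": None},  # clean target
    ],
}


def main(argv):
    """Usage: gate.py [report.json] [MIN_SEVERITY] [--ignore-unfixed]; exit 1 on failure."""
    args = [a for a in argv if a != "--ignore-unfixed"]
    report = json.load(open(args[0])) if args else SAMPLE_REPORT
    min_sev = args[1] if len(args) > 1 else "HIGH"
    passed, blocking = gate(report, min_sev, "--ignore-unfixed" in argv)
    print("findings by severity:", summarize(report))
    for f in blocking:
        fix = f["fixed"] or "no fix available"
        print(f"BLOCK {f['severity']:8} {f['id']} {f['pkg']} {f['installed']} -> {fix} [{f['target']}]")
    print("scan gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run without arguments it evaluates the constructed report and fails on two findings; with `--ignore-unfixed` only the fixable CRITICAL one blocks, which is what a UBI-based image typically looks like after the base has been refreshed but before an upstream errata lands. Trivy itself accepts `--severity`, `--ignore-unfixed` and `--exit-code` to do the same filtering on the command line; a separate gate like this one is only worth having where the task must apply one policy to reports from more than one scanner.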