Closed fhrbata closed 11 months ago
This is how the report and workflow looks like in my private fork https://github.com/fhrbata/idf-extra-components/actions/runs/6309525206/job/17129607763
Thanks for adding this!
One question: how will this action notify us if it finds any vulnerabilities?
@mahavirj The command exits with 1 if a vulnerability is found. So my expectation was that the pipeline fails and an email with info about the failed pipeline will be sent. But I cannot see how to customize this. Meaning I don't see this possibility in the notification settings. I was hoping people would be able to set a notification for this failed pipeline, but this doesn't seem possible.
But I have very limited experience with GitHub, so maybe it's somehow possible and I just don't know how.
One quick thought is that maybe we can store some email address in secrets and explicitly send the report to that address if the check fails (finds some new vulnerability).
I might also suggest that we set up a simple webhook in Mattermost, so that when the action fails, it notifies us on some channel.
@igrr Thank you very much for the suggestion. IIUC we would set up an incoming webhook in Mattermost and use e.g. the Mattermost notify action in the workflow to post a message into the Mattermost channel if the workflow fails, or am I missing something? Thank you
@igrr I guess we would like to use something like this in GL also, so maybe just sending the msg from the jobs with curl would be enough. Do you want this to be handled as part of this PR or can it be handled in a follow-up PR? Thank you
@mahavirj Would some mattermost channel work for you as a source for the notifications? Thank you
@fhrbata Yeah, that sounds good to me.
Hi @mahavirj I needed to update this PR, but now it should hopefully be all set. I tested both cases (ok, failed) in my private fork and the testing Mattermost channel. The esp-idf-sbom changes are also published. Thank you!
Checklist

- url field defined

Change description
esp-idf-sbom allows scanning a whole repository/directory for all possible manifest files (idf_component.yml, sbom.yml and its referenced manifests, .gitmodules) and checking them for possible vulnerabilities based on the cpe variable in the manifest.

This adds a scheduled scan at every midnight and also an ad hoc (dispatch workflow) run allowing scanning on demand.
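The pieces discussed in this thread (a nightly plus on-demand esp-idf-sbom scan that fails the job on a non-zero exit code, and a Mattermost incoming-webhook message posted with curl when it fails) put together as one GitHub Actions workflow. This is an added example, not the workflow file from this PR or from idf-extra-components; the `esp-idf-sbom manifest check .` invocation, the `MATTERMOST_WEBHOOK_URL` secret name and the message text are assumptions made for illustration.

```yaml
# Added example (not the PR's own workflow): nightly + on-demand vulnerability
# scan of all manifests with esp-idf-sbom, with a Mattermost notification on failure.
# Assumed for illustration: the `esp-idf-sbom manifest check` subcommand and the
# MATTERMOST_WEBHOOK_URL secret name.
name: Vulnerability scan (esp-idf-sbom)

on:
  schedule:
    - cron: '0 0 * * *'   # every midnight (UTC)
  workflow_dispatch:       # ad hoc run from the Actions tab

permissions:
  contents: read           # the scan only reads the checkout

jobs:
  sbom-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive   # entries from .gitmodules are scanned as well

      - uses: actions/setup-python@v4
        with:
          python-version: '3.11'

      - name: Install esp-idf-sbom
        run: pip install esp-idf-sbom

      - name: Scan manifests for known vulnerabilities
        # Exits with 1 when a vulnerability is found, which fails this job
        # and therefore the workflow run.
        run: esp-idf-sbom manifest check .

      - name: Notify Mattermost on failure
        if: failure()          # runs only when a previous step failed
        env:
          WEBHOOK_URL: ${{ secrets.MATTERMOST_WEBHOOK_URL }}   # assumed secret name
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          # Build the JSON body with jq so the text is properly quoted;
          # a Mattermost incoming webhook accepts {"text": "..."}.
          payload=$(jq -n \
            --arg text ":warning: esp-idf-sbom found vulnerabilities in ${GITHUB_REPOSITORY}: ${RUN_URL}" \
            '{text: $text}')
          curl --fail --silent --show-error \
            -X POST -H 'Content-Type: application/json' \
            -d "$payload" "$WEBHOOK_URL"
```

Keeping the webhook URL in a repository secret rather than in the workflow file matters because an incoming webhook URL is a bearer credential: anyone holding it can post to the channel. The `if: failure()` condition keeps the channel quiet on clean runs, and because the scan step itself is what fails, the scheduled run still shows up as failed in the Actions tab even if the notification step cannot reach Mattermost.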