Open aaronreed708 opened 9 months ago
Can I be assigned this issue?
I have assigned you the issue. I look forward to hearing your proposal!
@aaronreed708
The current workflow which is being used "crazy-max/ghaction-container" does not support the ignoring of certain vulnerabilities. This is being addressed in an issue created Link.
So the solution would be to use a different workflow like aquasecurity/trivy-action which supports the use of the --ignore-unfixed flag and the use of a .trivyignore file.
Then the only thing remaining would be to add the workflow in the publish-docker.yml file and adding the failing workflows in the ignore section.
@aaronreed708 please have a look at this
Sorry @aarishshahmohsin, I missed the email notification of your comment. I think that this sounds like a good plan!
Should I submit a PR?
Sorry, missed it again. Yes, please submit the PR. Ping me on Slack when it is ready; hopefully I won't miss that!
Problem/Concern
As discussed in #742, we will be disabling Docker vulnerability scanning until such time that we can establish the scanning with whitelisting supported. This issue is to do the work to find and implement a solution that supports whitelisting.
Proposed Solution
Re-enable Docker vulnerability scanning when a solution is found.
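The scanner swap proposed in the comments above, shown as a workflow job that fails the build on findings while honouring `ignore-unfixed` and a `.trivyignore` file. This is an added example, not the project's publish-docker.yml; the workflow name, branch, job id, image reference and the CVE id in the ignore file are assumptions or placeholders.

```yaml
# Added example: image scan with an explicit, reviewable ignore list.
# Assumed: workflow name, branch, job id, IMAGE_REF. None of these come from the project.
name: publish-docker
on:
  push:
    branches: [main]            # assumed branch name

jobs:
  scan-image:                   # hypothetical job id
    runs-on: ubuntu-latest
    env:
      IMAGE_REF: example-org/example-image:${{ github.sha }}   # placeholder image
    steps:
      - uses: actions/checkout@v4

      - name: Build image to scan
        run: docker build -t "$IMAGE_REF" .

      - name: Scan image with Trivy
        # Pin to a reviewed release tag or commit SHA rather than a moving branch.
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.IMAGE_REF }}
          format: table
          exit-code: '1'              # fail the job on any finding that is not ignored
          severity: CRITICAL,HIGH     # only these severities gate the build
          ignore-unfixed: true        # skip vulnerabilities with no fixed version yet
          trivyignores: .trivyignore  # per-finding exceptions, kept under version control

# .trivyignore (repository root): one vulnerability ID per line, '#' starts a comment.
# Record why each entry was accepted so it can be removed once a fix ships.
#
#   # accepted pending base image update, tracked in <issue link>
#   CVE-0000-00000        <- placeholder ID, not a real finding
```

Because `.trivyignore` lives in the repository, every exception goes through pull-request review, and the scan keeps gating publication for everything that is not listed.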