finos / traderX

https://demo.traderx.finos.org/
Apache License 2.0

Add ci image vulnerability scanner #227

Closed willtsai closed 3 days ago

willtsai commented 3 days ago

Adding a CI image vulnerability scanner to the project as per comments in https://github.com/finos/traderX/pull/225#issuecomment-2368876109

netlify[bot] commented 3 days ago

Deploy Preview for lucky-concha-f3599f canceled.

Latest commit: f891e792901213a717d1b6004018404e00dbb745
Latest deploy log: https://app.netlify.com/sites/lucky-concha-f3599f/deploys/66f3453829262f0008ca555e
willtsai commented 3 days ago

@maoo please take a look at this - I think we have some other options in terms of image scanners. I've added the one you suggested in https://github.com/finos/traderX/pull/225#issuecomment-2368876109, but it looks like there is an "official" image scanner from Trivy, actions/aqua-security-trivy. Let me know which one you'd prefer to use for this; it should be easy to swap them out.

willtsai commented 3 days ago

@maoo - actually, I've noticed that there is already a scanner in place for the dockerfiles here .github/workflows/security.yml -- do you still think we need to add it here as a part of the image publishing job? Or is scanning the dockerfiles on a scheduled cadence good enough already?

DovOps commented 3 days ago

I'd put a scan into the publishing job as well so that it only publishes when the scan is successful. We can keep it in both locations so we find out periodically as well as when attempting to publish.
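The gating arrangement DovOps describes (scan the freshly built image and only push it when the scan passes) looks like the following GitHub Actions job. This is an added illustration, not the traderX project's own workflow or the code in this PR: it uses the published aquasecurity/trivy-action (the Trivy action the thread refers to), pinned to a release tag chosen here as an assumption, and the image name, registry and Dockerfile location are placeholders to be replaced with the project's real values.

```yaml
# Added example workflow; not part of the traderX repository.
# Assumptions: a Dockerfile at the repo root, pushing to GHCR, and a
# placeholder image name. Replace IMAGE with the real service image.
name: publish-image

on:
  push:
    branches: [main]

env:
  # Placeholder: GHCR requires a lowercase repository path.
  IMAGE: ghcr.io/example-org/example-service

jobs:
  build-scan-publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write          # needed to push to GHCR

    steps:
      - uses: actions/checkout@v4

      # Build the candidate image locally. Nothing is pushed at this point,
      # so a failing scan below leaves the registry untouched.
      - name: Build candidate image
        run: docker build -t "$IMAGE:${{ github.sha }}" .

      # Scan the candidate. exit-code '1' makes this step (and so the job)
      # fail when a HIGH or CRITICAL finding is present; ignore-unfixed keeps
      # findings with no available fix from blocking the publish.
      - name: Scan candidate image with Trivy
        uses: aquasecurity/trivy-action@0.24.0
        with:
          image-ref: ${{ env.IMAGE }}:${{ github.sha }}
          format: table
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: os,library
          severity: HIGH,CRITICAL

      # Steps run in order and stop at the first failure, so the login and
      # push below are only reached when the scan step succeeded.
      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Publish image
        run: docker push "$IMAGE:${{ github.sha }}"
```

Keeping this alongside the existing scheduled scan in .github/workflows/security.yml covers both cases raised in the thread: the publish-time scan blocks an image that is vulnerable at build time, while the scheduled run catches CVEs disclosed after an image has already been shipped.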