kitarp29 / kube-ez

This is a simple k8s-api project. It is built on Golang and utilises the client-go library to interact with Kubernetes Cluster. It is a plug and play solution and can be used to create a k8s-api server.
MIT License

Check for CVEs #46

Open kitarp29 opened 1 year ago

kitarp29 commented 1 year ago

Right now the CI is set up such that every successful build of the Docker image will be pushed to ghcr. But this is very risky, as I am not scanning for CVEs. Neither do I have image scanning enabled on my Docker Hub, as I am broke. So we need to find some CLI-based Docker image scanning jobs for the CI. Refer to this: Here

kitarp29 commented 1 year ago

Look into this https://github.com/marketplace/actions/docker-scout

kitarp29 commented 1 year ago

Or you can use this action directly: https://github.com/snyk/actions

kitarp29 commented 1 year ago

So I have enabled Docker Scout on my repo. It seems to be free in the early access version. (Let's see till when it is free xD) Anyway, these are the changes I saw after fixing it:

All I had to do was upgrade the base image. This means I just had to build an image so that it gets the latest of the base image. It raises a good itch in my head: I should have a CRON job for this. It runs once a month or so...

I know my CI will build and test, so functionality won't break! The only demerit I see is that the documentation will be outdated with the tag each time. And I really don't want to make any commit with a CI runner!
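A workflow that does what the two comments above ask for, building the image, gating the ghcr push on a Docker Scout CVE scan, and rebuilding monthly on a cron so a patched base layer is picked up. This is an added example, not the project's own CI; the image name and secret names are placeholders, and the scout-action inputs are taken from the action's README as known to me and should be checked against its current documentation.

```yaml
name: build-scan-push

on:
  push:
    branches: [main]
  schedule:
    # Monthly rebuild so the image picks up the latest base image layers
    - cron: "0 3 1 * *"

permissions:
  contents: read
  packages: write

env:
  # Placeholder: set to your ghcr path (must be lowercase)
  IMAGE: ghcr.io/owner/kube-ez:${{ github.sha }}

jobs:
  image:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Build into the local daemon only; nothing is pushed yet
      - uses: docker/build-push-action@v5
        with:
          context: .
          load: true
          push: false
          tags: ${{ env.IMAGE }}

      # Fail the job (non-zero exit) if any CRITICAL or HIGH CVE is found,
      # so the push step below is never reached for a vulnerable image
      - uses: docker/scout-action@v1
        with:
          command: cves
          image: ${{ env.IMAGE }}
          only-severities: critical,high
          exit-code: true
          dockerhub-user: ${{ secrets.DOCKERHUB_USER }}       # placeholder secret
          dockerhub-password: ${{ secrets.DOCKERHUB_TOKEN }}  # placeholder secret

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Only runs when the scan step exited 0
      - run: docker push "$IMAGE"
```

The scheduled run pushes a new sha-tagged image without any commit from the runner, which sidesteps the concern about CI runners committing to the repo.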

kitarp29 commented 1 year ago

Anyway, this only fixes the CVEs on the image layer. Let's plan and build something for the code level. (PS: That's what she said)

kitarp29 commented 1 year ago

Ok, so I set up Snyk to scan my codebase. Now this got really interesting! Most of the CVEs are dependency-related or Kubernetes-YAML related. It is interesting because it did not say any part of the code has a CVE 🤯

One of two things is happening here:

Anyway, my search for a code scanning tool for my CI is not done yet, then! I mean, the repo has CodeQL set up, but you know it's not the same feeling. I learned some new things today for sure.

kitarp29 commented 1 year ago

Integrate this: https://collabnix.com/how-to-integrate-docker-scout-with-github-actions/

github-actions[bot] commented 10 months ago

Stale issue message