mintel / build-harness

🤖Collection of Makefiles to facilitate building Python/Golang projects, Dockerfiles, and more
Apache License 2.0

Add container-scanner #44

Open nabadger opened 4 years ago

nabadger commented 4 years ago

I would like to integrate https://github.com/aquasecurity/trivy

We use this as part of our CI/CD pipelines on Gitlab.

A few important notes:

charlieparkes commented 4 years ago

This would be great to get. Perhaps modules/trivy. Could we build a mintel/trivy image to Docker Hub? For the whitelist, we could add a generic command in the same module like trivy/whitelist that pulls a whitelist from a git repo you specify in your Makefile. (In other words, split the whitelist stuff out from the "running trivy as a docker image.")

nabadger commented 4 years ago

There's already a dockerized trivy: https://hub.docker.com/r/aquasec/trivy/

For the whitelist, I think we need to consider the different use-cases around this, which so far seem to be:

Currently we support a combination - this will be a good topic to discuss.