caponetto
commented
1 week ago @jiridanek thanks for the review!
We can't fail the build when vulnerabilities are detected, that way we'd never have a pass. But these inforeports are not very practical to work with either, there is too much info to scan. We'd need to either reduce the number of findings the tool produces, so it is possible to read through it easily.
Yeah, I agree. I've reduced the scope to only HIGH and CRITICAL issues because the list was getting bigger if we allowed all of them. But let's see if it helps otherwise we can revisit it and try to personalize more.
Currently, this is mainly useful to check that some vulnerability we intended to fix was indeed fixed. But, then I'd have to first merge the PR to get scan on it. (Or run scan on my machine.)
We can't enable it to run for all PRs due to the amount of time it adds but now I'm thinking if we can come up with some strategy like running it if the PR has a certain label or something like that.
jiridanek
atheo89
openshift-ci[bot]
https://issues.redhat.com/browse/RHOAIENG-8779
Description
This PR introduces the usage of Trivy to scan the container images and consolidate vulnerability reports. I've configured the
Build Notebooksworkflow to be triggered daily at 2 am UTC to generate the report (the scan runs after each image is built). I didn't see the need to run it on eachpushbut we can enable it if it makes sense. Each report is uploaded to the workflow summary as soon as each individual job is completed. Finally, reports follow a markdown template.Demo
https://github.com/opendatahub-io/notebooks/assets/638737/68f92ecb-40a2-4fa9-8f19-c5037f98458d
Here is an example of workflow run where you can see real reports.
Note: I haven't added the checks for PRs because the scan operation adds an extra ~10 minutes, which would slow our PR jobs down.
How Has This Been Tested?
I've executed the workflow on my fork.
Merge criteria: