openshift-pipelines / pipeline-service

SaaS for Tekton Pipelines
Apache License 2.0

Use a package manager for installing binaries #212

Open fgiloux opened 2 years ago

fgiloux commented 2 years ago

In some of our images we download binaries with curl and copy them into the filesystem. Whenever possible, we should use a package manager for the installation. Examples: https://github.com/openshift-pipelines/pipeline-service/blob/main/images/access-setup/Dockerfile#L8-L13

Rationale: These binaries are not "visible" to image scanners, which means that CVEs may go unnoticed.

adambkaplan commented 2 years ago

+1 - all our images will need to be onboarded to HACBS, which won't let us curl | bash to install components.
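Added example for the two patterns discussed above (binaries fetched with curl and written into the filesystem, and `curl | bash` installers). This is not code from the pipeline-service repository or from HACBS; it is a small Dockerfile lint of the kind an onboarding pipeline could run to catch both patterns before image scanning happens. The sample Dockerfile it checks is constructed for the example, and its base image tag and URLs are placeholders.

```python
"""Lint Dockerfile RUN steps for binaries fetched with curl/wget outside a package manager."""
import re
from typing import List, Optional, Tuple

# Shell commands that fetch from the network.
FETCH_TOOL = re.compile(r"\b(curl|wget)\b")
# Downloaded content piped straight into a shell: the "curl | bash" installer pattern.
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")
# Downloaded content written to the filesystem (output flag, redirect, or piped into tar),
# i.e. a file the image's package database knows nothing about. The lookbehind keeps
# "2>/dev/null" style stderr redirects from counting as a file write.
UNMANAGED_WRITE = re.compile(
    r"\s(?:--output-document|--output|-o|-O)\s+\S+|(?<![0-9&])>\s*\S+|\|\s*tar\b"
)


def run_steps(dockerfile: str) -> List[Tuple[int, str]]:
    """Return (line_number, command) for every RUN instruction.

    Backslash continuations are joined, comment and blank lines are skipped
    (Docker ignores both, even inside a continued instruction) and whitespace
    is normalised so the command can be matched as one string.
    """
    steps: List[Tuple[int, str]] = []
    buf: Optional[str] = None
    start = 0
    for lineno, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if buf is None:
            if not line.upper().startswith("RUN "):
                continue
            start, buf = lineno, line[4:]
        else:
            buf += " " + line
        if buf.endswith("\\"):
            buf = buf[:-1]            # continuation: keep accumulating
        else:
            steps.append((start, " ".join(buf.split())))
            buf = None
    if buf is not None:               # file ended inside a continuation
        steps.append((start, " ".join(buf.split())))
    return steps


def find_unmanaged_fetches(dockerfile: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, command) for each fetch that bypasses the package manager.

    kind is "curl-pipe-shell" for downloads executed directly and
    "unmanaged-binary" for downloads written to the filesystem. A plain
    "microdnf install curl" triggers neither: the word curl alone is not a fetch.
    """
    findings: List[Tuple[int, str, str]] = []
    for lineno, cmd in run_steps(dockerfile):
        # Inspect each shell command of the step separately; pipes stay inside a command.
        for piece in re.split(r"&&|\|\||;", cmd):
            piece = piece.strip()
            if not FETCH_TOOL.search(piece):
                continue
            if PIPE_TO_SHELL.search(piece):
                findings.append((lineno, "curl-pipe-shell", piece))
            elif UNMANAGED_WRITE.search(piece):
                findings.append((lineno, "unmanaged-binary", piece))
    return findings


# Constructed sample for this example; the base image tag and URLs are placeholders.
SAMPLE_DOCKERFILE = """\
FROM registry.example/ubi-minimal:latest
# Fine: the RPM database records the package, so a scanner can match it to CVEs.
RUN microdnf install -y git && microdnf clean all
# Flagged: nothing in the image records which kubectl build this is.
RUN curl -sSL https://example.invalid/tools/kubectl \\
      -o /usr/local/bin/kubectl && \\
    chmod +x /usr/local/bin/kubectl
# Flagged: remote script executed unseen, installs whatever it likes.
RUN curl -fsSL https://example.invalid/install.sh | bash
"""

if __name__ == "__main__":
    for lineno, kind, command in find_unmanaged_fetches(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {kind}: {command}")
```

Run against the sample it reports the `-o /usr/local/bin/kubectl` download on line 5 as an unmanaged binary and the `| bash` step on line 9 as a pipe-to-shell install, while the `microdnf install` step passes. The split on `&&`, `||` and `;` is what lets a `curl ... -o ... && chmod +x ...` step be judged per command; a real pre-merge check would also want to allow-list the few fetches that are unavoidable (with a pinned checksum) rather than fail outright.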