tekton-robot
commented
1 year ago Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
/lifecycle stale
Send feedback to tektoncd/plumbing.
vinamra28
In TEP-0115, we selected 5 resources to be supported at
Verifiedsupport tier, where the @tektoncd/catalog-maintainers are expected to patch the detected CVEs.In TEP-0079, we have proposed to use the Artifact Hub Scanner service (which uses Trivy) to generate vulnerability reports and displayed on the Artifact Hub.
Here is the list of resources (and the underlying images) that will be serviced at
Verifiedtier:gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.18.1gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.40.2gcr.io/kaniko-project/executor:v1.5.1@sha256:c6166717f7fe0b7da44908c986137ecfeab21f31ec3992f6e128fff8a94be8a5docker.io/library/bash:5.1.4@sha256:c523c636b722339f41b6a431b44588ab2f762c5de5ec3bd7964420ff982fb1d9docker.io/library/golang:latestThe security reports for the above resources currently contains a bunch of CVEs, which should be addressed before we can claim these are the
Verified Catalogs.We can create separate issues to track the progress for each resource.
Steps to Reproduce the Problem
The Artifact Hub uses Trivy to scan the container images, you can get the same security report by running Trivy locally:
trivy image [container image name]@tektoncd/catalog-maintainers