Add Anchore go dependency security scanning, investigate others #794
Comments
Here’s a test of the Anchore container scan: #797 Uploading the SARIF results involves participating in the security scanning beta, I’m in the queue for my fork of Submariner.
Additional thoughts: our containers are designed to be as up-to-date as possible based on their base image, except for non-packaged dependencies. The only image which could have undiagnosed, actionable security problems is our base Dapper image; our production images are all based on software which is already tracked by the security teams of the distributions we use. So ultimately, as long as we regularly rebuild our container images, it’s all about our Go dependencies, and Dependabot is already supposed to track that. If we ever start supporting multiple streams, with long-term releases, this will become harder to deal with, but until we’re there, we’re in pretty good shape.
This issue has been automatically marked as stale because it has not had activity for 60 days. It will be closed if no further activity occurs. Please make a comment if this issue/pr is still valid. Thank you for your contributions.
This is still relevant.
This issue has been automatically marked as stale because it has not had activity for 60 days. It will be closed if no further activity occurs. Please make a comment if this issue/pr is still valid. Thank you for your contributions.
bump
Add scanning of Go dependencies for known vulnerabilities. Ignore two false positives. Relates-to: #794 Signed-off-by: Daniel Farrell <[email protected]>
It would be interesting to check if CodeQL identifies anything not found by other tools. https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql
Scan Go dependencies for known vulnerabilities. Run on PRs to gate on vulns negligible or higher. Also run on merges to devel and release branches to report results on the GitHub Code Scanning tab. Ignore two false positives. Relates-to: submariner-io/submariner#794 Signed-off-by: Daniel Farrell <[email protected]>
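As an added example (not code from Submariner or the linked PRs), here is the gating logic the commit message describes, written in Go: parse a grype-style JSON report (the field shape is an assumption), fail on every match at or above a severity cutoff, and skip an explicit allow list of reviewed false positives keyed by vulnerability ID. The CVE IDs, packages and versions in the sample report are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)
// Severity ranks, lowest to highest; assumed to match the scale Grype reports.
var severityRank = map[string]int{"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
// Report mirrors the subset of a grype-style JSON report this gate needs (assumption).
type Report struct {
	Matches []struct {
		Vulnerability struct{ ID, Severity string } `json:"vulnerability"`
		Artifact      struct{ Name, Version string } `json:"artifact"`
	} `json:"matches"`
}
type Finding struct{ ID, Severity, Package, Version string }
// Gate returns the matches at or above cutoff that are not on the ignore list (keyed by vulnerability ID).
func Gate(raw []byte, cutoff string, ignore map[string]bool) ([]Finding, error) {
	var r Report
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, err
	}
	floor, ok := severityRank[strings.ToLower(cutoff)]
	if !ok {
		return nil, fmt.Errorf("unknown severity cutoff %q", cutoff)
	}
	var out []Finding
	for _, m := range r.Matches {
		if ignore[m.Vulnerability.ID] {
			continue // reviewed false positive, explicitly accepted
		}
		rank, known := severityRank[strings.ToLower(m.Vulnerability.Severity)]
		if !known || rank >= floor { // an unrankable severity fails rather than silently passing
			out = append(out, Finding{m.Vulnerability.ID, m.Vulnerability.Severity, m.Artifact.Name, m.Artifact.Version})
		}
	}
	return out, nil
}
// sampleReport is constructed sample input in grype's JSON shape, not real scan output.
const sampleReport = `{"matches":[
 {"vulnerability":{"id":"CVE-0000-0001","severity":"High"},"artifact":{"name":"example.com/libfoo","version":"v1.2.3"}},
 {"vulnerability":{"id":"CVE-0000-0002","severity":"Negligible"},"artifact":{"name":"example.com/libbar","version":"v0.9.0"}},
 {"vulnerability":{"id":"CVE-0000-0003","severity":"Medium"},"artifact":{"name":"example.com/libbaz","version":"v2.0.0"}}]}`
func main() {
	findings, _ := Gate([]byte(sampleReport), "negligible", map[string]bool{"CVE-0000-0003": true})
	for _, f := range findings {
		fmt.Printf("FAIL %s %s in %s@%s\n", f.Severity, f.ID, f.Package, f.Version)
	}
}
```

With the cutoff at "negligible", as in the commit message, every match that is not on the ignore list fails the build; raising the cutoff only narrows what blocks a PR, it does not change what gets reported.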
Scan Go dependencies for known vulnerabilities. Run on PRs to gate on vulns negligible or higher. Also run on merges to devel and release branches to report results on the GitHub Code Scanning tab. Relates-to: submariner-io/submariner#794 Signed-off-by: Daniel Farrell <[email protected]>
Evaluating CodeQL vuln variant analysis here: The Go security rules are here (I don't see better docs):
This is done. ✔️
Scan Go dependencies for known vulnerabilities. Run on PRs to gate on vulns negligible or higher. Also run on merges to devel and release branches to report results on the GitHub Code Scanning tab. Ignore two false positives. Relates-to: submariner-io/submariner#794 Signed-off-by: Daniel Farrell <[email protected]> (cherry picked from commit 8f2af1f)
What would you like to be added:
Scanning for known vulnerabilities in the container images we publish, and a feedback loop from that scanning to highlight the problem and encourage a fix. Some scanning already happens on Quay, but we don't do anything with that information.
For example: https://github.com/marketplace/actions/anchore-container-scan.
As a different type of scanning, we may also want to look into: https://github.com/octarinesec/kube-scan
Why is this needed:
More security more better.