tekton-pipeline images can contain vulnerabilities #1833

othomann · 2020-01-09T17:02:00Z

Expected Behavior

No vulnerabilities in docker images built for tekton-pipeline

Two vulnerabilities are reported today against latest.

use the ibmcloud cr va tool to check docker images for vulnerabilities.
two images contain issues:
creds-init-c761f275af7b3d8bea9d50cc6cb0106f latest 821029bb8b42 othomann 14 hours ago 25 MB 1 problem
git-init-4874978a9786b6625dd8b6ef2a21aa70 latest 879990cf3bde othomann 14 hours ago 31 MB 1 problem
The command apk update && apk upgrade needs to be added in the Dockerfile. alpine:latest might not be built using latest packages.

The text was updated successfully, but these errors were encountered:

vdemeester · 2020-01-09T17:12:49Z

/kind feature

othomann · 2020-01-14T16:29:23Z

Closing #1833. Fixed with PR #1835.

othomann added a commit to othomann/pipeline that referenced this issue Jan 9, 2020

Fix for tektoncd#1833

655d1f8

tekton-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Jan 9, 2020

bobcatfish assigned othomann Jan 9, 2020

othomann closed this as completed Jan 14, 2020