Add weekly security scan using govulncheck and trivy #396
Conversation
|
Oh I need to include the go version in the e2e image build also |
lentzi90
force-pushed
the
lentzi90/security-scan
branch
from
15b9513 to
9c6a34c
Compare
There was a problem hiding this comment.
Thanks for the contribution!
This is in line with kubernetes-sigs/cluster-api-provider-openstack#2536, which provides a bit more context.
Just ran this locally, and noticed it produces a warning about possible invalid image when GO_VERSION is unset. Perhaps that's something we would like to fix.
Dockerfile
Outdated
| @@ -1,5 +1,6 @@ | |||
| # Build the manager binary | |||
| FROM golang:1.23 AS builder | |||
| ARG GO_VERSION | |||
There was a problem hiding this comment.
Do we want to set a default value there to prevent the warning?
https://docs.docker.com/reference/dockerfile/#default-values
1 warning found (use docker --debug to expand):
- InvalidDefaultArgInFrom: Default value for ARG golang:${GO_VERSION} results in empty or invalid base image name (line 3)
Even if we expect to always build the image via make, which sets a default value, it probably wouldn't hurt to set a default here too, WDYT?
There was a problem hiding this comment.
Yeah that makes sense. I'll update and probably push a PR to CAPI/CAPO also since they both get the same warning
This adds a new make target "verify-security" that runs govulncheck agains the code base and also builds the contaier image and scans it with trivy. I tried keeping things similar to how they are done elsewhere in the code. This is all based on how they do it in Cluster API (hence the copyright text in the scripts). Probably the most controversial thing here is that I added the GO_VERSION variable. The idea is to make sure we know what exact version is used. Signed-off-by: Lennart Jern <[email protected]>
lentzi90
force-pushed
the
lentzi90/security-scan
branch
from
9c6a34c to
810a068
Compare
This adds a new make target "verify-security" that runs govulncheck agains the code base and also builds the contaier image and scans it with trivy. I tried keeping things similar to how they are done elsewhere in the code. This is all based on how they do it in Cluster API (hence the copyright text in the scripts).
Probably the most controversial thing here is that I added the GO_VERSION variable. The idea is to make sure we know what exact version is used.