Description
As part of the last KFP call, we discussed that it would be nice to have a unified tool to scan our images for CVEs: https://youtu.be/wvGctNDiF2E?t=1125. Right now, Kubeflow repos use Dependabot for static analysis; it automatically creates PRs to update the dependencies for each language.
However, one of the requirements is to run scanning on releases. Given that each Kubeflow project has its own release schedule, we should integrate it as part of GitHub Actions CI.
I am aware of those tools:
- @droctothorpe was talking about: https://github.com/mend
- Argo Workflows uses Snyk: https://github.com/argoproj/argo-workflows/blob/main/.github/workflows/snyk.yml
- Kubeflow Spark Operator uses Trivy: https://github.com/kubeflow/spark-operator/blob/master/.github/workflows/trivy-image-scanning.yaml
- Kubeflow Manifests uses Trivy: https://github.com/kubeflow/manifests/blob/master/.github/workflows/trivy.yaml#L48
Thoughts @kubeflow/kubeflow-steering-committee @kubeflow/kubeflow-outreach-committee @kubeflow/wg-pipeline-leads @kubeflow/wg-data-leads @kubeflow/wg-training-leads @Electronic-Waste @kramaranya @astefanutti @szaher @kubeflow/wg-manifests-leads @kubeflow/wg-notebooks-leads @chensun @droctothorpe @HumairAK @mprahl @zazulam @anishasthana ?
/area security
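For reference, a release-triggered Trivy image scan as a GitHub Actions workflow, added here as an illustration of the approach discussed above; it is not code from this issue or from any Kubeflow repository. The image reference expression and the action version tags are assumptions and would need to match the target repository.

```yaml
# Added example: scan a release image with Trivy on every published release.
# Assumed: image lives at ghcr.io/<owner>/<repo>:<release tag>; action versions are placeholders.
name: Trivy release image scan

on:
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      image:
        description: "Image to scan (registry/name:tag)"
        required: true

permissions:
  contents: read
  security-events: write   # required to upload SARIF to GitHub code scanning

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Resolve image reference
        id: img
        run: |
          # Manual runs take the input; release events use the release tag as the image tag.
          if [ -n "${{ github.event.inputs.image }}" ]; then
            echo "ref=${{ github.event.inputs.image }}" >> "$GITHUB_OUTPUT"
          else
            echo "ref=ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }}" >> "$GITHUB_OUTPUT"
          fi

      - name: Scan image with Trivy (report all findings, never fail here)
        uses: aquasecurity/trivy-action@0.28.0   # assumed version tag
        with:
          image-ref: ${{ steps.img.outputs.ref }}
          format: sarif
          output: trivy-results.sarif
          ignore-unfixed: true

      - name: Upload results to GitHub code scanning
        uses: github/codeql-action/upload-sarif@v3   # assumed version tag
        with:
          sarif_file: trivy-results.sarif

      - name: Gate the release on fixable HIGH/CRITICAL CVEs
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ steps.img.outputs.ref }}
          format: table
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: "1"
```

The first Trivy step records everything in the Security tab while the second only fails the job on fixable HIGH/CRITICAL findings, so unfixable CVEs in base images do not block a release but remain visible.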