Check for CVEs #46

Closed
kitarp29 opened this issue Jul 11, 2023 · 11 comments
kitarp29 commented Jul 11, 2023

Right now the CI is set up such that every successful build of the Docker image is pushed to ghcr.
But this is very risky, as I am not scanning for CVEs. Nor do I have image scanning turned on on my Docker Hub, as I am broke.
So we need to find some CLI-based Docker image scanning jobs in the CI.
Refer to this: Here
kitarp29 commented Aug 1, 2023

Or you can use this action directly: https://github.com/snyk/actions

kitarp29 commented Aug 11, 2023

So I have enabled Docker Scout on my repo.
It seems to be free in the early access version. ( Let's see till when it is free xD)
Anyway, these are the changes I saw after fixing it:

All I had to do was upgrade the base image. This means I just had to build an image so that it gets the latest of the base image.
It raises a good itch in my head: I should have a CRON job for this. It runs once a month or so...

I know my CI will build and test, so functionality won't break!
The only demerit I see is that the documentation will be outdated with the tag each time. And I really don't want to make any commit with a CI runner!
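A workflow that ties together the two ideas in this thread (a monthly rebuild that pulls a fresh base image, and a CLI-based image scan that gates the push to ghcr), as an added example that is not the repository's own CI. It assumes the snyk/actions Docker action linked above and a SNYK_TOKEN secret; the image name, cron schedule and severity threshold are constructed placeholders.

```yaml
name: build-scan-push

on:
  push:
    branches: [main]
  schedule:
    # Constructed schedule: rebuild on the 1st of every month so the image
    # picks up the latest base image without a commit from the CI runner.
    - cron: "0 3 1 * *"

permissions:
  contents: read
  packages: write

jobs:
  image:
    runs-on: ubuntu-latest
    env:
      # Assumption: image name derived from the repository.
      # ghcr.io requires a lowercase name, so adjust if the owner has capitals.
      IMAGE: ghcr.io/${{ github.repository }}:latest
    steps:
      - uses: actions/checkout@v4

      # --pull re-fetches the base image on every build, which is what
      # cleared the image-layer CVEs in this issue.
      - name: Build image
        run: docker build --pull -t "$IMAGE" .

      # snyk container test exits non-zero when findings at or above the
      # threshold exist, so the job fails here and nothing is pushed.
      - name: Scan image with Snyk
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ${{ env.IMAGE }}
          args: --file=Dockerfile --severity-threshold=high

      # Only reached when the scan step passed.
      - name: Log in to ghcr
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Push image
        run: docker push "$IMAGE"
```

The scan step only covers the image layers; code-level and dependency findings (the Snyk code scan discussed later in the thread) need a separate step.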
kitarp29 commented Aug 11, 2023

Anyway, this only fixes the CVEs on the image layer.
Let's plan and build something for the code level.
(PS: That's what she said)

kitarp29 commented

Ok, so I set up Snyk to scan my codebase.
Now this got really interesting!
Most of the CVEs are dependency-related or Kubernetes-YAML related.
It is interesting because it did not say any part of the code has a CVE 🤯

Either one of the two things is happening here:

  • Snyk on the free level is bullcrap and not working as expected. I don't even see suggestions to fix my CVE on the dashboard.
  • I am the proof of singularity and I write code with no CVE 😂

Anyway, my search for a code scanning tool for my CI is not done yet, then!
I mean, the repo has CodeQL setup but you know it's not the same feeling.
I learned some new things today for sure.

@kitarp29 kitarp29 self-assigned this Aug 13, 2023
github-actions bot commented Jan 6, 2024

Stale issue message

Copy link

Stale issue message

Copy link

github-actions bot commented Jun 8, 2024

Stale issue message


github-actions bot commented Nov 2, 2024

Stale issue message
