
Include sast check for dockerfiles #696

Merged
merged 15 commits into from
Jun 22, 2023

Conversation

Tansito
Member

@Tansito Tansito commented Jun 21, 2023

Summary

This PR includes checks that validate our Dockerfile configurations.

Details and comments

  • Added a script that looks for vulnerabilities
  • Include conftest

ref #690

@Tansito Tansito mentioned this pull request Jun 21, 2023
@Tansito Tansito marked this pull request as ready for review June 21, 2023 10:33
Collaborator

@psschwei psschwei left a comment


This test isn't showing up for this PR for some reason...

[image]

@Tansito
Member Author

Tansito commented Jun 21, 2023

I think it's because of this commit @psschwei: 1557de7 (I needed to enable it to make it work). But you can check the previous tests before that commit here. I can enable it for now until the PR is merged, too.

Collaborator


I'm a little curious. Are these checks recommended ones?

Member Author


Yes, from the security team. I can share the link with you internally if you are interested, Aki.

Collaborator


Yes, please. I should have known about them before I wrote any Dockerfile :-)

Member Author

@Tansito Tansito Jun 21, 2023


Np, they seem relatively new. I didn't know about them until we started with the deployment some weeks ago.

@psschwei
Collaborator

Just trying to think through the workflow here... if this test is only run on push to main, does that mean the flow would be something like this:

  • PR opened
  • other tests run and pass
  • approved by reviewer
  • merge button clicked
  • docker verify test runs
  • if docker verify passes, then merge

If that's right, if the docker verify test fails, then the PR author would have to make changes but the PR would still be approved... if the changes needed to pass a security review were non-trivial, I could see wanting another review before merging...

@Tansito
Member Author

Tansito commented Jun 21, 2023

Not exactly: the workflow also runs on a PR every time the PR contains a change in the specified path. In #689 it was running because, to pass the checks, I needed to make changes in the Dockerfiles. Since this time we don't need to fix anything, the workflow doesn't run.
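For readers following the trigger discussion above, here is a GitHub Actions workflow with the shape being described (run on push to main, and on any pull request that touches a Dockerfile), added here as an example and not the project's own workflow file. The `policy/` directory for the Rego rules, the `docker-verify` job name and the use of the `openpolicyagent/conftest` image are assumptions.

```yaml
# Added example, not the project's workflow: run conftest against every
# Dockerfile on push to main and on pull requests that change one.
name: docker-verify

on:
  push:
    branches: [main]
    paths:
      - '**/Dockerfile'
      - 'policy/**'          # assumed location of the Rego policies
  pull_request:
    paths:                   # the "specified path" filter discussed above
      - '**/Dockerfile'
      - 'policy/**'

jobs:
  docker-verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Run conftest policies on all Dockerfiles
        # Any policy "deny" fails the job; add --fail-on-warn to make
        # "warn" results fail too once the warnings are cleaned up.
        run: |
          find . -name Dockerfile -print0 \
            | xargs -0 docker run --rm -v "$PWD:/project" -w /project \
                openpolicyagent/conftest:latest \
                test --policy policy/ --parser dockerfile
```

Note that a PR whose only changes fall outside the `paths` filter will not run this job at all, which is exactly the situation described in this thread; if the check must be visible on every PR, drop the `paths` filter under `pull_request` and let the job exit early when no Dockerfile changed.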

@Tansito
Member Author

Tansito commented Jun 21, 2023

Now @psschwei you should be able to see the checks with the last change that I did, for example.

Collaborator

@akihikokuroda akihikokuroda left a comment


LGTM. Our Dockerfiles pass these checks for now (with some warnings) :-). It's good.

@Tansito
Member Author

Tansito commented Jun 21, 2023

I don't know why this error didn't appear in #699 but I will take a look now 😂

@Tansito
Member Author

Tansito commented Jun 22, 2023

This error seems a bit random 🤷‍♂️

@Tansito Tansito merged commit cfe62d8 into main Jun 22, 2023
@Tansito Tansito deleted the docker-sast branch June 22, 2023 09:03