-
Notifications
You must be signed in to change notification settings - Fork 893
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create security scan script #2731
Conversation
Please extend and rename the extract_images script to provide all of this information at once. You can still name it trivy_scan.sh So trivy_scan.sh should do all of this. For non pullable images you can just output a warning and ignore them otherwise. |
Please be aware of #2733 |
d17bae4
to
ecb199b
Compare
Signed-off-by: Hansini Karunarathne <hansini.20@cse.mrt.ac.lk>
Signed-off-by: Hansini Karunarathne <hansini.20@cse.mrt.ac.lk>
I automated the trivy_scan process and created a github action to run the trivy_scanning process and print the table. screenshot of the table |
.github/workflows/trivy.yaml
Outdated
chmod +x trivy_scan.sh | ||
./trivy_scan.sh | ||
|
||
# Upload the artifact |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you comment out the upload part for now? we do not want external dependencies.
.github/workflows/trivy.yaml
Outdated
- name: Setup Python | ||
uses: actions/setup-python@v5 | ||
with: | ||
python-version: '3.10' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please use the latest Python available in the base image
@@ -0,0 +1,248 @@ | |||
# !/usr/bin/env bash |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we want to migrate to python entirely for that script? What do you think @hansinikarunarathne
the dependencies should be checked and installed if not available, e.g. prettytable and trivy if someone runs this locally on ubuntu or fedora |
5cb4768
to
d840117
Compare
Signed-off-by: Hansini Karunarathne <hansini.20@cse.mrt.ac.lk>
d840117
to
bdada60
Compare
/lgtm lets follow up with the remaining stuff in a new PR. |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: juliusvonkohout The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
https://github.com/kubeflow/manifests/actions/runs/9463132552/job/26067629950 will be interesting. |
* Automate the scanning security vulnerabilities in images of WGs Signed-off-by: Hansini Karunarathne <hansini.20@cse.mrt.ac.lk> * Fixed a issue in trivy_scan.yaml and trivy_scan.sh Signed-off-by: Hansini Karunarathne <hansini.20@cse.mrt.ac.lk> * Did requested changes in trivy.yaml Signed-off-by: Hansini Karunarathne <hansini.20@cse.mrt.ac.lk> --------- Signed-off-by: Hansini Karunarathne <hansini.20@cse.mrt.ac.lk>
Pull Request Template for Kubeflow manifests Issues
✏️ A brief description of the changes
✅ Contributor checklist
DCO
check)cla/google
check)