Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create security scan script #2731

Merged
merged 3 commits into from
Jun 11, 2024

Conversation

hansinikarunarathne
Copy link
Member

@hansinikarunarathne hansinikarunarathne commented May 26, 2024

Pull Request Template for Kubeflow manifests Issues

  • Please include a summary of changes and the related issue.
  • List any dependencies that are required for this change.
  • Please delete the options that are not relevant.
  • The following checklist will help you to satisfy the requirements.

✏️ A brief description of the changes

  1. I added a script for the security vulnerability scan with Trivy.

  2. I added the extracting images part in the extract_images.sh to the trivy_scan.sh.

  3. The script creates security scanning reports for each image in WG. Those scan reports are saved in JSON in the docs/image_lists/security_scan_reports/{WG_names} .

  4. Security counts of all images related to the WG groups are saved in the docs/image_lists/severity_counts_with_images_for_WG.

  5. Summary of all security scan counts is saved in the summary_of_severity_counts_for_WG as JSON and table formats.

  6. Created the Github action run when PR merges to a master to automate the whole process and print the table.

  7. Also can run the trivy_scan.sh file inside the hack folder manually.

✅ Contributor checklist


You can join our slack channel wg-manifests here. This link also contains our meeting schedule.

@juliusvonkohout
Copy link
Member

juliusvonkohout commented May 27, 2024

Please extend and rename the extract_images script to provide all of this information at once. You can still name it trivy_scan.sh
Please provide per workinggroup and total information similar to the extract_images scripts.

So trivy_scan.sh should do all of this.

For non pullable images you can just output a warning and ignore them otherwise.

@google-oss-prow google-oss-prow bot added size/M and removed size/S labels May 27, 2024
@juliusvonkohout
Copy link
Member

juliusvonkohout commented May 27, 2024

You need to generate per working group lists and total list and generate this table

image

WG1_ images.txt WG1_CVEs.json
WG2_ images.txt WG2_CVEs.json
...
total_ images.txt total_CVEs.json

afterwards you can add a github action workflow to generate this table on merges to master.

@juliusvonkohout
Copy link
Member

Please be aware of #2733

Signed-off-by: Hansini Karunarathne <hansini.20@cse.mrt.ac.lk>
Signed-off-by: Hansini Karunarathne <hansini.20@cse.mrt.ac.lk>
@hansinikarunarathne
Copy link
Member Author

You need to generate per working group lists and total list and generate this table

image

WG1_ images.txt WG1_CVEs.json WG2_ images.txt WG2_CVEs.json ... total_ images.txt total_CVEs.json

afterwards you can add a github action workflow to generate this table on merges to master.

I automated the trivy_scan process and created a github action to run the trivy_scanning process and print the table.
You can find my github action in my forked repository of Kubeflow https://github.com/hansinikarunarathne/kubeflow-manifests/actions/runs/9431495509

screenshot of the table

image

chmod +x trivy_scan.sh
./trivy_scan.sh

# Upload the artifact
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you comment out the upload part for now? we do not want external dependencies.

- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: '3.10'
Copy link
Member

@juliusvonkohout juliusvonkohout Jun 10, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please use the latest Python available in the base image

@@ -0,0 +1,248 @@
# !/usr/bin/env bash
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to migrate to python entirely for that script? What do you think @hansinikarunarathne

@juliusvonkohout
Copy link
Member

juliusvonkohout commented Jun 10, 2024

the dependencies should be checked and installed if not available, e.g. prettytable and trivy if someone runs this locally on ubuntu or fedora

@hansinikarunarathne hansinikarunarathne force-pushed the master branch 3 times, most recently from 5cb4768 to d840117 Compare June 10, 2024 14:02
Signed-off-by: Hansini Karunarathne <hansini.20@cse.mrt.ac.lk>
@juliusvonkohout
Copy link
Member

/lgtm
/approve

lets follow up with the remaining stuff in a new PR.

@google-oss-prow google-oss-prow bot added the lgtm label Jun 11, 2024
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: juliusvonkohout

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow google-oss-prow bot merged commit 94c6135 into kubeflow:master Jun 11, 2024
3 checks passed
@juliusvonkohout
Copy link
Member

doncorsean pushed a commit to doncorsean/kubeflow-manifests that referenced this pull request Jul 18, 2024
* Automate the scanning security vulnerabilities in images of WGs

Signed-off-by: Hansini Karunarathne <hansini.20@cse.mrt.ac.lk>

* Fixed a issue in trivy_scan.yaml and trivy_scan.sh

Signed-off-by: Hansini Karunarathne <hansini.20@cse.mrt.ac.lk>

* Did requested changes in trivy.yaml

Signed-off-by: Hansini Karunarathne <hansini.20@cse.mrt.ac.lk>

---------

Signed-off-by: Hansini Karunarathne <hansini.20@cse.mrt.ac.lk>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants