Ci: Add Codeql and make trivy work for next containers #90
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
|
also replaced versions of all workflows that reference a version (not main / master) to use the commit SHA. Thus, solves #86. |
|
Java Backend currently failing due to failure in tests (none given yet). Therefore we need to check to:
|
@tom-rm-meyer-ISST the easiest way is to build it yourself, as reference you can see the IRS codeql workflow - they also use Java |
|
trivy should scan the "latest" images, not "main". I created this as a short term solution, so you can see your findings. At this time no image with a latest tag was released. |
|
Except of these minor changes, it looks good :) |
I'm confused again: I adjusted the Workflow to also assign the latest tag to images currently created for main (no release as no specific tag has been set). The TRG seems to only refer to the latest tag for versions in images:
I used the example worfklow as basis and now added the latest tag also for the second case. We could dicsuss in the office hour whats actually the intended behavior. But for now: Trivy currently scans the main tag? Then in this PR, we could change it to latest. |
Well, we have frontend and backend (javascript and java) that kind of adds some more steps. I'm meanwhile progressing with the testing so that we can merge this PR next week after I merged them :) |
|
@tom-rm-meyer-ISST which PR? I can do the changes for you, but please link the PR you are talking of. |
Sorry @scherersebastian, I was talking about those two PR's (#91, #97) that added some tests. Those have been merged meanwhile. After that I found out today, that the setup for the autobuild didn't work
The latter could be interesting for your recommended setups. @scherersebastian could you please review this pr now? Everything seems to work now. |
|
@scherersebastian resolved comment. Please approve, if fine :) |
.github/workflows/trivy.yml
Outdated
| @@ -61,14 +64,14 @@ jobs: | |||
| steps: | |||
| # Pull image from Docker Hub and run Trivy vulnerability scanner | |||
| - name: Run Trivy vulnerability scanner | |||
| uses: aquasecurity/trivy-action@0.14.0 | |||
| uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 # v0.14.0 | |||
| with: | |||
| image-ref: "tractusx/app-puris-backend:main" | |||
| # The branches below must be a subset of the branches above | ||
| branches: ["main"] | ||
| schedule: | ||
| - cron: "36 1 * * 0" |
There was a problem hiding this comment.
I would take this scan cycle 0 0 * * * , but this is up to you
There was a problem hiding this comment.
it's once a day - it's free, why not :)
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| language: ["java", "javascript"] |
There was a problem hiding this comment.
Being honest, I am not one hundred percent sure, whether this will work.
javascript does not need autobuild.
I think the easiest solution is to test it out. Might be that you need to configure a separate set of steps just of javascript.
I would say, lets merge it, and see what happens - I will be there to help :)
Description
As shown in issue sig-security#24, @scherersebastian showed how to setup the codeql scan and offered the review (comment).
I would love you to do the review!
Also as stated in configuring the trivy scans (#83) I updated the workflows to assign the latest tag to the current main branch to ensure trivy runs on non-release containers, too. Maybe you're also able to review that. If not it's fine.
Pre-review checks
Please ensure to do as many of the following checks as possible, before asking for committer review: