Add image scanning #6

Merged: emsearcy merged 5 commits into main from ems/toolchain-updates on Feb 8, 2025
Conversation

@emsearcy (Contributor) commented Feb 7, 2025

Also update dependencies.

@emsearcy force-pushed the ems/toolchain-updates branch 3 times, most recently from 86322ab to 4d1b790 (February 7, 2025 19:01)

Commit: Also update dependencies.

Signed-off-by: Eric Searcy <eric@linuxfoundation.org>

@emsearcy force-pushed the ems/toolchain-updates branch from 4d1b790 to a35d8a0 (February 7, 2025 19:03)
@emsearcy requested a review from jordane (February 7, 2025 19:04)
@jordane left a review comment on .github/workflows/image-scan.yaml (outdated, resolved):

You probably also want to block the publish job on the results of the scan, as we definitely don't want to upload if you found a secret.
@emsearcy (Contributor, Author) commented Feb 7, 2025

> You probably also want to block the publish job on the results of the scan, as we definitely don't want to upload if you found a secret.

I created this as a PR job, rather than a merge job, so I assume this would be covered by required checks and branch restrictions?

Commit: Pass failure exit code on found secrets, and also ignore the update check.

Signed-off-by: Eric Searcy <eric@linuxfoundation.org>

@emsearcy force-pushed the ems/toolchain-updates branch from 235d540 to 2eda209 (February 7, 2025 19:27)
@emsearcy (Contributor, Author) commented Feb 7, 2025

> I created this as a PR job, rather than a merge job, so I assume this would be covered by required checks and branch restrictions?

On the other hand, perhaps it's overkill to do this on every update to a PR, and a sanity check pre-publish on merge would be sufficient...

@jordane commented Feb 7, 2025

Yes, as long as it has --fail and this is on PRs, that would be sufficient. We would want to rotate anything caught at that point anyway, since it exists on GitHub's servers for some amount of time.

That does rely on no one changing the repo settings and pushing directly (a manual build & push is what caused issues with one container image recently), bypassing the PR check, though.
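The gate discussed above (scan on every PR update, scan again before publishing, never push an image the scanner has flagged), as an added example workflow written for this page. It is not the PR's own .github/workflows/image-scan.yaml, which the page does not show, and it also covers the commit's point that the scanner must return a failure exit code on found secrets and skip its self-update check. The image name, the ci/scan-image.sh wrapper and the GHCR login are assumptions; the thread names neither the scanner nor the registry.

```yaml
name: image-scan

# The scan runs for every pull_request update and for every push to main.
# A scanner finding fails the `scan` job; `needs: scan` then makes GitHub
# skip `publish` entirely, so nothing is uploaded when a secret is found.
on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  packages: write

env:
  # Assumed image name; substitute the project's own registry and name.
  IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image locally (this job never pushes)
        run: docker build -t "$IMAGE" .

      - name: Scan image for secrets
        # ci/scan-image.sh is a hypothetical wrapper around whichever scanner
        # the project uses. The contract that matters here: it must exit
        # non-zero when a secret is found (the scanner's --fail style flag),
        # and it must not perform a network self-update check, so a failed
        # update cannot turn into a scan that silently did not run.
        run: ./ci/scan-image.sh "$IMAGE"

      - name: Save the scanned image for the publish job
        # Runs only if the scan step passed; a failing scan stops the job
        # before any artifact exists for `publish` to pick up.
        run: docker save "$IMAGE" -o image.tar

      - uses: actions/upload-artifact@v4
        with:
          name: scanned-image
          path: image.tar

  publish:
    # Skipped automatically when `scan` fails or is cancelled.
    needs: scan
    # Only publish from main; pull_request runs stop after the scan.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: scanned-image

      - name: Log in to GHCR (assumed registry)
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Push exactly the bytes that were scanned
        # Loading the saved tarball, rather than rebuilding, guarantees the
        # published image is the one the scanner passed, not a fresh build
        # that could differ from it.
        run: |
          docker load -i image.tar
          docker push "$IMAGE"
```

Two checks go with this. First, mark the `scan` job as a required status check and restrict direct pushes to main in the repository's branch protection or ruleset; without that, the PR-time scan only protects changes that arrive through a PR, which is the bypass jordane describes. Second, as the thread also notes, a secret that reached a PR branch has already left the developer's machine and sat on GitHub's infrastructure, so the failing check is a signal to rotate it, not a reason to consider it contained.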

@emsearcy merged commit d3d3ee7 into main on Feb 8, 2025 (4 checks passed) and deleted the ems/toolchain-updates branch (February 8, 2025 05:26)