Adds SECURITY.md and scanning workflow #267
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This adds SECURITY.md and a scanning workflow, using Trivy. In particular, this clarifies what we use to scan for vulnerabilities (Trivy, not anything else), and the only channel likely to be responded to on a significant issue (zipkin-admin email, not advisories as people ignored them). I won't merge this until I get at least 2 approves. After that, I'll help apply this to the other java repos. Signed-off-by: Adrian Cole <adrian@tetrate.io>
|
ps all the main repos are clean, with the exception of zipkin-dependencies, which is a mess due to documented revlock on spark. When it gets to that repo, I'll make a special case note in the workflow. |
| severity: HIGH,CRITICAL | ||
| output: trivy-report.md | ||
| cache-dir: .trivy | ||
| - name: Set Summary |
There was a problem hiding this comment.
intentionally just setting the summary vs opting into GitHub features. When we run trivy like this, it is basically the same as trivy fs . so quite easy and has no licensing or other impact with GitHub, nor any new tabs to accidentally ignore.
reta
approved these changes
Apr 14, 2024
reta
reviewed
Apr 14, 2024
SECURITY.md
Outdated
|
@anuraaga @reta @llinder @shakuzen trivya: The reason why this doesn't show up in red, despite testing with old spring deps, is that Trivy agreed that maven-invoker-test deps should be classified as dev dependencies, and they don't trigger by default anymore. That we could resolve that issue in OSS transparently, and also that trivy is OSS and we can run manually like all our other linters, is the reason I went with trivy here. This is in spite of us having access to snyk cloud and being able to manually work around the same (by deleting modules from the portal). Allowing anyone, not just the maintainers, to run the same checks as PRs require offline, is quite a good feature. If you think this decision should be in RATIONALE.md, I'm happy to add it! |
I think it is all good, not need for |
anuraaga
approved these changes
Apr 15, 2024
| - name: Set Summary | ||
| shell: bash | ||
| if: ${{ failure() && steps.trivy.conclusion == 'failure' }} | ||
| run: cat trivy-report.md >> $GITHUB_STEP_SUMMARY |
There was a problem hiding this comment.
Might be worth adding a link or comment about the 1MB limit on step summary.
There was a problem hiding this comment.
hopefully we don't end up with over 1MB of CVE descriptions, but sure ;)
There was a problem hiding this comment.
put a note with a cheeky suggestion if this happens :D
added 2 commits
April 15, 2024 06:21
|
PS I spent a good bit of time getting zipkin-dependencies clean, so this means all our prod images can use the same security settings. It is likely zipkin-dependencies will need more maintenance than others to stay clean. I think as volunteers we can choose how often we want to do that work. |
codefromthecrypt
pushed a commit
to openzipkin/zipkin
that referenced
this pull request
Apr 16, 2024
This adds SECURITY.md and a scanning workflow, using Trivy. In particular, this clarifies what we use to scan for vulnerabilities (Trivy, not anything else), and the only channel likely to be responded to on a significant issue (zipkin-admin email, not advisories as people ignored them). This is the same approach as approved and merged in openzipkin/zipkin-reporter-java#267 Signed-off-by: Adrian Cole <adrian@tetrate.io>
codefromthecrypt
added a commit
to openzipkin/zipkin
that referenced
this pull request
Apr 16, 2024
This adds SECURITY.md and a scanning workflow, using Trivy. In particular, this clarifies what we use to scan for vulnerabilities (Trivy, not anything else), and the only channel likely to be responded to on a significant issue (zipkin-admin email, not advisories as people ignored them). This is the same approach as approved and merged in openzipkin/zipkin-reporter-java#267 Signed-off-by: Adrian Cole <adrian@tetrate.io>
codefromthecrypt
pushed a commit
to openzipkin/zipkin-dependencies
that referenced
this pull request
Apr 16, 2024
This adds SECURITY.md and a scanning workflow, using Trivy. In particular, this clarifies what we use to scan for vulnerabilities (Trivy, not anything else), and the only channel likely to be responded to on a significant issue (zipkin-admin email, not advisories as people ignored them). This is the same approach as approved and merged in openzipkin/zipkin-reporter-java#267 Signed-off-by: Adrian Cole <adrian@tetrate.io>
codefromthecrypt
pushed a commit
to openzipkin/docker-alpine
that referenced
this pull request
Apr 16, 2024
This adds SECURITY.md and a scanning workflow, using Trivy. In particular, this clarifies what we use to scan for vulnerabilities (Trivy, not anything else), and the only channel likely to be responded to on a significant issue (zipkin-admin email, not advisories as people ignored them). This is the same approach as approved and merged in openzipkin/zipkin-reporter-java#267 Signed-off-by: Adrian Cole <adrian@tetrate.io>
codefromthecrypt
pushed a commit
to openzipkin/docker-java
that referenced
this pull request
Apr 16, 2024
This adds SECURITY.md and a scanning workflow, using Trivy. In particular, this clarifies what we use to scan for vulnerabilities (Trivy, not anything else), and the only channel likely to be responded to on a significant issue (zipkin-admin email, not advisories as people ignored them). This is the same approach as approved and merged in openzipkin/zipkin-reporter-java#267 Signed-off-by: Adrian Cole <adrian@tetrate.io>
codefromthecrypt
pushed a commit
to openzipkin/brave
that referenced
this pull request
Apr 16, 2024
This adds SECURITY.md and a scanning workflow, using Trivy. In particular, this clarifies what we use to scan for vulnerabilities (Trivy, not anything else), and the only channel likely to be responded to on a significant issue (zipkin-admin email, not advisories as people ignored them). This is the same approach as approved and merged in openzipkin/zipkin-reporter-java#267 Signed-off-by: Adrian Cole <adrian@tetrate.io>
codefromthecrypt
pushed a commit
to openzipkin/zipkin-gcp
that referenced
this pull request
Apr 16, 2024
This adds SECURITY.md and a scanning workflow, using Trivy. In particular, this clarifies what we use to scan for vulnerabilities (Trivy, not anything else), and the only channel likely to be responded to on a significant issue (zipkin-admin email, not advisories as people ignored them). This is the same approach as approved and merged in openzipkin/zipkin-reporter-java#267 Signed-off-by: Adrian Cole <adrian@tetrate.io>
codefromthecrypt
pushed a commit
to openzipkin/zipkin-aws
that referenced
this pull request
Apr 16, 2024
This adds SECURITY.md and a scanning workflow, using Trivy. In particular, this clarifies what we use to scan for vulnerabilities (Trivy, not anything else), and the only channel likely to be responded to on a significant issue (zipkin-admin email, not advisories as people ignored them). This is the same approach as approved and merged in openzipkin/zipkin-reporter-java#267 Signed-off-by: Adrian Cole <adrian@tetrate.io>
|
OK I raised PRs for all the most maintained and/or production repos. Folks who are interested can raise them for any of the others. |
codefromthecrypt
added a commit
to openzipkin/zipkin-aws
that referenced
this pull request
Apr 16, 2024
This adds SECURITY.md and a scanning workflow, using Trivy. In particular, this clarifies what we use to scan for vulnerabilities (Trivy, not anything else), and the only channel likely to be responded to on a significant issue (zipkin-admin email, not advisories as people ignored them). This is the same approach as approved and merged in openzipkin/zipkin-reporter-java#267 Signed-off-by: Adrian Cole <adrian@tetrate.io>
codefromthecrypt
added a commit
to openzipkin/zipkin-gcp
that referenced
this pull request
Apr 16, 2024
This adds SECURITY.md and a scanning workflow, using Trivy. In particular, this clarifies what we use to scan for vulnerabilities (Trivy, not anything else), and the only channel likely to be responded to on a significant issue (zipkin-admin email, not advisories as people ignored them). This is the same approach as approved and merged in openzipkin/zipkin-reporter-java#267 Signed-off-by: Adrian Cole <adrian@tetrate.io>
codefromthecrypt
added a commit
to openzipkin/brave
that referenced
this pull request
Apr 16, 2024
This adds SECURITY.md and a scanning workflow, using Trivy. In particular, this clarifies what we use to scan for vulnerabilities (Trivy, not anything else), and the only channel likely to be responded to on a significant issue (zipkin-admin email, not advisories as people ignored them). This is the same approach as approved and merged in openzipkin/zipkin-reporter-java#267 Signed-off-by: Adrian Cole <adrian@tetrate.io>
codefromthecrypt
added a commit
to openzipkin/docker-java
that referenced
this pull request
Apr 16, 2024
This adds SECURITY.md and a scanning workflow, using Trivy. In particular, this clarifies what we use to scan for vulnerabilities (Trivy, not anything else), and the only channel likely to be responded to on a significant issue (zipkin-admin email, not advisories as people ignored them). This is the same approach as approved and merged in openzipkin/zipkin-reporter-java#267 Signed-off-by: Adrian Cole <adrian@tetrate.io>
codefromthecrypt
added a commit
to openzipkin/docker-alpine
that referenced
this pull request
Apr 16, 2024
This adds SECURITY.md and a scanning workflow, using Trivy. In particular, this clarifies what we use to scan for vulnerabilities (Trivy, not anything else), and the only channel likely to be responded to on a significant issue (zipkin-admin email, not advisories as people ignored them). This is the same approach as approved and merged in openzipkin/zipkin-reporter-java#267 Signed-off-by: Adrian Cole <adrian@tetrate.io>
codefromthecrypt
added a commit
to openzipkin/zipkin-dependencies
that referenced
this pull request
Apr 16, 2024
This adds SECURITY.md and a scanning workflow, using Trivy. In particular, this clarifies what we use to scan for vulnerabilities (Trivy, not anything else), and the only channel likely to be responded to on a significant issue (zipkin-admin email, not advisories as people ignored them). This is the same approach as approved and merged in openzipkin/zipkin-reporter-java#267 Signed-off-by: Adrian Cole <adrian@tetrate.io>
codefromthecrypt
pushed a commit
to openzipkin/zipkin-go
that referenced
this pull request
Apr 24, 2024
This adds SECURITY.md and a scanning workflow, using Trivy. In particular, this clarifies what we use to scan for vulnerabilities (Trivy, not anything else), and the only channel likely to be responded to on a significant issue (zipkin-admin email, not advisories as people ignored them). This is the same approach as approved and merged in openzipkin/zipkin-reporter-java#267 Signed-off-by: Adrian Cole <adrian@tetrate.io>
codefromthecrypt
added a commit
to openzipkin/zipkin-go
that referenced
this pull request
Apr 29, 2024
This adds SECURITY.md and a scanning workflow, using Trivy. In particular, this clarifies what we use to scan for vulnerabilities (Trivy, not anything else), and the only channel likely to be responded to on a significant issue (zipkin-admin email, not advisories as people ignored them). This is the same approach as approved and merged in openzipkin/zipkin-reporter-java#267 --------- Signed-off-by: Adrian Cole <adrian@tetrate.io>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds SECURITY.md and a scanning workflow, using Trivy. In particular, this clarifies what we use to scan for vulnerabilities (Trivy, not anything else), and the only channel likely to be responded to on a significant issue (zipkin-admin email, not advisories as people ignored them).
I won't merge this until I get at least 2 approves. After that, I'll help apply this to the docker and other java repos.