Skip to content

[dev] Introduce script and CI step using trivy to scan and enforce 0 CRITICAL in images #20712

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Merged
merged 5 commits into from
Mar 28, 2025
Merged

[dev] Introduce script and CI step using trivy to scan and enforce 0 CRITICAL in images #20712

merged 5 commits into from
Mar 28, 2025

Conversation

geropl
Copy link
Member

@geropl geropl commented Mar 27, 2025

Description

Moving this closer to the dev loop helps us react to these quicker.

Note: This is not meant to preclude the ongoing discussions of how to improve scanning, enforcement and reaction across all deliverables. Instead, I see it as a mere first step.

Related Issue(s)

How to test

Documentation

Preview status

gitpod:summary

Build Options

Build
  • /werft with-werft
    Run the build with werft instead of GHA
  • leeway-no-cache
  • /werft no-test
    Run Leeway with --dont-test
Publish
  • /werft publish-to-npm
  • /werft publish-to-jb-marketplace
Installer
  • analytics=segment
  • with-dedicated-emulation
  • workspace-feature-flags
    Add desired feature flags to the end of the line above, space separated
Preview Environment / Integration Tests
  • /werft with-local-preview
    If enabled this will build install/preview
  • /werft with-preview
  • /werft with-large-vm
  • /werft with-gce-vm
    If enabled this will create the environment on GCE infra
  • /werft preemptible
    Saves cost. Untick this only if you're really sure you need a non-preemtible machine.
  • with-integration-tests=all
    Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh. If enabled, with-preview and with-large-vm will be enabled.
  • with-monitoring

/hold

geropl added 3 commits March 27, 2025 09:32
@geropl
[scripts] Introduce trivy-scan-images.sh
71bfc08 
Tool: gitpod/catfood.gitpod.cloud
@geropl
[trivy] Fitting trivyignore.yaml
5e382c2 
Tool: gitpod/catfood.gitpod.cloud
@geropl
[trivy] Add scan and enforcement of "CRITICAL" vulns at build time
29be042 
Tool: gitpod/catfood.gitpod.cloud
@geropl
Fix base repo ref
ed5bdb3 
Tool: gitpod/catfood.gitpod.cloud
@geropl geropl force-pushed the gpl/trivy-image-scan branch from ca98a95 to ed5bdb3 Compare March 27, 2025 10:17
@geropl
Replace docker run by oci-tool fetch file
ec2e163 
Tool: gitpod/catfood.gitpod.cloud
@geropl geropl marked this pull request as ready for review March 27, 2025 10:51
@geropl geropl requested a review from corneliusludmann March 27, 2025 10:52
@geropl
Copy link
Member Author

geropl commented Mar 27, 2025

/unhold

@roboquat roboquat merged commit 9dd5f74 into main Mar 28, 2025
20 checks passed
@roboquat roboquat deleted the gpl/trivy-image-scan branch March 28, 2025 07:44
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@corneliusludmann corneliusludmann corneliusludmann approved these changes

Assignees
No one assigned
Labels
size/XL
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@geropl @corneliusludmann @roboquat