Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ci: report vulnerabilities and fail on HIGH,CRITICAL #152

Merged
merged 2 commits into from
Oct 14, 2024
Merged

ci: report vulnerabilities and fail on HIGH,CRITICAL #152

merged 2 commits into from
Oct 14, 2024

Conversation

cjdcordeiro
Copy link
Collaborator

  • Have you signed the CLA?

Problem

The current GH workflow runs the Trivy scan but doesn't react to its findings, exiting successfully even if there are vulnerabilities.

In this PR

This PR adds an additional Trivy execution that raises an error on HIGH and CRITICAL vulnerabilities. It also uploads the vulnerability report to the CI run and the GitHub Security dashboard (example)

@github-advanced-security
Copy link

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@cjdcordeiro
Copy link
Collaborator Author

@letFunny @rebornplusplus can we update the yaml module?

@cjdcordeiro cjdcordeiro requested review from letFunny and removed request for niemeyer August 7, 2024 12:00
@cjdcordeiro cjdcordeiro added the Simple Nice for a quick look on a minute or two label Aug 8, 2024
@cjdcordeiro
Copy link
Collaborator Author

needs #153 for CI to pass

@rebornplusplus
Copy link
Member

@letFunny @rebornplusplus can we update the yaml module?

Should be alright, yeah. Following should do it:

go get gopkg.in/yaml.v3
go mod tidy

If you want to take this chance and update everything:

go get -u
go mod tidy

@rebornplusplus
Copy link
Member

Oh, I see you raised #153 already!

niemeyer
niemeyer approved these changes Oct 14, 2024
View reviewed changes
Copy link
Contributor

@niemeyer niemeyer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can't tell if this is actually doing what it should, but the theory sounds good.

@niemeyer niemeyer merged commit 3880d2b into canonical:main Oct 14, 2024
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@letFunny letFunny letFunny approved these changes

@rebornplusplus rebornplusplus rebornplusplus approved these changes

@niemeyer niemeyer niemeyer approved these changes

Assignees

@niemeyer niemeyer

Labels
Simple Nice for a quick look on a minute or two
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@cjdcordeiro @rebornplusplus @niemeyer @letFunny