trivy-buildkite-plugin's People

Contributors

alexhall, angrieralien, dependabot[bot], em-bender, fishnix, hnadiminti-equinix, jaormx, pereztr5, renovate[bot], sfunkhouser, stephen-fox, vipulagarwal

trivy-buildkite-plugin's Issues

Track trivy version with Renovate

In order for us not to miss trivy updates, we should be tracking the version with renovate and making sure we get automated version updates.

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

buildkite
.buildkite/pipeline.yml
  • docker-compose v4.12.0
  • plugin-linter v3.2.0
github-actions
.github/workflows/release.yml
  • actions/checkout v3
  • softprops/action-gh-release v1
.github/workflows/tests.yml
  • actions/checkout v3
  • actions/checkout v3
  • actions/checkout v3
  • actions/checkout v3
regex
hooks/pre-checkout
  • aquasec/trivy 0.49.1
Makefile
  • buildkite/plugin-tester v4.0.0


docker: Stop relying on Docker. Do not build any Docker images

The plugin currently relies on Docker for two reasons:

  • To run trivy itself (by volume mounting the cloned git repo into the trivy container)
  • To build the user's Dockerfile at the root of the repo

We cannot assume that Docker will be available in the CI environment. This is especially true if the plugin is already running in a container / is a child of an isolated process. We should stop using Docker altogether in this plugin. Any image scanning features could go into the docker-build plugin: https://github.com/equinixmetal-buildkite/docker-build-buildkite-plugin

We should investigate using go install github.com/aquasecurity/trivy/cmd/trivy@latest (or @vX.Y.Z). This will likely require an upstream change, as something about their project breaks go install ...:

$ go install github.com/aquasecurity/trivy/cmd/trivy@latest
go: downloading github.com/aquasecurity/trivy v0.31.3
go: github.com/aquasecurity/trivy/cmd/trivy@latest (in github.com/aquasecurity/trivy@v0.31.3):
	The go.mod file for the module providing named packages contains one or
	more replace directives. It must not contain directives that would cause
	it to be interpreted differently than if it were the main module.

exit status: Default trivy's exit status code to non-zero on failure instead of 0

Unfortunately, trivy defaults to exiting with status code 0 - even when it finds security issues. This is not useful in a CI environment (or, well, anywhere really). Perhaps the trivy maintainers can be convinced to change this behavior...

In the meantime, we should default trivy's exit status code to non-zero when it finds issues. We still want to allow users to override this behavior - but it should have a more sensible default. At the moment, the plugin defaults to zero which is not ideal.

Move to a different hook

The post-checkout hook is not appropriate for running Trivy, as we expect the container to be already built by then. e.g. the docker-build plugin uses the post-command. We should instead opt for using post-command as well or a later stage so we can take advantage of pre-built images.

Option to skip fs checks?

First, thank you for the plugin! I was working on setting this up tonight in a context where I only want container scanning, not fs scanning.

I tried a bunch of options such as:

skip-dirs: "/*"
skip-files: "/*"

Or:

skip-dirs: "**"
skip-files: "**"

But none of these seemed to successfully skip files. I was considering adding a skip-fs: true/false option and making the script that runs the fs check test for that variable but I wanted to run that idea past you first in case you have an easier way to achieve what I'm trying to do without changes?

trivy executable: Fix failure when trivy exists in PATH directories

The pre-checkout script looks for the trivy executable in the PATH directories. If the script finds trivy in one of those directories, it should set the TRIVY_EXE_PATH environment variable equal to the executable file path. Unfortunately the pre-checkout script does not currently do that.

The end result is the plugin will fail to run when it finds trivy on the file system.
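As an added example covering the exit-status and trivy-executable issues above (not the plugin's own hook scripts): a POSIX sh fragment that resolves TRIVY_EXE_PATH from the PATH directories and defaults trivy's exit code to non-zero while still honouring a user override. The function names and the BUILDKITE_PLUGIN_TRIVY_EXIT_CODE override variable are assumptions.

```shell
#!/bin/sh
# Added example, not the plugin's own hook code. It covers two of the issues
# above: resolving TRIVY_EXE_PATH from the PATH directories, and giving the
# scan a non-zero exit code by default so findings fail the CI step.
# Assumptions: the function names, and BUILDKITE_PLUGIN_TRIVY_EXIT_CODE as the
# user override variable (Buildkite exposes plugin options in that form).

# Print the first executable named "$1" in the colon-separated list "$2";
# return 1 if there is none. Empty PATH entries (which mean ".") are skipped
# on purpose so the hook never picks up a binary from the checkout itself.
find_exe_in_path() {
  name="$1" old_ifs="$IFS"
  IFS=:
  for dir in $2; do
    [ -n "$dir" ] || continue
    if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
      IFS="$old_ifs"
      printf '%s\n' "$dir/$name"
      return 0
    fi
  done
  IFS="$old_ifs"
  return 1
}

# Export TRIVY_EXE_PATH from PATH unless the user already set it; fail if the
# resulting path is not an executable file.
resolve_trivy_exe() {
  if [ -z "${TRIVY_EXE_PATH:-}" ]; then
    TRIVY_EXE_PATH="$(find_exe_in_path trivy "$PATH")" || return 1
    export TRIVY_EXE_PATH
  fi
  [ -x "$TRIVY_EXE_PATH" ]
}

# Exit code to hand to trivy: the user's override if it is a non-negative
# integer, otherwise 1, so that findings fail the step instead of passing silently.
trivy_exit_code() {
  case "${BUILDKITE_PLUGIN_TRIVY_EXIT_CODE:-}" in
    ''|*[!0-9]*) echo 1 ;;
    *) echo "$BUILDKITE_PLUGIN_TRIVY_EXIT_CODE" ;;
  esac
}
```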

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

buildkite
.buildkite/pipeline.yml
  • docker-compose v3.10.0
  • plugin-linter v3.0.0
docker-compose
docker-compose.yml
github-actions
.github/workflows/release.yml
  • actions/checkout v3
  • softprops/action-gh-release v1
.github/workflows/tests.yml
  • actions/checkout v3
  • actions/checkout v3
  • actions/checkout v3
  • actions/checkout v3
