equinixmetal-buildkite / trivy-buildkite-plugin
License: Apache License 2.0
In order for us not to miss trivy updates, we should be tracking the version with renovate and making sure we get automated version updates.
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
.buildkite/pipeline.yml
    docker-compose v4.12.0
    plugin-linter v3.2.0
.github/workflows/release.yml
    actions/checkout v3
    softprops/action-gh-release v1
.github/workflows/tests.yml
    actions/checkout v3
    actions/checkout v3
    actions/checkout v3
    actions/checkout v3
hooks/pre-checkout
    aquasec/trivy 0.49.1
Makefile
    buildkite/plugin-tester v4.0.0
The plugin currently relies on Docker for two reasons:
We cannot assume that Docker will be available in the CI environment. This is especially true if the plugin is already running in a container / is a child of an isolated process. We should stop using Docker altogether in this plugin. Any image scanning features could go into the docker-build plugin: https://github.com/equinixmetal-buildkite/docker-build-buildkite-plugin
We should investigate using go install github.com/aquasecurity/trivy/cmd/trivy@latest (or @vX.Y.Z). This will likely require an upstream change, as something about their project breaks go install ...:
$ go install github.com/aquasecurity/trivy/cmd/trivy@latest
go: downloading github.com/aquasecurity/trivy v0.31.3
go: github.com/aquasecurity/trivy/cmd/trivy@latest (in github.com/aquasecurity/trivy@v0.31.3):
The go.mod file for the module providing named packages contains one or
more replace directives. It must not contain directives that would cause
it to be interpreted differently than if it were the main module.
Unfortunately, trivy defaults to exiting with status code 0 - even when it finds security issues. This is not useful in a CI environment (or, well, anywhere really). Perhaps the trivy maintainers can be convinced to change this behavior...
In the meantime, we should default trivy's exit status code to non-zero when it finds issues. We still want to allow users to override this behavior - but it should have a more sensible default. At the moment, the plugin defaults to zero which is not ideal.
The post-checkout hook is not appropriate for running Trivy, as we expect the container to be already built by then, e.g. the docker-build plugin uses post-command. We should instead opt for using post-command as well or a later stage so we can take advantage of pre-built images.
The README started as a template provided by buildkite. We need to replace the left-over template parts with actual information.
First, thank you for the plugin! I was working on setting this up tonight in a context where I only want container scanning, not fs scanning.
I tried a bunch of options such as:
skip-dirs: "/*"
skip-files: "/*"
Or:
skip-dirs: "**"
skip-files: "**"
But none of these seemed to successfully skip files. I was considering adding a skip-fs: true/false option and making the script that runs the fs check test for that variable, but I wanted to run that idea past you first in case you have an easier way to achieve what I'm trying to do without changes?
The pre-checkout script looks for the trivy executable in the PATH directories. If the script finds trivy in one of those directories, it should set the TRIVY_EXE_PATH environment variable equal to the executable file path. Unfortunately the pre-checkout script does not currently do that.
The end result is the plugin will fail to run when it finds trivy on the file system.
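The following is an added example, not the plugin's own hook code, covering both the exit-status issue earlier on this page and the pre-checkout issue just above: a PATH lookup that exports TRIVY_EXE_PATH, and a scan command whose --exit-code defaults to 1 (fail the build on findings) unless the user overrides it. It assumes the Buildkite convention of exposing plugin options as BUILDKITE_PLUGIN_TRIVY_<OPTION> variables; the EXIT_CODE and SEVERITY option names are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not the plugin's own hooks). Assumed: plugin options arrive as
# BUILDKITE_PLUGIN_TRIVY_EXIT_CODE and BUILDKITE_PLUGIN_TRIVY_SEVERITY.
set -eu

# What pre-checkout should do: search PATH for trivy and, if found, export
# TRIVY_EXE_PATH pointing at it. Prints the path; returns 1 when not found.
resolve_trivy() {
  found="$(command -v trivy 2>/dev/null)" || return 1
  export TRIVY_EXE_PATH="$found"
  printf '%s\n' "$TRIVY_EXE_PATH"
}

# Build the scan command line. The exit code defaults to 1 so findings fail
# the step; setting BUILDKITE_PLUGIN_TRIVY_EXIT_CODE=0 restores "report only".
# Usage: build_scan_cmd <fs|image> <target>
build_scan_cmd() {
  scan_type="$1"
  target="$2"
  exit_code="${BUILDKITE_PLUGIN_TRIVY_EXIT_CODE:-1}"
  severity="${BUILDKITE_PLUGIN_TRIVY_SEVERITY:-}"

  # Only a non-negative integer is accepted; anything else (empty string,
  # "yes", "abc") falls back to the safe default rather than to 0.
  case "$exit_code" in
    ''|*[!0-9]*) exit_code=1 ;;
  esac

  cmd="${TRIVY_EXE_PATH:-trivy} $scan_type --exit-code $exit_code"
  if [ -n "$severity" ]; then
    cmd="$cmd --severity $severity"
  fi
  cmd="$cmd $target"
  printf '%s\n' "$cmd"
}
```

In a real hook the printed command would be executed (for example with eval or by calling the binary directly) after resolve_trivy has succeeded; a non-zero return from resolve_trivy is the point at which the hook should fall back to downloading trivy.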
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
This repository currently has no open or pending branches.
.buildkite/pipeline.yml
    docker-compose v3.10.0
    plugin-linter v3.0.0
docker-compose.yml
.github/workflows/release.yml
    actions/checkout v3
    softprops/action-gh-release v1
.github/workflows/tests.yml
    actions/checkout v3
    actions/checkout v3
    actions/checkout v3
    actions/checkout v3