
feat: build, scan, and push #25

Open
wants to merge 1 commit into base: main
Conversation

mawinkler
Collaborator

Description

This is a redesigned, more complete GitHub Actions workflow.

Major benefits are that the registry does not get polluted by vulnerable images or images with malware, the scan result and SBOM are always stored as artifacts, and admission control is fully supported based on scan results.

Proposed Changes

  • Not using a scan container but triggering the scan inline allows easier adaptation.
  • Scanning the built image first as a tarball allows security analysis without pushing to a registry.
  • Different handling of vulnerability thresholds by setting the maximum criticality for vulnerabilities. A threshold set to high allows any number of medium or lower criticalities, but no high or higher vulnerabilities.
  • Finishing the workflow by a registry scan allows integration with admission control.
  • Support for scanning for malware or vulnerabilities only.

Type of change

  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist before requesting a review

  • I have performed a self-review of my code
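The threshold rule and the malware-only / vulnerabilities-only modes described in the proposed changes, as an added gate script that is not code from this pull request or the project. The report layout, the `EXAMPLE-*` finding ids and the severity names are constructed assumptions, not the scanner's real output schema; a nonzero exit is what a workflow would use to stop the push step.

```python
"""Severity-threshold gate for a container scan report (added example)."""
import json
import sys

# Ascending severity scale; assumed naming, not taken from the scanner.
SEVERITY_ORDER = ["low", "medium", "high", "critical"]


def findings_at_or_above(vulns, threshold):
    """Return vulnerabilities whose severity is at or above the threshold."""
    floor = SEVERITY_ORDER.index(threshold.lower())
    return [v for v in vulns
            if SEVERITY_ORDER.index(v["severity"].lower()) >= floor]


def evaluate(report, threshold="high", scan_vulns=True, scan_malware=True):
    """Return (passed, reasons).

    threshold="high" permits any number of medium-or-lower findings but
    blocks on high or critical; any malware hit blocks regardless.
    """
    reasons = []
    if scan_vulns:
        blocked = findings_at_or_above(report.get("vulnerabilities", []), threshold)
        if blocked:
            reasons.append(f"{len(blocked)} vulnerabilities at or above {threshold}: "
                           + ", ".join(v["id"] for v in blocked))
    if scan_malware:
        hits = report.get("malware", [])
        if hits:
            reasons.append("malware found: " + ", ".join(h["path"] for h in hits))
    return (not reasons, reasons)


# Constructed sample report with placeholder ids (not real findings).
SAMPLE_REPORT = {
    "vulnerabilities": [
        {"id": "EXAMPLE-1", "severity": "medium"},
        {"id": "EXAMPLE-2", "severity": "high"},
    ],
    "malware": [],
}

if __name__ == "__main__":
    # Usage: gate.py [report.json] [threshold]; falls back to the sample.
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    level = sys.argv[2] if len(sys.argv) > 2 else "high"
    passed, reasons = evaluate(report, threshold=level)
    for reason in reasons:
        print("BLOCKED:", reason)
    sys.exit(0 if passed else 1)
```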

@felipecosta09 felipecosta09 added the enhancement New feature or request label Feb 28, 2024
Member

@felipecosta09 felipecosta09 left a comment


@mawinkler I think there are missing updates in the scripts, right?

I only see changes in the README

@felipecosta09 felipecosta09 changed the title build, scan, and push feat: build, scan, and push Feb 28, 2024
felipecosta09
felipecosta09 previously approved these changes Aug 14, 2024