
Implement Trivy code scanning to help identify vulns #1005

Open
ARolek opened this issue Jul 20, 2024 · 3 comments

Comments

@ARolek
Member

ARolek commented Jul 20, 2024

@fjrsaracho surfaced an issue reported by the code scanning tool Trivy. This issue is about implementing Trivy to do a scan weekly so we can stay on top of vulns even if code is not being pushed.

It is under Apache License 2.0, including commercial usage. You can read more on the following link: https://github.com/aquasecurity/trivy/blob/main/LICENSE

Not sure if it fits for you as a real "open-source"

Originally posted by @fjrsaracho in #1000 (comment)

@ARolek ARolek moved this to Ready in Tegola Roadmap Jul 20, 2024
@iwpnd
Member

iwpnd commented Jul 20, 2024

GitHub offers code scanning too natively if that is an option.

@ARolek
Member Author

ARolek commented Jul 20, 2024

@iwpnd yeah they do, via CodeQL. From my understanding Trivy and CodeQL overlap, but also cover different parts of the codebase. CodeQL would cover the Go and JS code, and Trivy covers the Dockerfile. I still need to research some of the details, but this is my high level understanding.
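The two comments above describe the setup this issue asks for: a Trivy run on a weekly timer so findings surface even when nothing is pushed, alongside CodeQL for the Go and JS code. Below is an added example of such a GitHub Actions workflow; it is not code from the tegola project or from either commenter. It assumes the Dockerfile sits at the repository root, that the `aquasecurity/trivy-action` and `github/codeql-action/upload-sarif` actions are used with the inputs shown, and that the version tags are placeholders to be pinned to a release (or commit SHA) the maintainers have reviewed.

```yaml
# Added example, not the project's own workflow: .github/workflows/trivy.yml
# Runs Trivy on a weekly cron (independent of pushes) and uploads the results
# as SARIF to GitHub code scanning, so they sit next to CodeQL findings.
# Assumptions: Dockerfile at the repo root; action versions below are
# placeholders to be pinned to a reviewed release or commit SHA.
name: trivy-weekly

on:
  schedule:
    - cron: "0 6 * * 1"   # every Monday 06:00 UTC, even with no new commits
  workflow_dispatch:       # allow a manual run when triaging a report

permissions:
  contents: read
  security-events: write   # required to upload SARIF to code scanning

jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Filesystem scan: known vulnerabilities in declared dependencies
      # (go.sum, JS lockfiles). Overlaps with CodeQL's dependency view but
      # uses Trivy's own vulnerability database.
      - name: Trivy filesystem scan
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          format: sarif
          output: trivy-fs.sarif
          severity: CRITICAL,HIGH
          ignore-unfixed: true   # skip findings with no upstream fix yet
          exit-code: "0"         # report only; do not fail the scheduled run

      # Config scan: misconfigurations in the Dockerfile (and any other IaC),
      # which is the part of the repository CodeQL does not cover.
      - name: Trivy config scan
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: config
          scan-ref: .
          format: sarif
          output: trivy-config.sarif
          exit-code: "0"

      # Separate categories keep the two result sets distinct in the
      # Security tab and stop one upload from replacing the other.
      - name: Upload Trivy filesystem results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-fs.sarif
          category: trivy-fs

      - name: Upload Trivy config results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-config.sarif
          category: trivy-config
```

`exit-code: "0"` is deliberate for a scheduled job: the point is to keep the Security tab current, not to mark a cron run as failed. On pull requests the same steps can be reused with a non-zero `exit-code` to block merges on new CRITICAL findings.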

@iwpnd
Member

iwpnd commented Jul 20, 2024

For docker we should be able to get away with Dependabot keeping the image updated.
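As an added illustration of the Dependabot approach mentioned above (not the project's own configuration), this is the `.github/dependabot.yml` entry that watches the Dockerfile's base image; it assumes the Dockerfile is at the repository root and references the base image by a version tag, which Dependabot needs in order to propose a bump.

```yaml
# Added example, not the tegola project's config: .github/dependabot.yml
# Dependabot checks the FROM line(s) in the Dockerfile weekly and opens a
# pull request when the base image publishes a newer version tag.
# Assumption: the Dockerfile lives at "/" and pins a tagged base image.
version: 2
updates:
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
```

This keeps the base image tag moving forward; it does not itself report vulnerabilities in packages already inside a pinned image, which is what a Trivy image or filesystem scan adds on top.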

Labels
None yet
Projects
Status: Ready
Development

No branches or pull requests

2 participants