
ci: add workflow to check for vulnerabilities in images #381

Merged (1 commit) Feb 6, 2024

Conversation

@rkpattnaik780 (Contributor) commented Jan 3, 2024

Add automation to generate a weekly report of security vulnerabilities found by Quay.

Description

A workflow has been added to display the vulnerabilities found in the different workbench images in tabular format.

How Has This Been Tested?

A dry run in a fork will result in the following changes. link

Merge criteria:

  • The commits are squashed in a cohesive manner and have meaningful messages.
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work
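An added example (not code from this PR or the opendatahub-io/notebooks project) of the tabulation the description above refers to: it reads an assumed `weekly_commit_ids.env`-style file of image digests, counts Quay security-scan findings per severity from the assumed shape of Quay's manifest security endpoint response, and renders the Markdown table; the image names, digests and CVE ids are constructed placeholders.

```python
from collections import Counter

# Constructed sample of a weekly_commit_ids.env-style file (format assumed):
# one <image>=<digest> line per workbench image, for the N and N-1 builds.
COMMIT_IDS_ENV = """\
# generated by the sec-scan workflow (constructed sample)
jupyter-minimal-ubi9-python-3_9-n=sha256:aaaa1111
jupyter-minimal-ubi9-python-3_9-n-1=sha256:bbbb2222
"""
# Constructed responses mirroring the assumed shape of Quay's
# /api/v1/repository/<ns>/<repo>/manifest/<digest>/security?vulnerabilities=true
# endpoint; the CVE ids are placeholders, not real findings.
QUAY_SCAN_RESPONSES = {
    "sha256:aaaa1111": {"status": "scanned", "data": {"Layer": {"Features": [
        {"Name": "openssl", "Version": "3.0.1", "Vulnerabilities": [
            {"Name": "CVE-EXAMPLE-0001", "Severity": "High"},
            {"Name": "CVE-EXAMPLE-0002", "Severity": "Medium"}]},
        {"Name": "zlib", "Version": "1.2.13", "Vulnerabilities": []}]}}},
    "sha256:bbbb2222": {"status": "queued", "data": None},  # scan not finished
}
SEVERITIES = ("Critical", "High", "Medium", "Low", "Unknown")

def parse_commit_ids(text):
    """Return {image: digest} from KEY=value lines, ignoring comments/blanks."""
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {key.strip(): value.strip() for key, value in pairs}

def count_vulnerabilities(scan):
    """Per-severity counts, or None when Quay has not (yet) scanned the digest,
    so an unscanned image is flagged instead of being reported as clean."""
    if scan.get("status") != "scanned" or not scan.get("data"):
        return None
    counts = Counter()
    for feature in scan["data"]["Layer"]["Features"]:
        for vuln in feature.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "Unknown")
            counts[sev if sev in SEVERITIES else "Unknown"] += 1
    return counts

def render_table(commit_ids, responses):
    """Markdown table with one row per image; unscanned images say so."""
    rows = ["| Image | Digest | " + " | ".join(SEVERITIES) + " |",
            "|" + " --- |" * (len(SEVERITIES) + 2)]
    for image, digest in commit_ids.items():
        counts = count_vulnerabilities(responses.get(digest, {}))
        cells = (["not scanned"] * len(SEVERITIES) if counts is None
                 else [str(counts[s]) for s in SEVERITIES])
        rows.append(f"| {image} | {digest} | " + " | ".join(cells) + " |")
    return "\n".join(rows)
```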

@rkpattnaik780 rkpattnaik780 changed the title WIP: ci: add workflow to check for vulnerabilities in images ci: add workflow to check for vulnerabilities in images Jan 8, 2024
@atheo89 (Member) left a comment

Great contribution, Rama! I've gone through this pull request and appended a few comments for minor adjustments.

Review comments (resolved) on:

  • .github/workflows/sec-scan.yml (outdated)
  • ci/security-scan/weekly_commit_ids.env
  • .github/workflows/sec-scan.yml (outdated)
  • Makefile (outdated)
@atheo89 (Member) commented Jan 15, 2024

Tnx /lgtm 🙂

@jiridanek (Member)

I have one (additional) suggestion. Enable Dependabot security alerts for this repo.

Currently, GitHub (dependabot) is already scanning dependencies in this repository and lists them on https://github.com/opendatahub-io/notebooks/network/dependencies. What it does not do is show the vulnerabilities tab, which must be enabled extra https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#configuration-of-dependabot-alerts

@harshad16 (Member) left a comment

Great work.
Sorry for the delayed review.

Adding comments at least to those code blocks where a new action is happening would help contributors.

Review comment (outdated, resolved) on ci/security-scan/quay_security_analysis.py
* `ci/security-scan/weekly_commit_ids` with the latest updated SHA digests of the notebooks (N & N-1)
Created by `/.github/workflows/sec-scan.yaml`

:exclamation: **IMPORTANT NOTE**: Remember to delete the ` ${{ env.SEC_SCAN_BRANCH }}` branch after merging the changes
@jiridanek (Member) Jan 31, 2024

Consider enabling https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-the-automatic-deletion-of-branches in repository settings. Autodeleted branches can be restored with push of a button if still needed later.

@rkpattnaik780 (Contributor, Author)

Thanks for the suggestion. We can club it with automating deletion for this workflow as well.

@harshad16 (Member) left a comment

A few more changes; review comments (outdated, resolved) on:

  • ci/security-scan/quay_security_analysis.py
  • .github/workflows/sec-scan.yml
@harshad16 (Member) left a comment

/lgtm
/approve

thanks for the work 👍

@openshift-ci openshift-ci bot added the lgtm label Feb 5, 2024
openshift-ci bot (Contributor) commented Feb 5, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: harshad16

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved label Feb 5, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit fc62a20 into opendatahub-io:main Feb 6, 2024
4 checks passed