
Add trivy and sonar repo scan to GitHub actions [3] #7542

Closed
Tracked by #7503
MartinWahnschaffe opened this issue Dec 17, 2021 · 2 comments · Fixed by #11387, #11388 or #11468
Labels: code-quality (Reliability, maintainability, reusability, or testability), task (Something to be done that does not directly affect the software)

Comments

MartinWahnschaffe (Contributor) commented Dec 17, 2021

Problem Description

We are currently using CodeQL to scan for security problems integrated into GitHub and SonarQube to do a more detailed scan which also includes CVE vulnerabilities. Unfortunately, SonarQube is not integrated into the pull request mechanics, so it's easy to miss new vulnerabilities.

Proposed Change

  • Use trivy to check for vulnerabilities (most importantly CVE https://avd.aquasec.com/). This should be integrated into the checks executed for pull requests.
  • Include current rules from SonarQube and let these rules evaluate new code in a pull request (for now don't block the pull request).

Acceptance Criteria

  • Warnings for existing problems are shown as security alerts on Github
  • Vulnerabilities in pull requests are shown as part of the checks.

Alternatives

Use SonarCloud: https://sonarcloud.io/github
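As an added illustration of the proposed change (a workflow written for this discussion, not a file from this repository or from the Trivy project): the step inputs below are the documented inputs of `aquasecurity/trivy-action`; the action version tags, the `main` branch name and the job name are assumptions. The filesystem scan runs on every pull request and on pushes to the default branch, and the SARIF upload turns the findings into code-scanning alerts in the repository's Security tab.

```yaml
# Added example workflow (not from the project): Trivy filesystem scan on pull
# requests, with results uploaded as GitHub code-scanning alerts.
# Action version tags and the branch name are assumed placeholders.
name: Trivy repository scan

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]   # populates alerts for problems already on the default branch

permissions:
  contents: read
  security-events: write   # required to upload SARIF to the Security tab

jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Scan repository for known vulnerabilities
        uses: aquasecurity/trivy-action@master
        continue-on-error: true   # surface findings as a warning, do not block the PR
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'   # the severity filter is the knob the scanner offers
          ignore-unfixed: true        # skip findings with no available fix yet
          exit-code: '1'              # step status reflects whether filtered findings exist

      - name: Upload results as security alerts
        uses: github/codeql-action/upload-sarif@v2
        if: always()   # upload even when the scan step reported findings
        with:
          sarif_file: 'trivy-results.sarif'
```

With `exit-code: '1'` the scan step itself fails whenever a CRITICAL or HIGH finding remains, and `continue-on-error: true` keeps that failure from failing the overall check, so the pull request shows a warning annotation while the SARIF upload still records every finding as an alert. Dropping `continue-on-error` is the switch for making the check blocking later. The SARIF upload only produces alerts in repositories where code scanning is available (public repositories, or private ones with GitHub Advanced Security).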

@MartinWahnschaffe MartinWahnschaffe added technology Technical issues, e.g. synchronization, libraries, plugins, etc. task Something to be done that does not directly affect the software labels Dec 17, 2021
JonasCir added a commit that referenced this issue Dec 22, 2021
JonasCir added a commit that referenced this issue Dec 22, 2021
JonasCir added a commit that referenced this issue Dec 22, 2021
@vidi42 vidi42 added this to the Sprint 110 - 1.67.0 milestone Jan 6, 2022
@StefanKock StefanKock removed this from the Sprint 112 - 1.69.0 milestone Mar 2, 2022
JonasCir added a commit that referenced this issue Jun 28, 2022
JonasCir added a commit that referenced this issue Jun 28, 2022
JonasCir added a commit that referenced this issue Jun 28, 2022
@StefanKock StefanKock added code-quality Reliability, maintainability, reusability, or testability dependencies Pull requests that update a dependency file and removed technology Technical issues, e.g. synchronization, libraries, plugins, etc. labels Jun 30, 2022
@MartinWahnschaffe MartinWahnschaffe added needs-refinement Refinement or further specification required and removed needs-refinement Refinement or further specification required labels Jun 30, 2022
@MartinWahnschaffe MartinWahnschaffe changed the title Add trivy repo scan to GitHub actions Add trivy or sonarcloud repo scan to GitHub actions Oct 11, 2022
@StefanKock StefanKock changed the title Add trivy or sonarcloud repo scan to GitHub actions Add trivy or sonarcloud repo scan to GitHub actions [3] Jan 26, 2023
@StefanKock StefanKock changed the title Add trivy or sonarcloud repo scan to GitHub actions [3] Add trivy and sonarcloud repo scan to GitHub actions [3] Jan 26, 2023
@StefanKock StefanKock changed the title Add trivy and sonarcloud repo scan to GitHub actions [3] Add trivy and sonar repo scan to GitHub actions [3] Jan 26, 2023
MartinWahnschaffe (Contributor, Author) commented

To be done:

  • both should not block PRs
  • Add rules from existing SonarQube

JonasCir (Contributor) commented Jan 30, 2023

@MartinWahnschaffe Unfortunately, we cannot avoid the CI failing. Once a critical error is detected in the PR, the corresponding CI pass will fail. You only control the severity level (low, medium, high, critical), but you cannot disable it.

Looking into the existing rules now...

@StefanKock StefanKock added this to the Iteration 2023-01 - 1.80.0 milestone Feb 6, 2023
JonasCir added a commit that referenced this issue Feb 6, 2023
JonasCir added a commit that referenced this issue Feb 6, 2023
JonasCir added a commit that referenced this issue Feb 6, 2023
JonasCir added a commit that referenced this issue Feb 6, 2023
JonasCir added a commit that referenced this issue Feb 6, 2023
JonasCir added a commit that referenced this issue Feb 6, 2023
JonasCir added a commit that referenced this issue Feb 6, 2023
JonasCir added a commit that referenced this issue Feb 6, 2023
@StefanKock StefanKock removed the dependencies Pull requests that update a dependency file label Feb 9, 2023
MartinWahnschaffe added a commit that referenced this issue Feb 9, 2023
…-new

[#7542] only comment on PR event, not on branch push