Add container vulnerability scanning for the built/published ACA-Py images. #2087
Comments
@ryjones, Does Hyperledger have any existing tools and processes for this? Are there any other projects doing this?
@WadeBarnes I think you can choose from a lot of free ones, we don't have a policy
Narrowing to container images seems to give this list. Sysdig and Snyk are the names I recognize, but not sure about which to use. Opinions? Need to verify their use/pricing for open source projects.
I created an acapy image with the new Dockerfile from the docker folder, uploaded it to Dockerhub and scanned it with the Snyk tool. It was showing a lot of vulnerabilities arising from the Debian-buster base image. The number of vulnerabilities went down drastically when changing the base image from
@pradeepp88, Did you try it with Python 3.9? The new GHA workflows only produce images for Python 3.6 (for legacy test purposes) and Python 3.9. The Python 3.6 image is just being created to make side-by-side testing easier before testing the Python 3.9 image.
@pradeepp88, it would also be interesting to compare the results when using
@WadeBarnes I have tested the images with
Thanks @pradeepp88 — great stuff. Much appreciation for the work and conclusions.
thanks @pradeepp88, the related PR updating the base images has been merged.
Addresses #2087 Signed-off-by: Ry Jones <[email protected]>
@WadeBarnes does #2417 address this completely?
Addresses #2087 Signed-off-by: Ry Jones <[email protected]>
Addressed with #2418
PR #2076 added support for building and publishing ACA-Py images. The initial implementation just builds and publishes the images.
It would be a great enhancement to have these containers scanned on a regular basis (and possibly during the builds) for vulnerabilities.