Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: setup scanners for ratify releases #1521

Merged
merged 9 commits into from
May 31, 2024
Merged

Conversation

susanshi
Copy link
Collaborator

Description

What this PR does / why we need it:

Add a workflow to scan branch of selection.
This scanner is added based on GK scanner at https://github.com/open-policy-agent/gatekeeper/blob/master/.github/workflows/scan-vulns.yaml

See sample scan result: https://github.com/susanshi/ratify/actions/runs/9261974720

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):

Fixes #1461

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Helm Chart Change (any edit/addition/update that is necessary for changes merged to the main branch)
  • This change requires a documentation update

How Has This Been Tested?

Sample run
https://github.com/susanshi/ratify/actions/runs/9261974720

Checklist:

  • Does the affected code have corresponding tests?
  • Are the changes documented, not just with inline documentation, but also with conceptual documentation such as an overview of a new feature, or task-based documentation like a tutorial? Consider if this change should be announced on your project blog.
  • Does this introduce breaking changes that would require an announcement or bumping the major version?
  • Do all new files have appropriate license header?

Post Merge Requirements

  • MAINTAINERS: manually trigger the "Publish Package" workflow after merging any PR that indicates Helm Chart Change

Copy link

codecov bot commented May 28, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 68.15%. Comparing base (1bd347c) to head (52f92d1).
Report is 58 commits behind head on dev.

Additional details and impacted files
@@            Coverage Diff             @@
##              dev    #1521      +/-   ##
==========================================
+ Coverage   66.76%   68.15%   +1.38%     
==========================================
  Files         116      119       +3     
  Lines        6030     6139     +109     
==========================================
+ Hits         4026     4184     +158     
+ Misses       1620     1561      -59     
- Partials      384      394      +10     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@binbin-li
Copy link
Collaborator

changes lgtm, thanks for adding it! Just have one question on the scan result:
image
Looks like there are 2 medium vulnerabilities in the kubectl dependency, but the status of 2 steps is all green.
image
Wonder if the step would fail if we do discover any high or critical vulnerabilities in the images in the future, otherwise it would be difficult for us to notice it.

junczhu
junczhu previously approved these changes May 30, 2024
@binbin-li binbin-li merged commit 340c4db into ratify-project:dev May 31, 2024
18 of 19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

setup scanners for supported ratify releases
4 participants