
GH action: add SBOM + scanner for dockerfile and docker images

Open zdtsw opened this issue 3 years ago • 5 comments

GH action: add SBOM for linux docker images + scanner for dockerfile

- use trivy to scan all Dockerfile.release.full
- use syft to generate sbom from images we build
- upload to codeql for trivy scan result from image
- windows is not working for sbom and trivy yet

sbom result artifacts: https://github.com/zdtsw/containers/actions/runs/2882299165
scan result: https://github.com/zdtsw/containers/actions/runs/2882299167

zdtsw, Aug 18 '22 13:08
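The pipeline the issue describes (trivy over the Dockerfiles, trivy over the built images with SARIF uploaded to GitHub code scanning, syft SBOMs kept as artifacts), written out as an added example workflow. This is not the workflow from zdtsw's linked runs or from the adoptium/containers repository; the workflow name, the matrix entries (`context`, `dockerfile`, `tag`, `name`) and the `Dockerfile.release.full` paths are assumptions that must be replaced with the repository's real locations. Only `ubuntu-latest` runners are used because the issue reports the Windows side as not working yet.

```yaml
# Added example workflow, not the project's own. Names and paths are assumptions.
name: container-sbom-and-scan

on:
  workflow_dispatch:
  pull_request:
    paths:
      - '**/Dockerfile*'

permissions:
  contents: read
  security-events: write   # required by github/codeql-action/upload-sarif

jobs:
  dockerfile-scan:
    # trivy's config scanner flags Dockerfile misconfigurations such as a missing non-root USER
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: trivy config scan of all Dockerfiles in the checkout
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: config
          scan-ref: .
          format: sarif
          output: trivy-config.sarif
          severity: HIGH,CRITICAL
          exit-code: '0'    # report only; set to '1' to fail the job on findings

      - name: upload Dockerfile findings to code scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: trivy-config.sarif
          category: trivy-dockerfile

  image-scan-and-sbom:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          # assumed entries: one per Dockerfile.release.full the repository actually ships
          - context: 17/jdk/ubuntu/focal
            dockerfile: 17/jdk/ubuntu/focal/Dockerfile.release.full
            tag: local/temurin:17-jdk-focal
            name: 17-jdk-focal
          - context: 11/jdk/ubuntu/focal
            dockerfile: 11/jdk/ubuntu/focal/Dockerfile.release.full
            tag: local/temurin:11-jdk-focal
            name: 11-jdk-focal
    steps:
      - uses: actions/checkout@v3
      - uses: docker/setup-buildx-action@v2

      - name: build the image into the local daemon (never pushed)
        uses: docker/build-push-action@v3
        with:
          context: ${{ matrix.context }}
          file: ${{ matrix.dockerfile }}
          load: true
          push: false
          tags: ${{ matrix.tag }}

      - name: trivy vulnerability scan of the built image
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: image
          image-ref: ${{ matrix.tag }}
          format: sarif
          output: trivy-image-${{ matrix.name }}.sarif
          ignore-unfixed: true   # drop findings the base distro has no fix for yet
          severity: HIGH,CRITICAL
          exit-code: '0'

      - name: upload image findings to code scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: trivy-image-${{ matrix.name }}.sarif
          category: trivy-image-${{ matrix.name }}

      - name: generate SBOM with syft and keep it as a workflow artifact
        uses: anchore/sbom-action@v0
        with:
          image: ${{ matrix.tag }}
          format: spdx-json
          artifact-name: sbom-${{ matrix.name }}.spdx.json
          upload-artifact: true
```

Two choices matter for signal quality: `category` must be unique per matrix entry, otherwise each SARIF upload overwrites the previous one in the code scanning view, and `ignore-unfixed` keeps unfixable base-image CVEs from burying the findings the maintainers can actually act on.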

Looks like "Specify at least 1 USER command in Dockerfile with non-root user as argument" is the worst thing in all our Dockerfiles. Some others might need to be addressed too:

https://avd.aquasec.com/nvd/2022/cve-2022-37434/
https://avd.aquasec.com/nvd/2020/cve-2020-16156/
https://avd.aquasec.com/nvd/2016/cve-2016-2781/

zdtsw, Aug 19 '22 07:08

This PR has no related issue for it.

After discussion in the PMC call today, I will create an issue so we can discuss a best path forward, thinking about the design and benefits and maintenance implications of such a change and to talk about the scanning that occurs upstream already, in order to compare what is being checked / scanned to avoid duplication.

smlambert, Aug 24 '22 13:08

@tianon / @yosifkit do either of you two have any thoughts about this? It would be good to understand what scanning the official images already go through prior to publishing. I wonder if this is the most appropriate place to have this code (perhaps it's better in the upstream GitHub action that is maintained by your team?)

gdams, Aug 24 '22 14:08

Created https://github.com/adoptium/containers/issues/267 for discussing best approach and location for such scanning and work to take place.

smlambert, Aug 24 '22 16:08

Thanks for the ping, @gdams :heart:

I would say that at the Dockerfile source level is probably not the best place to check for issues with the final built images. :sweat_smile:

That being said, this is definitely a priority for Docker - there's a lot of work in BuildKit to generate SBOMs directly at build-time (see especially https://github.com/moby/buildkit/issues/2773 and linked PRs), and that's the direction we're planning to take. :+1:

tianon, Aug 25 '22 21:08

@zdtsw can this be closed now given the comments above?

tellison, Nov 29 '22 08:11

> @zdtsw can this be closed now given the comments above?

sure

zdtsw, Nov 29 '22 09:11