IT-3421: Add vulnerability scanning to container build #3

brucehoff · 2024-07-31T15:18:00Z

Builds container and caches it as a '.tar' file
Passes the '.tar' file to Trivy for vulnerabilty checking
Vul'n findings appear under the GitHub "Security" tab
Only pushes container image to GHCR if vul'n scan passes
Pushes to multiple tags, including Major.minor.patch and Major.minor, allowing the update of Major.minor for security fixes
Provides the ability to suppress "false positive" findings
Adds a daily scan, to identify new vul'ns in existing image
Documents how vul'n scanning and versioning work in README
Updates the base image from RStudio 4.3 to 4.4 (to address identified vulnerabilities)

Note: We increase the 80 character limit to 200 in .yaml files because in trivy.yml we need to list files to skip, some of which have path lengths > 80 characters, and breaking them over multiple lines is unwieldy.

…ation to end

…which doesn't seem to be used

github-advanced-security · 2024-07-31T15:27:59Z

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

Dockerfile

README.md

.yamllint.yaml

.pre-commit-config.yaml

.github/workflows/trivy.yml

.github/workflows/trivy_periodic_image_scan.yml

…d' scan

brucehoff added 30 commits January 21, 2024 08:41

initial commit

e354291

remove 'ubuntu' user reference

d7b77d5

typo

22b3a9b

add packages sudo, psmisc required by RStudio; move R package install…

2527a5d

…ation to end

remove unnecessary quotes

8a56612

updated build workflow

985d7ba

updated workflow; added Dockerfile lint

f8babcd

keep container alive; set auth-none in server.conf

1953554

whitespace

1cfe4e0

update RStudio version to v2023.12.0; remove rstudio-server.service, …

fac8961

…which doesn't seem to be used

added rstudio user

7678a4b

run rstudio as rstudio user

ba34e95

define rstudio user differently

8d78228

added line continuation to Dockerfile

2890bae

added quotes to dockerfile

578e58d

split up multiline command to find error

9a658e6

fixed quotes

9b42953

undid line split

4d466aa

switch to rocker/rstudio to avoid infinite redirect problem

e4942bc

clean up

e5ef2fe

Let rstudio have sudo access without having to enter a password

4f878d6

suppress sudo warning; cleanup whitespace

eae5335

IT-3317 feedbqck from CR

ec892e0

IT-3317 feedback from CR

0ce0f8a

IT-3317 feedback from CR

ebfb4c6

install packages as 'rstudio' user, not as 'root'

6e40d5b

install boto3

2cea41c

clean up Dockerfile

11820e4

install boto3

e5f73bf

upgrading build-push-action from v3 to v5; turning off caching

6983503

brucehoff added 13 commits July 25, 2024 06:37

IT-3421: Add Trivy container scan

6fae8b2

IT-3421: Add tarball upload step

00ae542

IT-3421: upgraded to rstudio 4.4.1; streamlined build

d8bbd0a

IT-3421: whitespace

6b680fc

IT-3421 listed some files for Trivy to skip

f3397ef

IT-3421: Whitespace

96bfb46

IT-3421: add apt-get upgrade to docker build

9404c5f

IT-3421: suppress apt-get-upgrade docker-lint check

45f49a1

IT-3421: Fixed comment

0d45263

IT-3421: Matrix build; ReadMe

2fa8125

IT-3421: Ensure image name is lower case

4f102ad

IT-3421: Fixed container metadata action

cc1cbb4

IT-3421: Fixed bug

e74128a

brucehoff requested a review from a team July 31, 2024 15:18

IT-3421: remove erroneous build matrix

1094bcd

zaro0508 requested changes Aug 1, 2024

View reviewed changes

Dockerfile Show resolved Hide resolved

README.md Outdated Show resolved Hide resolved

.yamllint.yaml Outdated Show resolved Hide resolved

.pre-commit-config.yaml Outdated Show resolved Hide resolved

.github/workflows/trivy.yml Show resolved Hide resolved

IT-3421: Rename yamllint file; set max length in yaml files

ceda40c

brucehoff requested a review from zaro0508 August 2, 2024 21:51

IT-3421, use tags of the form 1.2.3, not v1.2.3

7147ff4

brucehoff requested a review from a team August 2, 2024 23:15

IT-3421 fixed daily cron job for Trivy

785a1fb

zaro0508 requested changes Aug 12, 2024

View reviewed changes

.github/workflows/trivy_periodic_image_scan.yml Outdated Show resolved Hide resolved

zaro0508 requested changes Aug 12, 2024

View reviewed changes

.github/workflows/trivy_periodic_image_scan.yml Outdated Show resolved Hide resolved

IT-3421: Clarify the need to make Docker images lower case

064897b

brucehoff requested a review from zaro0508 August 12, 2024 15:59

brucehoff added 2 commits August 12, 2024 09:03

IT-3421: Clarify the need to make Docker images lower case

d38652e

IT-3421: Improve comments around uploading trivy results for a 'faile…

5b22e06

…d' scan

zaro0508 approved these changes Aug 13, 2024

View reviewed changes

brucehoff merged commit 8f59162 into Sage-Bionetworks-IT:main Aug 13, 2024
5 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

IT-3421: Add vulnerability scanning to container build #3

IT-3421: Add vulnerability scanning to container build #3

brucehoff commented Jul 31, 2024 •

edited

Loading

github-advanced-security bot commented Jul 31, 2024

IT-3421: Add vulnerability scanning to container build #3

IT-3421: Add vulnerability scanning to container build #3

Conversation

brucehoff commented Jul 31, 2024 • edited Loading

github-advanced-security bot commented Jul 31, 2024

brucehoff commented Jul 31, 2024 •

edited

Loading