CDAPI-68 Enable trivy scanning and enhance preview environment workflow #14
neil-sproston merged 1 commit into main from
Conversation
✅ Trivy gate: no Critical/High vulnerabilities.
Trivy Filesystem Scan Summary
Filesystem: /tmp/artifact
✅ No vulnerabilities found.
nhsd-jack-wainwright left a comment
LGTM 👍 , just some minor comments / questions.
| }); | ||
| # ---------- Perform trivy scan and notify ---------- | ||
| - name: Prepare lambda artifact for trivy scan |
I wonder if it would be better to run the trivy steps here as part of the stage-1-commit.yaml workflow rather than the preview-env workflow? It would mean that you may need to run the make build target again but would keep it together with the existing scan-dependencies job.
Maybe - I do like having it in the PR as akin to the sonarcloud messages...
Currently it will always setup the preview environment for the user but will fail hard as a quality gate if any critical problems are found
| format: spdx-json | ||
| output: sbom.spdx.json | ||
| - name: Trivy SBOM Dependency Graph Upload |
Where would this dependency graph be uploaded currently?
We are not currently uploading it in our workflow. This is a non-default option for uploading the dependency graph to our GitHub repo.
This functionality is included as we are planning to contribute it "upstream"
| if: github.event.action != 'closed' | ||
| uses: ./.github/actions/trivy-fs-sbom | ||
| with: | ||
| fs-path: /tmp/artifact |
As this is looking at the files retrieved from the bundled artifact.zip, I think Trivy will be scanning the code of any dependencies alongside the Pathology API source code. Should this step instead be looking at the pathology-api directory at the root of the repository instead?
| run: cat trivy_fs_report.md >> "$GITHUB_STEP_SUMMARY" | ||
| - name: Update Trivy PR comment | ||
| if: ${{ github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork }} |
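Review bot: the fork exclusion on the `if:` line is the right guard, since the GITHUB_TOKEN is read-only for pull requests opened from forks, but this snippet does not show the job's `permissions:` block; the sticky comment action needs `pull-requests: write`, so confirm that is granted at the job level with nothing broader than that scope.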
Does this PR comment update as PRs are subsequently updated after being initially created?
Yes they are updated - this action is based as closely as possible on the "upstream" action which we want to contribute back to. That action uses a "sticky" comment so it does update but does not appear at the end each time - not my preference but is in line with current practice in the nhs-england-tools actions.
| - name: Update Trivy PR comment | ||
| if: ${{ github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork }} | ||
| uses: marocchino/sticky-pull-request-comment@v2 |
Should the version of the Github action here be pinned to a commit hash rather than a version number?
In our actions yes we do - however this action is based as closely as possible on the action in nhs-england-tools so that we can rapidly contribute back to "upstream", hence we follow their practice in this action.
| - name: Trivy SBOM SPDX Scan - Docker Image | ||
| if: ${{ inputs.image-ref != '' }} | ||
| uses: aquasecurity/trivy-action@0.28.0 |
Should the version of the trivy-action here be pinned to a commit hash rather than a version number?
In our actions yes we do - however this action is based as closely as possible on the action in nhs-england-tools so that we can rapidly contribute back to "upstream", hence we follow their practice in this action.
| fi | ||
| - name: Trivy fs scan | ||
| uses: aquasecurity/trivy-action@0.28.0 |
As above, should the version of the trivy-action here be pinned to a commit hash?
In our actions yes we do - however this action is based as closely as possible on the action in nhs-england-tools so that we can rapidly contribute back to "upstream", hence we follow their practice in this action.
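As an added illustration of the three points raised in the review threads above (pinning the action to a commit SHA rather than a tag, scanning the pathology-api source directory rather than the unpacked artifact in /tmp/artifact, and failing the job only on Critical/High findings), here is one trivy-action step in that shape; it is not code from this PR or from nhs-england-tools, and `<sha-of-0.28.0>` is a placeholder for the full commit SHA that the 0.28.0 tag resolves to, not a real hash.

```yaml
# Added example, not from this PR: a single trivy-action step that reflects
# the review comments above. Replace <sha-of-0.28.0> with the full commit SHA
# that tag 0.28.0 resolves to (placeholder, not a real hash).
- name: Trivy fs scan (pathology-api source)
  # Pinned to a commit SHA; the trailing comment records the tag it maps to
  # so that reviewers can see which release is being used.
  uses: aquasecurity/trivy-action@<sha-of-0.28.0> # 0.28.0
  with:
    scan-type: fs
    # Scan the source tree at the repository root, not the unpacked
    # artifact.zip under /tmp/artifact, so that bundled third-party code is
    # not reported as if it were project source.
    scan-ref: pathology-api
    # Quality gate: only Critical/High findings fail the job, matching the
    # "Trivy gate: no Critical/High vulnerabilities" status on this PR.
    severity: CRITICAL,HIGH
    exit-code: '1'
    # Skip findings with no fixed version available, to keep the gate
    # actionable for the team.
    ignore-unfixed: true
    format: table
```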
d846b89 to 08be85d
Deployment Complete
Description
Context
This change provides trivy scanning of the lambda code, thus satisfying a red-line requirement.