GH action: add SBOM + scanner for dockerfile and docker images #260
Conversation
- use trivy to scan all Dockerfile.release.full - use syft to generate sbom from images we build - upload to codeql for trivy scan result from image
- for some reason matrix.os to match startwith "windows" does not work
- seems it could not find the image it built from previou step
|
looks like |
|
This PR has no related issue for it. After discussion in the PMC call today, I will create an issue so we can discuss a best path forward, thinking about the design and benefits and maintenance implications of such a change and to talk about the scanning that occurs upstream already, in order to compare what is being checked / scanned to avoid duplication. |
|
@tianon / @yosifkit do either of you two have any thoughts about this? It would be good to understand what scanning the official images already go through prior to publishing. I wonder if this is the most appropriate place to have this code (perhaps it's better in the upstream GitHub action that is maintained by your team? |
|
Created #267 for discussing best approach and location for such scanning and work to take place. |
|
Thanks for the ping, @gdams ❤️ I would say that at the That being said, this is definitely a priority for Docker - there's a lot of work in BuildKit to generate SBOMs directly at build-time (see especially moby/buildkit#2773 and linked PRs), and that's the direction we're planning to take. 👍 |
|
@zdtsw can this be closed now given the comments above? |
sure |
GH action: add SBOM for linux docker images+ scanner for dockerfile
- use trivy to scan all Dockerfile.release.full
- use syft to generate sbom from images we build
- upload to codeql for trivy scan result from image
- windows is not working for sbom and trivy yet
sbom result artifacts: https://github.com/zdtsw/containers/actions/runs/2882299165
scan result: https://github.com/zdtsw/containers/actions/runs/2882299167