Ubuntu vulnerability container image scan #1637
Conversation
Hmm, since the crazy-max/ghaction-container-scan@v3 action is maintained by someone else, it potentially allows them to nullify this check by updating the action to do nothing. Maybe it may make sense to fork this action into the Fuel organization and use it instead.
Agree - this action seems to have a small community. We should audit the action and likely fork it to ensure it doesn't become a malicious attack vector.
@Voxelot - would it be better to investigate another action, or can you assist with forking this action's code repo? (I don't think I have the fork repo permissions.)
I've created a fork here: https://github.com/FuelLabs/ghaction-container-scan. Looking through the code it seems like a pretty lightweight wrapper around trivy, but we could have appsec review it as well.
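The concern raised above is that a workflow step referencing a third-party action by a mutable tag (`@v3`) lets that action's maintainer change what the step does at any time, including turning the scan into a no-op. Forking into the organization is one mitigation; the other common one is to pin every third-party action to a full 40-character commit SHA, which GitHub resolves immutably. The script below is an added example written for this page, not code from the PR or from the ghaction-container-scan project: it parses workflow YAML text for `uses:` references and reports third-party actions that are not SHA-pinned. The embedded workflow and the FuelLabs commit SHA in it are constructed placeholders, and the `trusted_owners` allowlist is an assumption about which owners a team chooses to exempt.

```python
"""Audit GitHub Actions workflow text for third-party actions referenced by a
mutable tag or branch instead of an immutable commit SHA.

Added example for this discussion; not code from the PR or the action project.
"""
import re
from dataclasses import dataclass
from typing import List, Sequence

# Matches `uses: owner/repo[/subpath]@ref` in workflow YAML. Local actions
# (`./path`) and `docker://` images never match because they lack the
# `owner/repo@ref` shape, so only GitHub-hosted actions are reported.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?"
    r"([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)(/[^@'\"\s]*)?@([^'\"\s#]+)"
)
# A full commit SHA is the only reference GitHub treats as immutable.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line_no: int
    action: str      # owner/repo[/subpath]
    ref: str         # whatever follows '@'
    owner: str
    pinned: bool     # True only when ref is a 40-hex commit SHA
    trusted_owner: bool


def audit_workflow(text: str,
                   trusted_owners: Sequence[str] = ("actions", "github")) -> List[Finding]:
    """Return one Finding per `uses:` line that references a GitHub-hosted action."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        owner, repo, subpath, ref = m.groups()
        findings.append(Finding(
            line_no=line_no,
            action=f"{owner}/{repo}{subpath or ''}",
            ref=ref,
            owner=owner,
            pinned=bool(SHA_RE.match(ref)),
            trusted_owner=owner in trusted_owners,
        ))
    return findings


def unpinned_third_party(text: str,
                         trusted_owners: Sequence[str] = ("actions", "github")) -> List[Finding]:
    """Findings a reviewer would block on: mutable ref AND owner outside the allowlist."""
    return [f for f in audit_workflow(text, trusted_owners)
            if not f.pinned and not f.trusted_owner]


# Constructed sample workflow (not the project's real workflow). The FuelLabs
# SHA below is a placeholder with the right shape, not a real commit.
SAMPLE_WORKFLOW = """\
name: build-publish
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan image
        uses: crazy-max/ghaction-container-scan@v3
        with:
          image: example/app:latest
      - uses: FuelLabs/ghaction-container-scan@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""


def format_report(findings: List[Finding]) -> str:
    """Human-readable summary, one line per finding."""
    if not findings:
        return "OK: all third-party actions are pinned to a commit SHA"
    return "\n".join(
        f"line {f.line_no}: {f.action}@{f.ref} is a mutable reference; pin to a commit SHA or use an org fork"
        for f in findings
    )


if __name__ == "__main__":
    print(format_report(unpinned_third_party(SAMPLE_WORKFLOW)))
```

Run against a real repository by reading each file under `.github/workflows/` into `unpinned_third_party`; pass an empty `trusted_owners` tuple to treat first-party `actions/*` steps as strictly as everything else. Note that pinning addresses the mutable-reference problem but not the content of the pinned code, so the appsec review mentioned above is still needed for whichever commit or fork ends up referenced.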
Closing for now
Implement an Ubuntu vulnerability container scan in the container image build-publish process.
The action is based on: https://github.com/marketplace/actions/container-scan#scan-image