Setup trivy for vulnerability scanning #1789
Comments
Seems like CAPI and the AWS-Provider do run the scans with a cron defined in the GitHub action yaml. I like the idea of having a scan on new releases as soon as the PR kicks off, and also on a weekly basis. Which images should be included from https://console.cloud.google.com/gcr/images/cluster-api-provider-vsphere? Best
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
Hey @srm09, is this still a valid issue? If it is, I would like to work on it.
Yup looks good. @zhanggbj Sorry wasn't aware of this issue when we did the PRs. I'll follow up with some PRs to fix the found CVEs:
/close
@sbueringer: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/kind feature
Describe the solution you'd like
CAPI has trivy to get an early signal on CVE vulnerabilities:
kubernetes-sigs/cluster-api#7604 related issue in the CAPI repo
kubernetes-sigs/cluster-api#7632 has links to other similar issues for some other providers
We should have a similar setup for CAPV PRs and make it not required, so even if it fails we could get the PR merged and open a follow up PR to remediate the issue.
Anything else you would like to add:
n/a
/priority important-soon
/lifecycle active