
Adds trivy image #123

Merged
bomoko merged 1 commit into main from feature/trivy_image
Apr 15, 2025

Conversation

@bomoko bomoko commented Apr 3, 2025

This adds a trivy image with built-in vulnerability images for use in Lagoon Remote

github-actions bot commented Apr 3, 2025

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

| Package | Version | Score |
| --- | --- | --- |
| actions/actions/attest-build-provenance | c074443f1aee8d4aeeae555aebba3282517141b2 | Unknown (details: Unknown) |
| actions/actions/checkout | 11bd71901bbe5b1630ceea73d27597364c9af683 | 🟢 5.9 |
| actions/anchore/sbom-action | f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 | 🟢 5.1 |
| actions/docker/build-push-action | 471d1dc4e07e5cdedd4c2171150001c434f0b7a4 | 🟢 5.5 |
| actions/docker/login-action | 74a5d142397b4f367a81961eba4e8cd7edddf772 | 🟢 6.3 |
| actions/docker/metadata-action | 902fa8ec7d6ecbf8d84d538b9b233a880e428804 | 🟢 5.9 |
| actions/docker/setup-buildx-action | b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 | 🟢 5.5 |
| actions/docker/setup-qemu-action | 29109295f81e9208d7d86ff1c6c12d2833863392 | 🟢 5.7 |
| actions/softprops/action-gh-release | c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda | 🟢 5 |

Details: actions/actions/checkout (11bd71901bbe5b1630ceea73d27597364c9af683), score 🟢 5.9

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | ⚠️ 2 | 2 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 2 |
| Code-Review | 🟢 10 | all changesets reviewed |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| License | 🟢 10 | license file detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Signed-Releases | ⚠️ -1 | no releases found |
| Security-Policy | 🟢 9 | security policy file detected |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration |
| Pinned-Dependencies | 🟢 3 | dependency not pinned by hash detected -- score normalized to 3 |
| Packaging | 🟢 10 | packaging workflow detected |
| SAST | 🟢 9 | SAST tool detected but not run on all commits |
| Vulnerabilities | ⚠️ 2 | 8 existing vulnerabilities detected |

Details: actions/anchore/sbom-action (f325610c9f50a54015d37c8d16cb3b0e2c8f4de0), score 🟢 5.1

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | 🟢 4 | 5 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4 |
| Code-Review | 🟢 10 | all changesets reviewed |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Binary-Artifacts | 🟢 9 | binaries present in source code |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Security-Policy | 🟢 10 | security policy file detected |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration |
| Signed-Releases | ⚠️ 0 | Project has not signed or included provenance with any releases. |
| Pinned-Dependencies | 🟢 7 | dependency not pinned by hash detected -- score normalized to 7 |
| Packaging | 🟢 10 | packaging workflow detected |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |
| Vulnerabilities | ⚠️ 0 | 11 existing vulnerabilities detected |

Details: actions/docker/build-push-action (471d1dc4e07e5cdedd4c2171150001c434f0b7a4), score 🟢 5.5

| Check | Score | Reason |
| --- | --- | --- |
| Security-Policy | 🟢 9 | security policy file detected |
| Code-Review | 🟢 4 | Found 3/7 approved changesets -- score normalized to 4 |
| Maintained | 🟢 10 | 24 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10 |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| License | 🟢 10 | license file detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | 🟢 5 | branch protection is not maximal on development and all release branches |
| Packaging | 🟢 10 | packaging workflow detected |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |
| Vulnerabilities | 🟢 4 | 6 existing vulnerabilities detected |

Details: actions/docker/login-action (74a5d142397b4f367a81961eba4e8cd7edddf772), score 🟢 6.3

| Check | Score | Reason |
| --- | --- | --- |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Security-Policy | 🟢 9 | security policy file detected |
| Code-Review | 🟢 10 | all changesets reviewed |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Maintained | 🟢 10 | 16 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | 🟢 5 | branch protection is not maximal on development and all release branches |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| SAST | 🟢 8 | SAST tool detected but not run on all commits |
| Vulnerabilities | 🟢 4 | 6 existing vulnerabilities detected |

Details: actions/docker/metadata-action (902fa8ec7d6ecbf8d84d538b9b233a880e428804), score 🟢 5.9

| Check | Score | Reason |
| --- | --- | --- |
| Security-Policy | 🟢 9 | security policy file detected |
| Code-Review | 🟢 8 | Found 5/6 approved changesets -- score normalized to 8 |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Maintained | 🟢 10 | 25 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| License | 🟢 10 | license file detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | 🟢 5 | branch protection is not maximal on development and all release branches |
| Packaging | 🟢 10 | packaging workflow detected |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |
| Vulnerabilities | 🟢 4 | 6 existing vulnerabilities detected |

Details: actions/docker/setup-buildx-action (b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2), score 🟢 5.5

| Check | Score | Reason |
| --- | --- | --- |
| Security-Policy | 🟢 9 | security policy file detected |
| Maintained | 🟢 10 | 17 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 |
| Code-Review | 🟢 5 | Found 3/6 approved changesets -- score normalized to 5 |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | 🟢 5 | branch protection is not maximal on development and all release branches |
| Packaging | 🟢 10 | packaging workflow detected |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |
| Vulnerabilities | 🟢 3 | 7 existing vulnerabilities detected |

Details: actions/docker/setup-qemu-action (29109295f81e9208d7d86ff1c6c12d2833863392), score 🟢 5.7

| Check | Score | Reason |
| --- | --- | --- |
| Code-Review | 🟢 10 | all changesets reviewed |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Security-Policy | 🟢 9 | security policy file detected |
| Maintained | 🟢 10 | 27 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | 🟢 5 | branch protection is not maximal on development and all release branches |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |
| Vulnerabilities | 🟢 3 | 7 existing vulnerabilities detected |

Details: actions/softprops/action-gh-release (c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda), score 🟢 5

| Check | Score | Reason |
| --- | --- | --- |
| Code-Review | 🟢 5 | Found 5/10 approved changesets -- score normalized to 5 |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Maintained | 🟢 10 | 17 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Pinned-Dependencies | 🟢 10 | all dependencies are pinned |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches |
| Security-Policy | ⚠️ 0 | security policy file not detected |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |
| Vulnerabilities | 🟢 5 | 5 existing vulnerabilities detected |

Scanned Files

  • .github/workflows/insights-trivy-image.yaml

@bomoko bomoko requested a review from Copilot April 3, 2025 01:31
Copilot AI left a comment

Pull Request Overview

This PR introduces a new Trivy image with preloaded vulnerability databases for faster scans in Lagoon Remote.

  • Adds a README detailing the custom Trivy image.
  • Introduces a GitHub Actions workflow to build, push, and attest the insights-trivy image.

Reviewed Changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| insights-trivy/README.md | New README with a description of the custom Trivy image and its intended use. |
| .github/workflows/insights-trivy-image.yaml | GitHub Actions workflow for building, tagging, and publishing the insights-trivy image. |
Files not reviewed (1)
  • insights-trivy/Dockerfile: Language not supported

@bomoko bomoko force-pushed the feature/trivy_image branch from 6f627a1 to 1b6aa75 Compare April 3, 2025 01:36
@bomoko bomoko requested a review from tobybellwood April 3, 2025 15:12
@bomoko bomoko marked this pull request as ready for review April 3, 2025 16:30
@tobybellwood tobybellwood left a comment

Looks good to me.

@bomoko bomoko merged commit 0a2553b into main Apr 15, 2025
9 of 11 checks passed