Conversation

robert-cronin
Contributor

@robert-cronin robert-cronin commented Jun 3, 2025

Reason for Change:

Refactored preset image dockerfile to group os dependencies in one target for easy scanning
Converted trivy pipeline into matrix strategy

Issue Fixed:
N/A

Notes for Reviewers:
I am not sure if all of these require scanning, happy to cut down to a subset. Some images I've left out because they are quite large, e.g. the llm-reference-preset and ragservice images.
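
A matrix-style scan job of the kind the description refers to, shown here as an added illustration and not the PR's own workflow file; the image list, the `os-deps` build target, the Dockerfile paths and the `test/` image prefix are assumptions, while the step names and action inputs follow the local run posted below and the documented inputs of aquasecurity/trivy-action:

```yaml
name: Scan preset images

on:
  pull_request:

jobs:
  scan:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false            # report every image, not only the first failing one
      matrix:
        # Assumed image list; the large llm-reference-preset and ragservice
        # images are left out, as the PR description notes.
        image:
          - preset-tfs
          - preset-vllm
    name: Scan ${{ matrix.image }} image
    steps:
      - uses: actions/checkout@v4

      - name: Build ${{ matrix.image }} OS layer
        run: |
          # Assumed Dockerfile layout: one shared target (os-deps) carries the
          # Debian packages, so scanning that stage covers the OS package set once.
          docker build --target os-deps \
            -t "test/${{ matrix.image }}:latest" \
            -f "docker/presets/${{ matrix.image }}/Dockerfile" .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: image
          image-ref: "test/${{ matrix.image }}:latest"
          scanners: vuln                     # skip the secret scan the log flags as slow
          severity: MEDIUM,HIGH,CRITICAL     # the local run failed on two MEDIUM findings
          ignore-unfixed: true               # both findings in the log have a fixed version, so they still fail
          exit-code: "1"                     # non-zero exit fails this matrix leg
          format: table
```

Each matrix leg fails independently, so a finding in one image does not hide the results for the others.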

@robert-cronin robert-cronin force-pushed the feat/add-scan-for-reference-preset-image branch 2 times, most recently from c4bd823 to 83bb362 Compare June 3, 2025 07:27
@robert-cronin
Contributor Author

robert-cronin commented Jun 3, 2025

Result from my local run for the preset base os trivy scan:

[Build and Push Preset Models/Scan preset base os image] ⭐ Run Main Run Trivy
[Build and Push Preset Models/Scan preset base os image]   🐳  docker exec cmd=[bash --noprofile --norc -e -o pipefail /var/run/act/workflow/3-composite-6.sh] user= workdir=
| Running Trivy with options: trivy image test/preset-tfs:latest
| 2025-06-03T07:45:03Z  WARN    [vulndb] Trivy DB may be corrupted and will be re-downloaded. If you manually downloaded DB - use the `--skip-db-update` flag to skip updating DB.
| 2025-06-03T07:45:03Z  INFO    [vulndb] Need to update DB
| 2025-06-03T07:45:03Z  INFO    [vulndb] Downloading vulnerability DB...
| 2025-06-03T07:45:03Z  INFO    [vulndb] Downloading artifact...        repo="public.ecr.aws/aquasecurity/trivy-db:2"
| 
| 2025-06-03T07:45:06Z  INFO    [vulndb] Artifact successfully downloaded       repo="public.ecr.aws/aquasecurity/trivy-db:2"
| 2025-06-03T07:45:06Z  INFO    [vuln] Vulnerability scanning is enabled
| 2025-06-03T07:45:06Z  INFO    [secret] Secret scanning is enabled
| 2025-06-03T07:45:06Z  INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
| 2025-06-03T07:45:06Z  INFO    [secret] Please see also https://trivy.dev/v0.63/docs/scanner/secret#recommendation for faster secret detection
| 2025-06-03T07:45:10Z  INFO    Detected OS     family="debian" version="12.11"
| 2025-06-03T07:45:10Z  INFO    [debian] Detecting vulnerabilities...   os_version="12" pkg_num=151
| 2025-06-03T07:45:10Z  WARN    Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.63/docs/scanner/vulnerability#severity-selection for details.
| 
| Report Summary
| 
| ┌───────────────────────────────────────┬────────┬─────────────────┬─────────┐
| │                Target                 │  Type  │ Vulnerabilities │ Secrets │
| ├───────────────────────────────────────┼────────┼─────────────────┼─────────┤
| │ test/preset-tfs:latest (debian 12.11) │ debian │        2        │    -    │
| └───────────────────────────────────────┴────────┴─────────────────┴─────────┘
| Legend:
| - '-': Not scanned
| - '0': Clean (no security findings detected)
| 
| 
| For OSS Maintainers: VEX Notice
| --------------------------------
| If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
| VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
| Learn more and start using VEX: https://trivy.dev/v0.63/docs/supply-chain/vex/repo#publishing-vex-documents
| 
| To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.
| 
| 
| test/preset-tfs:latest (debian 12.11)
| 
| Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
| 
| ┌─────────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────┬──────────────────────────────────────────────────────┐
| │   Library   │ Vulnerability │ Severity │ Status │ Installed Version │  Fixed Version   │                        Title                         │
| ├─────────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────┤
| │ libsystemd0 │ CVE-2025-4598 │ MEDIUM   │ fixed  │ 252.36-1~deb12u1  │ 252.38-1~deb12u1 │ systemd-coredump: race condition that allows a local │
| │             │               │          │        │                   │                  │ attacker to crash a SUID...                          │
| │             │               │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2025-4598            │
| ├─────────────┤               │          │        │                   │                  │                                                      │
| │ libudev1    │               │          │        │                   │                  │                                                      │
| │             │               │          │        │                   │                  │                                                      │
| │             │               │          │        │                   │                  │                                                      │
| └─────────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────┴──────────────────────────────────────────────────────┘
[Build and Push Preset Models/Scan preset base os image]   ❌  Failure - Main Run Trivy [7.137283062s]
[Build and Push Preset Models/Scan preset base os image] exitcode '1': failure
[Build and Push Preset Models/Scan preset base os image] ⭐ Run Main Remove Trivy Envs file
[Build and Push Preset Models/Scan preset base os image]   🐳  docker exec cmd=[bash --noprofile --norc -e -o pipefail /var/run/act/workflow/3-composite-7.sh] user= workdir=
[Build and Push Preset Models/Scan preset base os image]   ✅  Success - Main Remove Trivy Envs file [77.818767ms]
[Build and Push Preset Models/Scan preset base os image]   ❌  Failure - Main Run Trivy vulnerability scanner [16.016759494s]
[Build and Push Preset Models/Scan preset base os image] exitcode '1': failure
[Build and Push Preset Models/Scan preset base os image] ⭐ Run Post Run Trivy vulnerability scanner
[Build and Push Preset Models/Scan preset base os image]   🐳  docker cp src=/home/rob/.cache/act/aquasecurity-trivy-action@master/ dst=/var/run/act/actions/aquasecurity-trivy-action@master/
[Build and Push Preset Models/Scan preset base os image] ⭐ Run Post Install Trivy
[Build and Push Preset Models/Scan preset base os image]   🐳  docker cp src=/home/rob/.cache/act/aquasecurity-setup-trivy@ff1b8b060f23b650436d419b5e13f67f5d4c3087/ dst=/var/run/act/actions/aquasecurity-setup-trivy@ff1b8b060f23b650436d419b5e13f67f5d4c3087/
[Build and Push Preset Models/Scan preset base os image] ⭐ Run Post Checkout install script
[Build and Push Preset Models/Scan preset base os image]   🐳  docker exec cmd=[/opt/acttoolcache/node/18.20.8/x64/bin/node /var/run/act/actions/actions-checkout@v4/dist/index.js] user= workdir=
[Build and Push Preset Models/Scan preset base os image]   ✅  Success - Post Checkout install script [155.543207ms]
[Build and Push Preset Models/Scan preset base os image] ⭐ Run Post Restore Trivy binary from cache
[Build and Push Preset Models/Scan preset base os image]   🐳  docker exec cmd=[/opt/acttoolcache/node/18.20.8/x64/bin/node /var/run/act/actions/actions-cache@v4/dist/save/index.js] user= workdir=
| [command]/usr/bin/tar --posix -cf cache.tzst --exclude cache.tzst -P -C /home/rob/go/src/kaito --files-from manifest.txt --use-compress-program zstdmt
| Cache Size: ~40 MB (41869152 B)
| Cache saved successfully
| Cache saved with key: trivy-binary-v0.63.0-Linux-X64
[Build and Push Preset Models/Scan preset base os image]   ✅  Success - Post Restore Trivy binary from cache [592.291753ms]
[Build and Push Preset Models/Scan preset base os image]   ✅  Success - Post Install Trivy [808.638134ms]
[Build and Push Preset Models/Scan preset base os image]   ✅  Success - Post Run Trivy vulnerability scanner [913.457382ms]
[Build and Push Preset Models/Scan preset base os image] ⭐ Run Complete job
[Build and Push Preset Models/Scan preset base os image]   ✅  Success - Complete job
[Build and Push Preset Models/Scan preset base os image] 🏁  Job failed
Error: Job 'Scan preset base os image' failed

@robert-cronin robert-cronin force-pushed the feat/add-scan-for-reference-preset-image branch 9 times, most recently from 731f347 to b728242 Compare June 4, 2025 06:08
Signed-off-by: robert-cronin <robert.owen.cronin@gmail.com>
@chewong chewong force-pushed the feat/add-scan-for-reference-preset-image branch from b728242 to 55873eb Compare July 15, 2025 00:30
@chewong chewong self-requested a review as a code owner July 15, 2025 00:30
@chewong chewong changed the title Expand trivy scanning to other images ci: Expand trivy scanning to other images Jul 15, 2025
Signed-off-by: robert-cronin <robert.owen.cronin@gmail.com>
Collaborator

@chewong chewong left a comment

LGTM!

@chewong chewong merged commit a42040d into kaito-project:main Aug 1, 2025
18 of 26 checks passed