ci(nightly): various trivy-related tweaks (#4935)

1. only check the edge-static image There are a bunch of libc-related findings that are hard to address, and likely not relevant for us: for example, Go will not use glibc's regexp engine, even if linked against libc. 2. pull the image before checking it I've noticed locally that `trivy image` will just use whatever image it finds under the mentioned tag. So we pull first to ensure that we actually scan the right 'edge' image. 3. split jobs Before, the scan-repo step wouldn't ever happen if scan-image failed. Let's do them both all the time instead. 4. for the repo scan, ignore go.mod files of the dependencies -- there's little we can do about, say, grpc referencing a vulnerable yaml.v2 dep in its go.mod. And there should also be little harm in it, since we're using a more recent version in our go.mod. 5. Updated .trivyignore with recent, new, findings. Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>
open-policy-agent · Jul 25, 2022 · c981cc9 · c981cc9
1 parent 742ca92
commit c981cc9
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 11 deletions.
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
@@ -77,32 +77,42 @@ jobs:
           status: ${{ job.status }}
           fields: repo,workflow
 
-  trivy-scan:
-    name: Trivy security scan
+  trivy-scan-image:
+    name: Trivy security scan image
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
+      - name: Checkout code # needed for .trivyignore file
         uses: actions/checkout@v3
 
+      - run: "docker pull openpolicyagent/opa:edge-static"
+
       # Equivalent to:
-      # $ trivy fs .
-      - name: Run Trivy scan on repo
+      # $ trivy image openpolicyagent/opa:edge-static
+      - name: Run Trivy scan on image
         uses: aquasecurity/trivy-action@0.6.0
         with:
-          scan-type: fs
+          image-ref: 'openpolicyagent/opa:edge-static'
           format: table
           exit-code: '1'
           ignore-unfixed: true
+          vuln-type: os,library
           severity: CRITICAL,HIGH
 
+  trivy-scan-repo:
+    name: Trivy security scan repo
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
       # Equivalent to:
-      # $ trivy image openpolicyagent/opa:edge
-      - name: Run Trivy scan on image
+      # $ trivy fs .
+      - name: Run Trivy scan on repo
         uses: aquasecurity/trivy-action@0.6.0
         with:
-          image-ref: 'openpolicyagent/opa:edge'
+          scan-type: fs
           format: table
           exit-code: '1'
           ignore-unfixed: true
-          vuln-type: os,library
-          severity: CRITICAL,HIGH
+          skip-dirs: vendor/ # don't check go deps' go.mod files
+          severity: CRITICAL,HIGH
diff --git a/.trivyignore b/.trivyignore
@@ -6,11 +6,33 @@ CVE-2021-3538
 
 # * go.etcd.io/etcd - we don't run etcd as part of the OPA deployment
 CVE-2018-1098
+CVE-2018-1099
 
 # * k8s.io/kubernetes - we don't run kubernetes as part of the OPA deployment
+CVE-2019-1002101
+CVE-2019-11250
 CVE-2019-11253
+CVE-2019-11254
+CVE-2020-8552
+CVE-2020-8554
+CVE-2020-8555
+CVE-2020-8557
 CVE-2020-8558
+CVE-2020-8559
+CVE-2020-8561
+CVE-2020-8562
+CVE-2020-8563
+CVE-2020-8564
+CVE-2020-8565
+CVE-2021-25735
+CVE-2021-25740
 CVE-2021-25741
 
 # * github.com/emicklei/go-restful - we don't use its code in our handlers
 CVE-2022-1996
+
+# * github.com/docker/distribution - OCI manifest code isn't used
+GHSA-qq97-vm5h-rrhg
+
+# github.com/dgrijalva/jwt-go -- vulnerable version used by docker/distribution above
+CVE-2020-26160