govulncheck to report known vulnerabilities #5199

Merged
merged 1 commit into from
Jul 30, 2024

Conversation

@crazy-max crazy-max (Member) commented Jul 30, 2024

Similar to docker/buildx#2631.

Runs the govulncheck tool in our workflow to report known vulnerabilities that affect Go code, using the Go vulnerability database at https://vuln.go.dev/, and outputs a SARIF report that will be uploaded to GitHub Code scanning, so we have these issues reported in the Security tab as done with Docker Scout in #5184.

Atm, Dependabot will open a pull request when such vulnerabilities are found, similar to #4786, but we often close them because it needs coordination with upstream repositories.

I suggest disabling security updates for Dependabot under https://github.com/moby/buildkit/settings/security_analysis and checking issues reported in the Security tab instead with this workflow, if we are ok with it:

[image]

SARIF output: https://github.com/moby/buildkit/actions/runs/10161094819/job/28098853183?pr=5199#step:4:332

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
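The flow the description outlines (run govulncheck, emit SARIF, upload it so findings land in the Security tab) written out as an added example of a GitHub Actions workflow. This is not the workflow file added by the PR; the workflow name, triggers, schedule, file names and the `category` value are assumptions, and the action versions are pinned only by major tag.

```yaml
# Added example (not the PR's own workflow): run govulncheck and upload its
# SARIF report to GitHub Code scanning. Names, triggers and paths are assumed.
name: govulncheck

on:
  push:
    branches: [master]
  pull_request:
  schedule:
    # Weekly re-scan so advisories published after the last commit still
    # surface without a code change (schedule is an assumption).
    - cron: '0 6 * * 1'

permissions:
  contents: read
  security-events: write   # needed by upload-sarif to create Code scanning alerts

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod

      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest

      # govulncheck only reports vulnerabilities in code the module actually
      # reaches (call-graph analysis), so the report is narrower than a
      # plain match against the dependency list.
      - name: Run govulncheck (SARIF)
        run: govulncheck -format sarif ./... > govulncheck.sarif

      # govulncheck exits non-zero in text mode when it finds vulnerabilities;
      # keep the upload unconditional so findings reach the Security tab
      # regardless of the scan step's exit status.
      - name: Upload SARIF to Code scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: govulncheck.sarif
          category: govulncheck
```

Two details matter for the result to show up: the job needs `security-events: write`, and the upload step should run even when the scan step fails, otherwise a finding that makes govulncheck exit non-zero is exactly the one that never gets uploaded. The `category` keeps govulncheck alerts separate from other SARIF producers (such as the Docker Scout upload mentioned above) in the Code scanning view.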
@github-actions github-actions bot added area/hack building buildkit itself area/ci area/storage labels Jul 30, 2024
@crazy-max crazy-max marked this pull request as ready for review July 30, 2024 11:01
@AkihiroSuda AkihiroSuda merged commit bc92b63 into moby:master Jul 30, 2024
77 checks passed
@crazy-max crazy-max deleted the govulncheck branch July 30, 2024 22:47