Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Trivy security scanner #21780

Open
wants to merge 29 commits into
base: main
Choose a base branch
from
Open

Add Trivy security scanner #21780

wants to merge 29 commits into from

Conversation

lilatomic
Copy link
Contributor

Trivy is a scanner for finding security vulnerabilities and misconfigurations in Docker images, Helm charts, and Terraform modules (among others). This MR adds it for all of those.

I made it as a single MR to minimise churn in the common code (like the invocation of Trivy). Let me know if you'd rather I split this up.

@lilatomic
first pass at running Trivy on Docker targets
16c1423
@lilatomic
mv skip field
abbfd1e
@lilatomic
remove progress bars
bfa2962
@lilatomic
cache to Pants named caches
c83c2ba 
(previously it was escaping the sandbox to use /tmp/trivy, which won't survive reboots)
@lilatomic
tailor and lint
bb856d5
@lilatomic
load config files
781e083
@lilatomic
slight fix to docs on loading config files
fba96a0
@lilatomic
add option for setting allowed severity options
1a419f4
@lilatomic
fix skip field
910dbe1
@lilatomic
allow passing in command-specific arguments
8849e15
@lilatomic
implement trivy for terraform
d0845ee
@lilatomic
add vars-file handling for trivy for terraform
1b4389a
@lilatomic
trivy can lint helm deployments
265b36c
@lilatomic
trivy can lint helm charts too
df5f522
@lilatomic
mv terraform_fieldset_to_init_request
837bdc2
@lilatomic
rebuild terraform to allow extending to modules
f3edd18
@lilatomic
trivy can lint terraform modules
475383e
@lilatomic
register skip fields
c5a1b05
@lilatomic
use correct partitioner
ea0fb12
@lilatomic
add test for trivy terraform
37d709f
@lilatomic
do not forward vars files when running on terraform modules
cbfbd26 
When running on a module, `get_terraform_backend_and_vars` would detect all vars files.
(Because the vars files are typically specified as dependencies on the deployment, the module has none.
Inference then grabs all of them.)
This is almost certainly not desired,
especially since they will be passed when running against the deployment.
@lilatomic
add tests for docker
76c2536
@lilatomic
rebuild trivy validation to use actual subcommand for parsing output
6fb5d01
@lilatomic
add tests for trivy on helm
413907f
@lilatomic
# This is a combination of 2 commits.
0c488e1 
# This is the 1st commit message:

document using Trivy in all backends

# The commit message pantsbuild#2 will be skipped:

# fixup! docs
@lilatomic
fix heading level hierarchy and typo
a607d13
@lilatomic
improve assertions
42c6391
@lilatomic
add to changelog
a6a6013
@lilatomic lilatomic added category:new feature backend: Docker Docker backend-related issues labels Dec 19, 2024
@lilatomic lilatomic added backend: Helm Helm backend-related issues backend: Terraform Terraform backend-related issues labels Dec 19, 2024
alonsodomin
alonsodomin reviewed Dec 19, 2024
View reviewed changes
Copy link
Contributor

@alonsodomin alonsodomin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGMT

Just an observation on how other tools have been added in the past, the default approach I believe is to add their register.py hook under the experimental package, even when the parent module has already been graduated.

Taking as a reference the Python backend and its extra tools that have been gradually added but I'll let others have the final word on that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alonsodomin alonsodomin alonsodomin left review comments

@benjyw benjyw Awaiting requested review from benjyw

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
backend: Docker Docker backend-related issues backend: Helm Helm backend-related issues backend: Terraform Terraform backend-related issues category:new feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@lilatomic @alonsodomin