PLTF-24 Image scan on latest tags #230
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
Hi @raymyers, this is still open but the underlying issue was closed. Are you still intending to merge this or shall we close it?
Instead of hardcoding image tags in the scan-docker-images workflow, extract them from the chart values files using yq. This ensures the scanned images stay in sync with the chart definitions.

- Add discover_images job to extract tags from values.yaml files
- Use dynamic matrix from discovered images for scan job

Co-authored-by: openhands <openhands@all-hands.dev>
Recording this flavor hack for posterity, as I took the comment out of the code. This was for the case of ubuntu vs debian based images. There may be a better way.

This runs a trivy scan on the current docker images, publishing results to the GitHub security tab.
This partially meets the requirement of vulnerability scanning for SOC 2. Example findings:
https://github.com/All-Hands-AI/OpenHands-Cloud/security/code-scanning?query=pr%3A230+is%3Aopen
The images scanned:
Helm Chart Checklist
- `version` field in `Chart.yaml` for each modified chart

Additional Notes
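A workflow shaped like the one the commit message and the PR description outline (a discover_images job that reads tags out of the chart values with yq and feeds a dynamic matrix to a trivy scan whose SARIF lands in the Security tab), as an added example that is not code from this PR or from the OpenHands-Cloud repository. The charts/*/values.yaml layout, the image.repository and image.tag keys, the weekly schedule and the pinned action versions are assumptions.

```yaml
name: scan-docker-images

on:
  pull_request:
  schedule:
    - cron: "0 6 * * 1"   # weekly, so newly published CVEs surface without a code change

permissions:
  contents: read
  security-events: write   # required to upload SARIF to the Security tab

jobs:
  discover_images:
    runs-on: ubuntu-latest
    outputs:
      images: ${{ steps.list.outputs.images }}
    steps:
      - uses: actions/checkout@v4
      - id: list
        # Assumed layout: charts/<name>/values.yaml with image.repository / image.tag.
        # yq (mikefarah) and jq are preinstalled on GitHub-hosted Ubuntu runners.
        # Emits a JSON array such as ["ghcr.io/org/app:1.2.3", ...] for the matrix.
        run: |
          images=$(for f in charts/*/values.yaml; do
            yq '.image.repository + ":" + (.image.tag | tostring)' "$f"
          done | sort -u | jq -R . | jq -cs .)
          echo "images=$images" >> "$GITHUB_OUTPUT"

  scan:
    needs: discover_images
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false   # one vulnerable image must not hide findings for the others
      matrix:
        image: ${{ fromJson(needs.discover_images.outputs.images) }}
    steps:
      - uses: aquasecurity/trivy-action@0.28.0   # pin to a released tag, not a branch
        with:
          image-ref: ${{ matrix.image }}
          format: sarif
          output: trivy.sarif
          ignore-unfixed: true
          severity: CRITICAL,HIGH
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy.sarif
          category: trivy-${{ matrix.image }}   # keeps each image's results distinct
```

Because the tag list is derived from values.yaml on every run, bumping a chart's image.tag changes what gets scanned with no workflow edit, which is the sync property the commit message describes.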