Create SBOMs and scan for vulnerablities #20801
Conversation
github-actions
bot
added
team: team-experience
team: team-engine
team: team-enterprise
labels
.github/workflows/build.yml
Outdated
| GITPOD_TEST_TOKEN_BITBUCKET: "${{ secrets.GITPOD_TEST_TOKEN_BITBUCKET }}" | ||
| GITPOD_TEST_TOKEN_BITBUCKET_SERVER: "${{ secrets.GITPOD_TEST_TOKEN_BITBUCKET_SERVER }}" | ||
| GITPOD_TEST_TOKEN_BITBUCKET_SERVER_WRITE: "${{ secrets.GITPOD_TEST_TOKEN_BITBUCKET_SERVER_WRITE }}" | ||
| GITPOD_TEST_TOKEN_BITBUCKET_SERVER_READ: "${{ secrets.GITPOD_TEST_TOKEN_BITBUCKET_SERVER_READ }}" |
There was a problem hiding this comment.
@corneliusludmann Do we really need all of these env vars? 🤔
Generally, I think producing the SBOMs should be part of the build itself - and only the scan separate - where we would not need all of these, because we effectively pull the required SBOMs from all the packages..?
There was a problem hiding this comment.
That would also allow us to have the "scan" as separate workflow that we trigger syncronously - and get rid of the invasive && needs.configuration.outputs.is_scheduled_run != 'true' checks... 🫧
There was a problem hiding this comment.
Generally, I think producing the SBOMs should be part of the build itself - and only the scan separate - where we would not need all of these, because we effectively pull the required SBOMs from all the packages..?
In general, I agree. Actually, we generate the SBOMs during build already. However, when we want to pull the cached packages Leeway calculates the internal version (aka hash) of the packages based on the package manifest, which also includes the value of envs. When the envs are not the same, Leeway would rebuild the packages.
To be honest, I don't know which variables exactly are considered. Do you think it's worth to try it out and find the right set of variables needed for it?
There was a problem hiding this comment.
Removed the envs that are not needed as discussed and it works. ✔️
| @@ -95,6 +96,33 @@ packages: | |||
| - ["sh", "-c", "echo \"version: ${version}\" >> versions.yaml"] | |||
| - ["sh", "-c", "dev-version-manifest--app/version-manifest >> versions.yaml"] | |||
| - ["sh", "-c", "rm -r components* dev-*"] | |||
| - name: needs-vuln-scan | |||
There was a problem hiding this comment.
Uh, that's neat! But how do we make sure this stays complete? 🫧
Maybe not a problem for now, but rather for Flex 👍
| @@ -31,6 +31,20 @@ defaultArgs: | |||
| provenance: | |||
| enabled: true | |||
| slsa: true | |||
| sbom: | |||
| enabled: true | |||
| ignoreVulnerabilities: | |||
|
|
|
/unhold |
Description
This PR improves our vulnerability detection by implementing daily scans and optimizing the scanning process.
Changes
needs-vuln-scantarget to focus on relevant packages onlyThe implementation replaces direct Trivy scanning with Leeway's built-in SBOM capabilities for better build system integration. When vulnerabilities are detected, the workflow automatically notifies us on Slack.
Related Issue(s)
Fixes https://linear.app/gitpod/issue/CLC-1339/sbom-vuln-scanning-on-gitpod-iogitpod
How to test
Run the workflow with "simulate scheduled" enabled. If you remove the ignore rules, you get a Slack message like this: https://gitpod.slack.com/archives/C07270E825R/p1746699798336559
Preview status
gitpod:summary
Build Options
Build
Run the build with werft instead of GHA
Run Leeway with
--dont-testPublish
Installer
Add desired feature flags to the end of the line above, space separated
Preview Environment / Integration Tests
If enabled this will build
install/previewIf enabled this will create the environment on GCE infra
Saves cost. Untick this only if you're really sure you need a non-preemtible machine.
Valid options are
all,workspace,webapp,ide,jetbrains,vscode,ssh. If enabled,with-previewandwith-large-vmwill be enabled./hold