
Conversation

@akash4sh (Collaborator) commented Jul 2, 2024

No description provided.

@dryrunsecurity bot commented Jul 2, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security                          Status   Findings
Configured Codepaths Analyzer            -        0 findings
Authn/Authz Analyzer                     -        0 findings
Server-Side Request Forgery Analyzer     -        0 findings
Secrets Analyzer                         -        0 findings
IDOR Analyzer                            -        0 findings
Sensitive Files Analyzer                 -        0 findings
SQL Injection Analyzer                   -        0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The provided code changes cover various aspects of the application's security, including updating a Kubernetes application's version, implementing a security scanning and reporting mechanism in the CI/CD pipeline, and integrating Cosign signing for Docker images.

The changes to the app_list.yaml file update the kubviz-agent application version, which is a routine maintenance task and does not have any significant security implications. However, it is recommended to review the release notes and change logs of the updated application to ensure there are no known security vulnerabilities or issues.

The changes to the Tekton ClusterTasks, trivy-scan-before-task.yaml and trivy-scan-after-task.yaml, implement a security scanning and reporting mechanism using the Trivy security scanner. This is a valuable security practice, as it helps identify known vulnerabilities in container images early in the development process. The storage of the scan results in a PostgreSQL database also provides a way to track and analyze the security posture of the application over time.

The changes to the github-trivy-scan-pipeline.yaml file integrate the security scanning tasks into a comprehensive Tekton pipeline, which also includes steps for building the Docker image, deploying the application, running QT tests, and signing the Docker image using Cosign. This pipeline demonstrates a strong focus on security, with multiple steps in place to ensure the security and integrity of the built Docker image and the deployed application.

Files Changed:

  1. default-apps-templates/app_list.yaml:
     • The targetRevision for the kubviz-agent application has been updated from "1.1.23" to "1.1.24".
  2. cicd/tekton-cluster-tasks/templates/trivy-scan-before-task.yaml:
     • Implements a Tekton ClusterTask that scans a container image using the Trivy security scanner and stores the scan results in a PostgreSQL database.
  3. cicd/tekton-cluster-tasks/templates/trivy-scan-after-task.yaml:
     • Implements a Tekton ClusterTask that scans a Docker image using the Trivy security scanner and stores the scan results in a PostgreSQL database.
  4. tekton-samples/tekton-pipeline-yamls/github-trivy-scan-pipeline.yaml:
     • Defines a Tekton pipeline that performs various tasks, including fetching the source code, building and scanning the Docker image, deploying the application, running QT tests, signing the Docker image using Cosign, and updating the GitHub status.
