securityscanutils

package

v1.13.0-beta2 Latest Latest Go to latest Published: Aug 5, 2022 License: Apache-2.0 Imports: 4 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/solo-io/gloo

README ¶

Trivy Security Scanning

Trivy is a security scanning tool which we use to scan our images for vulnerabilities.

Scanning Images Locally

Scan a single image

You can run a trivy scan identical to CI on your own command line by installing trivy and running

trivy image --severity HIGH,CRITICAL quay.io/solo-io/<IMAGE>:<VERSION>

Scan a collection of images

Using our scanner, we can run scans against groups of images. To filter which version to scan, we can either use:

MIN_SCANNED_VERSION (scan all version greater than the provided tag)

IMAGE_REPO=quay.io/solo-io SCAN_DIR=_output/scans MIN_SCANNED_VERSION="v1.8.0" go run generate_docs.go run-security-scan -r gloo

VERSION_CONSTRAINT (scan all versions that match the constraint)

IMAGE_REPO=quay.io/solo-io SCAN_DIR=_output/scans VERSION_CONSTRAINT=">v1.8.0, <v1.9.0" go run generate_docs.go run-security-scan -r gloo

Scanning enterprise images

If you want to run the enterprise security scanning locally, make sure to have your GITHUB_TOKEN environment variable set and run the command with -r set to the enterprise repository:

IMAGE_REPO=quay.io/solo-io SCAN_DIR=_output/scans MIN_SCANNED_VERSION="v1.8.0" go run generate_docs.go run-security-scan -r glooe

Outputs

The outputs of a trivy scan are the following: _output/scans/gloo/markdown_results - a folder which has scans for each image of each version of gloo that was scanned. The scan results are in markdown format and are uploaded to a google cloud bucket, which we later pull from during docs generation (which happens on merges to master), to generate a human-readable markdown security scans document, which we display in our docs.

_output/scans/gloo/sarif_results - a folder which has .sarif files containing scan results for each image of each version of gloo that was scanned. These .sarif files are then uploaded to github, and the scan results can be seen on the security tab of the gloo repo.

Documentation ¶

Index ¶

func BuildSecurityScanReportGloo(tags []string) error
func BuildSecurityScanReportGlooE(tags []string) error
func EnterpriseImages(before17 bool) []string
func GetSecurityScanReport(url string) (string, error)
func OpenSourceImages() []string

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func BuildSecurityScanReportGloo ¶ added in v1.7.0

func BuildSecurityScanReportGloo(tags []string) error

func BuildSecurityScanReportGlooE ¶ added in v1.7.0

func BuildSecurityScanReportGlooE(tags []string) error

func EnterpriseImages ¶ added in v1.9.0

func EnterpriseImages(before17 bool) []string

List of images only included in gloo edge enterprise In 1.7, we replaced the grpcserver images with gloo-fed images. For images before 1.7, set before17 to true.

func GetSecurityScanReport ¶

func GetSecurityScanReport(url string) (string, error)

func OpenSourceImages ¶ added in v1.9.0

func OpenSourceImages() []string

List of images included in gloo edge open source

Types ¶

This section is empty.

Source Files ¶

View all Source files

securityscan_utils.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL