README
¶
Trivy Security Scanning
Trivy is a security scanning tool which we use to scan our images for vulnerabilities.
Scanning Images Locally
Scan a single image
You can run a trivy scan identical to CI on your own command line by installing Trivy and running
trivy image --severity HIGH,CRITICAL quay.io/solo-io/<IMAGE>:<VERSION>
Scan a single version
You can scan all Gloo Edge images for a specific version by running
VERSION=<VERSION> make scan-version
Generating Scan Result Documentation Locally
Scan open source images
Using our scanner, we can run scans against groups of images. To filter which version to scan, we use:
VERSION_CONSTRAINT=">v1.8.0, <v1.9.0" go run generate_docs.go run-security-scan -r gloo
Scanning enterprise images
If you want to run the enterprise security scanning locally, make sure to have your GITHUB_TOKEN environment variable set and run the command with -r set to the enterprise repository:
VERSION_CONSTRAINT=">v1.8.0, <v1.9.0" go run generate_docs.go run-security-scan -r glooe
Outputs
The outputs of a trivy scan are the following:
_output/scans/gloo/markdown_results - a folder which has scans for each image of each version of gloo that was scanned. The scan results are in markdown format
and are uploaded to a google cloud bucket, which we later pull from during docs generation (which happens on merges to main), to generate a human-readable markdown
security scans document, which we display in our docs.
Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func BuildSecurityScanReportGloo ¶ added in v1.7.0
func BuildSecurityScanReportGlooE ¶ added in v1.7.0
func EnterpriseImages ¶ added in v1.9.0
List of images only included in gloo edge enterprise In 1.7, we replaced the grpcserver images with gloo-fed images.
func GetSecurityScanReport ¶
func OpenSourceImages ¶ added in v1.9.0
List of images included in gloo edge open source version 1.<version>.x
Types ¶
This section is empty.
Source Files