[security] audit repository tooling #930
The Security SIG is looking to ensure that security tooling is set up consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:

Parent issue: open-telemetry/sig-security#12

Comments

Hello @dmitryax @TylerHelmuth

@EjiroLaurelD @codeboten we have no code in this repo. Do the first 2 tasks apply to this repository?

The repo has Helm charts in it. As a suggestion, we can use Aqua Trivy as a static code analysis tool for the repo.

I am not familiar with that tool. Is it testing that the Helm chart is installable? If so, we are using chart-testing for that. Is it testing whether or not the thing the Helm chart installs has security issues? If it is, then would that produce duplicate security warnings, since the applications we deploy are OpenTelemetry applications that would trigger security alerts in their own repos?

I am not very familiar with the tool myself, but I have seen it used on a few IaC projects online. I found that Trivy can be used to test whether a Helm chart is installable, but it is not primarily a testing tool. It is a security scanning tool that is used mainly in development to scan the Helm charts for security vulnerabilities, misconfigurations and secrets without executing the chart. Yes, it may produce duplicate security warnings for the OpenTelemetry applications, but this can be reduced if Trivy is configured to ignore certain types of warnings. For example, it can be configured to ignore warnings for known vulnerabilities that have already been patched in the OpenTelemetry applications. Another way to reduce the number of duplicate security warnings is to integrate Trivy with the CI/CD pipeline. This will allow Trivy scans to be run on Helm charts as part of the build process. The CI/CD pipeline can then be configured to only fail the build if Trivy finds new security vulnerabilities that have not already been patched in the OpenTelemetry applications. I hope this helps.
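To make the Trivy suggestion in the thread concrete, here is an added example of a GitHub Actions workflow that runs Trivy's misconfiguration scan over the chart directory on every pull request. It is not part of the thread and not the repository's own CI. It assumes the charts live under `charts/`, that the `aquasecurity/trivy-action` version pin shown is the one you want, and that findings the maintainers have already triaged are listed in a `.trivyignore` file at the repository root.

```yaml
# Added example (not from the thread or the repository): scan Helm charts
# for misconfigurations with Trivy on every pull request.
name: trivy-helm-scan

on:
  pull_request:
    paths:
      - "charts/**"          # assumed chart directory

permissions:
  contents: read

jobs:
  trivy-config:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # `scan-type: config` renders and inspects the chart templates without
      # installing them and reports Kubernetes misconfigurations (missing
      # securityContext, privileged containers, and so on) rather than image
      # CVEs, so it does not duplicate the vulnerability alerts raised in the
      # application repositories.
      - name: Trivy misconfiguration scan
        uses: aquasecurity/trivy-action@0.28.0   # version pin is an assumption
        with:
          scan-type: config
          scan-ref: charts
          severity: HIGH,CRITICAL
          exit-code: "1"        # fail the job on findings of these severities
          format: table
      # Trivy reads `.trivyignore` from the working directory by default; any
      # check ID listed there (one per line, e.g. <check-id-you-have-triaged>)
      # is excluded from the exit code, so only new findings break the build.
```

The `.trivyignore` file is the mechanism for the "ignore already-handled warnings" behaviour discussed above: one check ID per line, with `#` comments allowed for recording why each ID was accepted. Keeping that file under review in the same repository means suppressions are visible in pull requests rather than hidden in CI settings.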