Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add security-scan for CRT #13627

Merged
merged 5 commits into from
Jan 31, 2022
Merged

add security-scan for CRT #13627

merged 5 commits into from
Jan 31, 2022

Conversation

claire-labry
Copy link
Collaborator

@claire-labry claire-labry commented Jan 11, 2022
edited
Loading

What this PR does is it enables security scanning (owned by the Security team) for this repository. This is a part of the Common Release Tooling (CRT) effort which enables a consistent workflow for security scanning that can be used across products and services. It provides a single abstraction point to allow us integrate our own scanning capabilities, as well as leverage external tools and APIs from vendors, open source, or free-to-use projects. Learn more about HashiCorp's security-scanner here.

The security-scan tests are passing successfully:

security-scan-binaries
security-scan-containers

You'll also see that I had to upgrade the Dockerfile to use alpine:3 as the older version caused the security-scanner to pick up some vulnerabilities, CVEs to be specific. See error outputs here that arose. We worked with Security and they scanned different versions of the alpine base image and concluded that version 3 picks up the most stable + clean version of alpine and suggested to upgrade to that version to avoid any friction and potential vulnerabilities in the future and simply tidy up the container.

I ran into some merge conflicts, but resolved those and will be happy to squash and merge once this PR is approved.

If anyone needs any further clarification or if nothing makes sense, feel free to comment or reach out to me! ❤️

@vercel vercel bot temporarily deployed to Preview – vault-storybook January 11, 2022 15:59 Inactive
@vercel vercel bot temporarily deployed to Preview – vault January 11, 2022 15:59 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook January 11, 2022 17:42 Inactive
@vercel vercel bot temporarily deployed to Preview – vault January 11, 2022 17:42 Inactive
@claire-labry claire-labry changed the title [DRAFT] add security-scan add security-scan for CRT Jan 11, 2022
@claire-labry claire-labry marked this pull request as ready for review January 11, 2022 17:50
@mladlow mladlow requested a review from jasonodonnell January 11, 2022 21:04
@mladlow
Copy link
Collaborator

mladlow commented Jan 11, 2022

I'm requesting review of the Docker aspects from @jasonodonnell.

jasonodonnell
jasonodonnell reviewed Jan 11, 2022
View reviewed changes
Dockerfile Outdated
@@ -1,4 +1,4 @@
FROM alpine:3.14 as default
FROM alpine:3 as default
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks fine as it will always pull in the latest version of 3.x, but my only concern is it's difficult to tell what version of Alpine was used in the build. As long as we can keep a receipt of that, and we're okay with always rolling forward, then this should be fine.

Copy link
Collaborator Author

@claire-labry claire-labry Jan 19, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah okay, I got mixed up with Security's recommendation and another product's recommendation. They asked to use alpine:3 but Security's recommendation was to bump to alpine:3.15 -- I can definitely make that change to be more prescriptive. Great call out.

@vercel vercel bot temporarily deployed to Preview – vault January 19, 2022 15:38 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook January 19, 2022 15:38 Inactive
sarahethompson
sarahethompson approved these changes Jan 19, 2022
View reviewed changes
Copy link
Collaborator

@sarahethompson sarahethompson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

mladlow
mladlow approved these changes Jan 21, 2022
View reviewed changes
Copy link
Collaborator

@mladlow mladlow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @claire-labry! Do you need someone on the Vault team to merge this?

@mladlow mladlow merged commit 935b12a into main Jan 31, 2022
@mladlow mladlow deleted the enable-security-scan branch January 31, 2022 16:35
claire-labry added a commit that referenced this pull request Feb 1, 2022
@claire-labry
add security-scan for CRT (#13627)
3d4f9b8 
* add security-scan

* updating the alpine version

* clean up

* update the alpine version to be more prescriptive
claire-labry added a commit that referenced this pull request Feb 1, 2022
@claire-labry
add security-scan for CRT (#13627)
aa3ca3a 
* add security-scan

* updating the alpine version

* clean up

* update the alpine version to be more prescriptive
claire-labry added a commit that referenced this pull request Feb 1, 2022
@claire-labry
add security-scan for CRT (#13627)
9a64bf4 
* add security-scan

* updating the alpine version

* clean up

* update the alpine version to be more prescriptive
claire-labry added a commit that referenced this pull request Feb 1, 2022
@claire-labry
add security-scan for CRT (#13627) (#13863)
c7101a5 
* add security-scan

* updating the alpine version

* clean up

* update the alpine version to be more prescriptive
claire-labry added a commit that referenced this pull request Feb 1, 2022
@claire-labry
add security-scan for CRT (#13627) (#13864)
bfeb7f1 
* add security-scan

* updating the alpine version

* clean up

* update the alpine version to be more prescriptive
claire-labry added a commit that referenced this pull request Feb 1, 2022
@claire-labry
add security-scan for CRT (#13627) (#13865)
4bfb63f 
* add security-scan

* updating the alpine version

* clean up

* update the alpine version to be more prescriptive
sarahethompson pushed a commit that referenced this pull request Feb 3, 2022
@claire-labry @sarahethompson
add security-scan for CRT (#13627)
dc590a7 
* add security-scan

* updating the alpine version

* clean up

* update the alpine version to be more prescriptive
@thiskevinwang thiskevinwang mentioned this pull request Apr 25, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jasonodonnell jasonodonnell jasonodonnell left review comments

@sarahethompson sarahethompson sarahethompson approved these changes

@mladlow mladlow mladlow approved these changes

@ncabatoff ncabatoff Awaiting requested review from ncabatoff

Assignees
No one assigned
Labels
pr/no-changelog
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@claire-labry @mladlow @jasonodonnell @sarahethompson