This repository is an example of a Concourse pipeline that utilizes a scan task. This task allows an OSS CF Component contributor to scan a configured Github repository for CVEs with Anchore tools syft and grype.
Utilizing this example's scan-for-cves task enables contributors to check for CVEs earlier in their release processes, as it will scan a Github repository branch that can be configured in the pipeline's resources.
This work is being done by Ryan Hall as a member of TAS Slingshots. TAS Slingshots is a group within MAMBG.
If you would like assistance in implementing the Scan task in your Concourse pipeline, please reach out to Ryan for help:
This example can be suited for your purposes with a small amount of customization. To get you familiar with how this works, here's what's involved in this scan:
-
ci/ci.yml - A pipeline definition utilizing 3 resources and 1 task that can be customized using 6 inputs:
- L23:
uri:- Github URI of the Github Repo to be scanned. - L24:
branch:- Name of the Branch within the repo to be scanned. - L35:
GRYPE_FAILURE_LEVEL:- Sets the severity threshold forgrypeto fail on detected CVEs.- Configurable as: [
none|negligible|low|medium|high|critical] - Defaults to
noneif not configured.
- Configurable as: [
- L23:
-
tasks/scan.yml - The task definition for the
scantask. This is ready for consumption using theparams&inputsfrom the CI. -
tasks/scan.sh - The script definition for the
scantask. This is ready for consumption with the task definition. -
images/slingshot-scanner - The image definiton for the docker image used for the scan task. Pre-installs
syft,grype, and some other basic Linux tooling.
- If you would like to contribute, please do so utilizing a PR and a branch containing your changes. Request a review prior to merging. Tag @rhall-pivotal.
- Feedback & Feature Requests, please file a new issue and let me know what's on your mind!
- This work is being done as a part of Slingshot's CVE Plan.