Merge pull request #324 from RADAR-base/feature/docker-image-scans

Update docker image scans to ignore external depenency vulns
RADAR-base · Feb 20, 2025 · 2846db0 · 2846db0
2 parents c385158 + a6d43c9
commit 2846db0
Show file tree

Hide file tree

Showing 6 changed files with 866 additions and 9 deletions.
diff --git a/.github/bin/external_docker_image_matrix b/.github/bin/external_docker_image_matrix
@@ -17,6 +17,9 @@ for location in charts external
 do
   for chart in `ls -1 ../$location`
   do
+    # skip when the chart is present in the EXCLUDE_CHARTS environment variable
+    echo $EXCLUDE_CHARTS | grep -qw $chart && continue
+    echo Analyzing chart $chart ...
     helm template ../$location/$chart 2> /dev/null | grep -oP "(?<=image: ).*" | tr -d \" >> $location.tmp
   done
 done
@@ -29,9 +32,9 @@ cat images.tmp1 | grep ".*\/.*\/.*" > images.tmp2
 cat images.tmp1 | grep -v ".*\/.*\/.*" | sed "s/^/docker.io\//g" > images.tmp3
 cat images.tmp2 images.tmp3 | sort | uniq > images.txt
 
-# Exclude images refs that match any of the patterns passed in with the EXCLUDE_PATTERNS environment variable.
-if [ -n "$EXCLUDE_PATTERNS" ]; then
-  for pattern in $EXCLUDE_PATTERNS
+# Exclude images refs that match any of the patterns passed in with the EXCLUDE_IMAGE_PATTERNS environment variable.
+if [ -n "$EXCLUDE_IMAGE_PATTERNS" ]; then
+  for pattern in $EXCLUDE_IMAGE_PATTERNS
   do
     grep -v $pattern images.txt > images.tmp
     mv images.tmp images.txt

diff --git a/.github/workflows/scheduled-snyk-docker.yaml b/.github/workflows/scheduled-snyk-docker.yaml
@@ -29,9 +29,21 @@ jobs:
         name: Generate image matrix of current master branch
         env:
           # Any image that matches any of these patterns will be ignored for scanning.
-          # FIXME: the elasticsearch image gives sarif related errors, so it is excluded for now.
+          # Reasons:
+          # - bats: init container
+          # - busybox: init container
+          # - alpine: init container
+          # - linuxserver/yq: init container
+          EXCLUDE_IMAGE_PATTERNS:  bats busybox docker.io/alpine linuxserver/yq
+          # Any chart name (dir name) in here will be ignored for scanning.
+          # Reasons:
+          # - elasticsearch:
+          #   FIXME: the elasticsearch image gives sarif related errors, so it is excluded for now.
           #        we need a better way to handle this.
-          EXCLUDE_PATTERNS: mockserver bats busybox elasticsearch
+          # - mockserver: only used during testing
+          # - postgresql: external chart used by internal chart radar-postgresql
+          # - trivy: only used for security scanning, not used during runtime
+          EXCLUDE_CHARTS: mockserver postgresql elasticsearch radar-mockserver trivy
         working-directory: .github/bin
         run: ./external_docker_image_matrix