Right now our Trivy code scanning workflow will send Slack alerts based on whether the Trivy CLI finds any unresolved issues in our images/binaries. It also posts them to GitHub's Code Scanning tool for our repo, which allows us to mark them as resolved/wontfix.
The problem is that if we have a wontfix it will be closed from GitHub, but Trivy will still report it as present. If we could trigger based on the open Code Scanning tickets instead we could have a better picture of unresolved items. It looks like it should be possible using GitHub's API.
If we get this working we should also fix this with other Carvel projects.
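As an added illustration of the approach proposed above (not code from the issue or from any Carvel workflow): the alert decision reads GitHub's Code Scanning alerts instead of Trivy's own output, so anything dismissed in the repository as won't-fix no longer counts as unresolved. It assumes GitHub's public REST endpoint `GET /repos/{owner}/{repo}/code-scanning/alerts` and its `state`, `tool`, `rule` and `most_recent_instance` fields; the sample alert list is constructed for the example.

```python
"""Decide whether a Trivy run should notify Slack, based on the alerts that
are still open in GitHub Code Scanning rather than on Trivy's raw findings."""
import json
import urllib.request

API = "https://api.github.com"


def fetch_alerts(owner, repo, token, tool_name="Trivy", ref=None):
    """Fetch open alerts for one tool (first 100) from the real API; needs a
    token with security_events scope. Not used by the offline sample below."""
    url = (f"{API}/repos/{owner}/{repo}/code-scanning/alerts"
           f"?state=open&per_page=100&tool_name={tool_name}")
    if ref:
        url += f"&ref={ref}"          # e.g. refs/heads/develop
    req = urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def unresolved(alerts, tool_name="Trivy", ref=None):
    """Keep alerts that are still 'open' (dismissed/fixed ones are resolved),
    came from the given tool and, if a ref is given, were last seen on it."""
    return [a for a in alerts
            if a["state"] == "open"
            and a["tool"]["name"] == tool_name
            and (ref is None or a["most_recent_instance"]["ref"] == ref)]


def summarize(alerts):
    """Count unresolved alerts per security severity, for the Slack message."""
    counts = {}
    for a in alerts:
        level = a["rule"].get("security_severity_level", "unknown")
        counts[level] = counts.get(level, 0) + 1
    return counts


# Constructed sample: what the API returns (trimmed to the fields used).
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "tool": {"name": "Trivy"},
     "rule": {"id": "CVE-0000-0001", "security_severity_level": "high"},
     "most_recent_instance": {"ref": "refs/heads/develop"}},
    {"number": 2, "state": "dismissed", "dismissed_reason": "won't fix",
     "tool": {"name": "Trivy"},
     "rule": {"id": "CVE-0000-0002", "security_severity_level": "medium"},
     "most_recent_instance": {"ref": "refs/heads/develop"}},
    {"number": 3, "state": "open", "tool": {"name": "Trivy"},
     "rule": {"id": "CVE-0000-0003", "security_severity_level": "critical"},
     "most_recent_instance": {"ref": "refs/tags/v0.0.0-example"}},
]
```

Alert 2 was dismissed as won't fix and so drops out of `unresolved`, while alerts 1 and 3 still count; passing `ref=` narrows the picture to one branch or tag.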
This turned out to be slightly more complicated than I thought since we're scanning the latest release as well. I don't think there's a good way to associate a code scan alert with a release, so for instance if we had a fixed vulnerability in develop but that was still vulnerable in the latest release, I'm not sure it's simple to distinguish where it's fixed.
Reopening since this is gonna bother me forever. I looked into it a bit today but was blocked by github/codeql-action#890. It looks like there will be a fix there shortly, so I'll revisit once that's merged.