[FEATURE] Add CI to scan docker image vulnerabilities #2169

Closed
ChenYi015 opened this issue Sep 13, 2024 · 4 comments
Labels
enhancement New feature or request

Comments

@ChenYi015
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

Describe the solution you would like

Describe alternatives you have considered

Additional context

@ChenYi015 ChenYi015 added the enhancement New feature or request label Sep 13, 2024
@ImpSy
Contributor

ImpSy commented Sep 13, 2024

Hey 👋

I already have a fully functioning scanning pipeline on my company fork; would you be interested in a contribution for this?
It's built around Trivy.

It's important to note before activating it that you'll mostly pick up security errors from the Spark base image.
Patching JVM-related issues could be out of scope for this project.

A daily/weekly rebuild of the image + a dependabot-like tool to upgrade the base Spark image to the latest version could also replace/complement this feature.

@ChenYi015
Contributor Author

@ImpSy It would be great if you are willing to contribute this CI, there is an issue #2152 related to the image vulnerabilities.

A daily/weekly rebuild of the image + a dependabot-like tool to upgrade the base Spark image to the latest version could also replace/complement this feature.

Totally agree, we should use the latest spark base image to rebuild spark operator images.
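The two ideas in the comments above (a Trivy scan gate in CI, and a periodic rebuild so new CVEs in the Spark base image surface without a code change) fit in one GitHub Actions workflow. The following is an added example written for this page; it is not ImpSy's pipeline, not the project's CI, and not the code merged in the closing PR. The image tag `spark-operator:scan`, a Dockerfile at the repository root, the weekly cron and the `aquasecurity/trivy-action` version tag are all assumptions; the action inputs used (`image-ref`, `severity`, `ignore-unfixed`, `exit-code`, `format`, `output`) are the action's documented ones.

```yaml
# Added example (not the project's own workflow). Scans the operator image
# with Trivy on every PR and on a weekly schedule, so base-image CVEs
# published after the last commit still get reported.
name: image-scan

on:
  pull_request:
  schedule:
    - cron: "0 3 * * 1"   # assumption: weekly Monday rebuild + rescan
  workflow_dispatch:

permissions:
  contents: read
  security-events: write   # required to upload SARIF to code scanning

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image (assumption: Dockerfile at repo root)
        run: docker build -t spark-operator:scan .

      # Blocking gate: fail only on HIGH/CRITICAL findings that have a fix.
      # Unfixed CVEs in the Spark base image are still listed but do not
      # break the build, which is the caveat raised above about the base
      # image dominating the results.
      - name: Trivy scan (blocking on fixable HIGH/CRITICAL)
        uses: aquasecurity/trivy-action@0.28.0   # assumption: pinned release tag
        with:
          image-ref: spark-operator:scan
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: "1"
          format: table

      # Full, non-blocking report (including unfixed findings) as SARIF so
      # the complete picture is visible in the Security tab.
      - name: Trivy scan (SARIF, non-blocking)
        if: always()
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: spark-operator:scan
          format: sarif
          output: trivy.sarif
          exit-code: "0"

      - name: Upload SARIF to code scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy.sarif
```

Findings the maintainers decide are out of scope (for example JVM-level CVEs that can only be fixed upstream in the base image) can be listed by CVE id in a `.trivyignore` file at the repository root, which Trivy reads by default; keeping that file under review is what stops the gate from silently degrading into a non-gate. The scheduled run only helps if the Spark base image tag used in the Dockerfile is itself moved forward, which is the dependabot-like piece the comments mention and which this workflow does not do.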

@jacobsalway
Copy link
Member

jacobsalway commented Sep 15, 2024

I'd need to research whether there's anything else in the apache/spark image that the operator depends on, but it's possible we may be able to construct a different base image that downloads the Spark JARs separately (from Maven for example). This may reduce the surface area of CVEs but would obviously be more effort to maintain.

If there are a significant number of users of the Spark operator who need the final image to have no critical or high CVEs for example, this may be worth the maintenance effort.

@ChenYi015
Contributor Author

Close this issue by #2177.

3 participants