Conversation

@domsolutions domsolutions (Contributor) commented Oct 10, 2025

Motivation

Currently we have to merge PRs and then trigger a release and push images to Docker Hub to then scan them for CVEs. This is quite dangerous, as we could be merging unsafe code, and it also causes a long feedback loop to know if a change has introduced a CVE.

Summary of changes

  • Within the GitHub workflow V1 Security Tests we now build the images but do not push them to a repo, and scan them with Snyk.
  • Upgraded base images to use the latest registry.access.redhat.com/ubi9/ubi-minimal:9.6 and removed the `latest` tag, which would have achieved the same thing, but it's safer and gives a better audit trail to specify a specific tag.
  • Upgraded rclone to the latest version; there is now only one high CVE, but there has not been a released fix yet, so this is not fixable.

NOTE

Commented out building/scanning Alibi Detect as the GH runner runs out of disk space. It is possible to build the image locally, as we push the base image up to GH artifactory, but this is not ideal. Potentially look at using a private GH runner.

Checklist

  • Added/updated unit tests
  • Added/updated documentation
  • Checked for typos in variable names, comments, etc.
  • Added licences for new files

Testing

@domsolutions domsolutions changed the title "test locally built img" to "fix(build): check for CVEs before merge" Oct 20, 2025
@domsolutions domsolutions changed the base branch from master to fix/core-1-CVEs October 21, 2025 15:30
@domsolutions domsolutions force-pushed the INFRA-1609/docker-image-CVEs branch from 4403ec1 to 9e4001d October 22, 2025 08:11
@domsolutions domsolutions requested a review from vtaskow October 22, 2025 09:02
Removed file argument from Snyk scan command.
Added SARIF output option for Snyk scan results and upload step.
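A workflow of the shape this PR describes (build the image on the runner without pushing it, scan it with Snyk, upload the SARIF so findings land in code scanning), as an added example rather than the PR's own workflow file. The image name `example/service`, the `SNYK_TOKEN` secret name and the action versions are assumptions; the Snyk Docker action writes `snyk.sarif` by default.

```yaml
# Added example, not the repository's workflow. Assumes a Dockerfile at the
# repo root, a SNYK_TOKEN repository secret, and the placeholder image name
# example/service.
name: V1 Security Tests

on:
  pull_request:

permissions:
  contents: read
  security-events: write   # required by upload-sarif

jobs:
  image-cve-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-buildx-action@v3

      # Build only: push is false, load puts the image into the runner's
      # Docker daemon so the scanner can inspect it. Nothing reaches a
      # registry before the PR is merged.
      - uses: docker/build-push-action@v6
        with:
          context: .
          push: false
          load: true
          tags: example/service:pr-${{ github.event.pull_request.number }}

      # Scan the locally built image. continue-on-error lets the SARIF
      # upload run even when Snyk exits non-zero on findings; the final
      # step turns that outcome back into a failed check.
      - uses: snyk/actions/docker@master
        id: snyk
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: example/service:pr-${{ github.event.pull_request.number }}
          args: --severity-threshold=high

      # Surfaces results on the PR and in the Security tab.
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk.sarif

      - name: Fail the job if Snyk reported vulnerabilities
        if: steps.snyk.outcome == 'failure'
        run: exit 1
```

Images that do not fit on the hosted runner's disk (the Alibi Detect case noted above) would need a larger self-hosted runner or a separate job rather than this single-job layout.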
@github-advanced-security commented

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
