-
Type:
Task
-
Resolution: Done
-
Priority:
L3 - Default
-
Affects Version/s: None
-
Component/s: continuous integration
-
None
-
S
Trivy for docker image scanning: https://github.com/aquasecurity/trivy
Snyk misses some stuff and there was one occasion where customers found a vulnerability that we hadn't seen. It is worth integrating such a check into our release process for added confidence.
The Zeebe controller repo has this integrated already. Maybe we can learn/copy something here.
The trivy check should get triggered when the pipeline does the smoketest for docker when merging to master