Automated image vulnerability scan

[c0c0n3]

Is your feature request related to a problem? Please describe.

Should we get a tool to scan the Docker images we build to sniff out any security vulnerabilities?

Describe the solution you'd like

Here's a nice example contributed by @jason-fox of a GitHub action to run Anchore scanner over an image:

• https://github.com/flopezag/fiware-security/blob/master/sample-github-actions/anchore-ubi.yml

The action outputs a bunch of CVE alerts you can then decide how to deal with, as shown in the image below

Describe alternatives you've considered

N/A

Additional context

N/A

[c0c0n3]

PR #588 actually implemented a vulnerability scan through the CodeQL Action. I haven't used myself any of those actions, so I've got no clue which one would be best for us and if they do pretty much the same thing.

@chicco785 is the scan done by the CodeQL action comparable to Anchore's? If so can we close this issue?

[chicco785]

not sure it's comparable (i.e. all the same feature are covered) but the tools analyse dependencies and code vulnerabilities

[chicco785]

https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository
https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph