
chore(ci): graceful scan-images job execution during grype cdn failures #13507

Merged
merged 2 commits into from
Aug 19, 2024

Conversation

saisatishkarra
Contributor

@saisatishkarra saisatishkarra commented Aug 16, 2024

Issue

The SCA tool (grype) invoked as part of the scan-images job downloads the vulnerability DB on each run. This is leading to issues due to sporadic Grype CDN failures:
Long-running jobs failing due to timeout (job resource wastage) when the job is stuck / hung up
Interim solutions to address this from multiple fronts:

Summary

  • Fixes #140
  • Add job timeout for scan job to achieve early graceful job failure
  • Ability to bypass scan-images using the vars.DISABLE_SCA_SCAN repository variable in case of emergency when enforcement / fail_build is true. Only GitHub Admin / Repo Admin access can perform this.
  • Bump the scan-actions version to use GH cache as part of [2.4.0](https://github.com/Kong/public-shared-actions/releases/tag/v2.4.0)

Long term solutions:

  • The above interim solutions don't work when the first / initial scan job doesn't run until a cache is populated, which is the case during a long CDN outage. Hence an effort to maintain a Kong owned / controlled Grype DB mirror is required.

Effect:

  • Default pipeline will run as-is without any changes when the cache / CDN network to populate the grype DB succeeds
  • when enforcement / input build_fail is false, CVE analysis is skipped
  • when enforcement / input build_fail is true, CVE analysis will fail / error the downstream caller

Checklist

  • The Pull Request has tests
  • A changelog file has been created under changelog/unreleased/kong or skip-changelog label added on PR if changelog is unnecessary. README.md
  • There is a user-facing docs PR against https://github.com/Kong/docs.konghq.com - PUT DOCS PR HERE

Issue reference

Fix #[issue number]
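The three interim measures described in the PR (a job timeout, an admin-set bypass variable, and a GitHub-cached grype DB that is reused when the CDN is unreachable) fit together in one reusable workflow. The following is an added illustrative workflow, not Kong's actual scan-images job or the code from public-shared-actions. The `image.tar` artifact name, the cache key layout, the `fail_build` input and the 15-minute timeout are assumptions; `timeout-minutes`, the `vars` context, `actions/cache`, `GRYPE_DB_CACHE_DIR`, `GRYPE_DB_AUTO_UPDATE`, `grype db update`, `grype db status` and `--fail-on` are documented GitHub Actions / grype features.

```yaml
# Illustrative reusable workflow (added example, not the project's own code).
# Assumptions: image.tar was produced by a previous job and is present in the
# workspace; the cache key layout and the timeout value are hypothetical.
name: scan-images

on:
  workflow_call:
    inputs:
      fail_build:
        description: "Fail the caller on scan errors / findings"
        type: boolean
        default: true

jobs:
  scan-images:
    runs-on: ubuntu-latest
    # Emergency bypass: a repository variable only a repo admin can set. The
    # job-level `if` is evaluated before any step runs, so nothing is downloaded.
    if: ${{ vars.DISABLE_SCA_SCAN != 'true' }}
    # Early, graceful failure instead of a hung job burning runner minutes
    # while the DB download stalls on a broken CDN.
    timeout-minutes: 15
    env:
      GRYPE_DB_CACHE_DIR: ${{ github.workspace }}/.grype-db
      # We drive the DB refresh explicitly below instead of letting every
      # grype invocation try (and hang) on the CDN.
      GRYPE_DB_AUTO_UPDATE: "false"
    steps:
      - name: Compute daily cache key
        id: date
        run: echo "today=$(date -u +%F)" >> "$GITHUB_OUTPUT"

      # The key rolls over daily; restore-keys lets an older DB be restored
      # when today's entry does not exist yet (e.g. the CDN is down).
      - name: Restore grype DB cache
        uses: actions/cache@v4
        with:
          path: ${{ env.GRYPE_DB_CACHE_DIR }}
          key: grype-db-${{ runner.os }}-${{ steps.date.outputs.today }}
          restore-keys: |
            grype-db-${{ runner.os }}-

      - name: Install grype
        # Pin the version argument in a real pipeline rather than tracking main.
        run: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

      - name: Refresh grype DB, tolerating CDN failure if a cached DB exists
        id: db
        env:
          FAIL_BUILD: ${{ inputs.fail_build }}
        run: |
          set -u
          if grype db update; then
            echo "fresh DB downloaded"
            echo "available=true" >> "$GITHUB_OUTPUT"
          elif grype db status >/dev/null 2>&1; then
            echo "::warning::grype CDN unreachable, scanning with the cached DB"
            echo "available=true" >> "$GITHUB_OUTPUT"
          else
            echo "available=false" >> "$GITHUB_OUTPUT"
            if [ "$FAIL_BUILD" = "true" ]; then
              echo "::error::no grype DB available (CDN down and cache empty)"
              exit 1
            fi
            echo "::warning::no grype DB available and fail_build=false; skipping CVE analysis"
          fi

      - name: Scan image
        if: ${{ steps.db.outputs.available == 'true' }}
        # --fail-on makes grype exit non-zero on findings at or above the severity.
        run: grype oci-archive:image.tar --fail-on high
```

Two caveats a practitioner should keep in mind with this shape. First, `actions/cache` only reports `cache-hit=true` on an exact key match, which is why the fallback above asks grype itself (`grype db status`) whether a usable DB was restored instead of trusting the cache output. Second, grype validates the age of the DB it loads (the `db.validate-age` setting, on by default, rejects DBs older than `db.max-allowed-built-age`, which defaults to five days), so a restored cache only bridges a short outage; a multi-day CDN outage still fails every run, which is the gap the PR's long-term mirror proposal is meant to close. Flipping `DISABLE_SCA_SCAN` is invisible in the pull request itself, so it is worth alerting on the repository-variable change and resetting it as soon as the CDN recovers.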

@CLAassistant

CLAassistant commented Aug 16, 2024

CLA assistant check
All committers have signed the CLA.

@github-actions github-actions bot added the chore Not part of the core functionality of kong, but still needed label Aug 16, 2024
@saisatishkarra saisatishkarra force-pushed the feat/scan-images-config branch from f681eec to d4a5680 Compare August 16, 2024 11:00
@saisatishkarra saisatishkarra force-pushed the feat/scan-images-config branch from 3b0fc13 to 0c110a9 Compare August 16, 2024 11:45
@Water-Melon Water-Melon force-pushed the feat/scan-images-config branch from 0c110a9 to bb7b5c9 Compare August 16, 2024 13:24
@saisatishkarra saisatishkarra force-pushed the feat/scan-images-config branch from bb7b5c9 to 1bfd375 Compare August 16, 2024 14:48
@saisatishkarra saisatishkarra force-pushed the feat/scan-images-config branch from 1bfd375 to 92ee750 Compare August 16, 2024 21:22
@saisatishkarra saisatishkarra force-pushed the feat/scan-images-config branch from 92ee750 to a6c3c3e Compare August 16, 2024 21:25
@saisatishkarra saisatishkarra changed the title chore(ci): Ability to skip scan-images job during grype cdn failures chore(ci): graceful scan-images job execution during grype cdn failures Aug 16, 2024
@saisatishkarra saisatishkarra force-pushed the feat/scan-images-config branch from a6c3c3e to ef5363f Compare August 19, 2024 13:35
Add grype GH cache to reuse across jobs

Add GH timeout for scan-images job
Signed-off-by: saisatishkarra <[email protected]>
@saisatishkarra saisatishkarra force-pushed the feat/scan-images-config branch from ef5363f to 7423df9 Compare August 19, 2024 13:45
@windmgc windmgc merged commit 2c7fe86 into master Aug 19, 2024
12 checks passed
@windmgc windmgc deleted the feat/scan-images-config branch August 19, 2024 15:42
Labels
chore Not part of the core functionality of kong, but still needed size/XS

Linked issue (may be closed by this PR):
Grype CDN failures leading to Timedout workflows