
Do security scanning in task step #8

@ArjanSchouten

Description


The setup-runtime-resource now by default scans for CVEs with https://github.com/anchore/grype. It will break when a critical CVE is found in the rootfs that will be used by the task step.

In the recommended security mode the rootfs security scanning should be moved to the task step. This will slow down builds, since every build will update the grype db and do the security scanning.

Doing this every build is safer (new CVEs can be found in the meantime), and although CVE exclusion can be added to the setup-runtime source config, it requires a new setup-runtime get step and a fly set-pipeline.

Not sure if it would work well in practice, but let's try...
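As an added example (not code from the setup-runtime-resource or from this issue), a minimal task-step gate that reads a grype JSON report, drops an ignore list of CVE ids, and fails the build only on blocking severities; the report shape, the grype invocation in the comments and the placeholder CVE ids are assumptions.

```python
import json

# Severities that fail the task step (an assumption: the issue only names "critical").
BLOCKING = {"Critical"}

# Constructed sample shaped like a grype JSON report (placeholder CVE ids, not real output).
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical"},
     "artifact": {"name": "libexample", "version": "1.0"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"},
     "artifact": {"name": "libother", "version": "2.3"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Critical"},
     "artifact": {"name": "libexample", "version": "1.0"}},
]})


def blocking_findings(report_json, ignore=()):
    """Return sorted (cve_id, package, version) triples that should fail the build.

    `ignore` is the CVE exclusion list. Kept next to the task script it can
    change with the task itself (assumed layout) instead of needing a new
    setup-runtime get step plus `fly set-pipeline`.
    """
    report = json.loads(report_json)
    ignored = set(ignore)
    found = set()
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        if vuln["severity"] in BLOCKING and vuln["id"] not in ignored:
            art = match["artifact"]
            found.add((vuln["id"], art["name"], art["version"]))
    return sorted(found)


def gate(report_json, ignore=()):
    """Exit status for the task step: 0 when nothing blocking remains, else 1."""
    findings = blocking_findings(report_json, ignore)
    for cve_id, pkg, ver in findings:
        print(f"BLOCKING {cve_id} in {pkg} {ver}")
    return 1 if findings else 0


if __name__ == "__main__":
    # In the real task this would read the file written by
    # `grype dir:/rootfs -o json` after `grype db update` (assumed invocation).
    raise SystemExit(gate(SAMPLE_REPORT, ignore=["CVE-0000-0002"]))
```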
