[FEATURE] Periodic maintenance of existing releases artifacts

[qu1queee]

Is there an existing feature request for this?

• I have searched the existing feature requests

Is your feature request related to a problem or use-case? Please describe.

To a use case. We should ensure that existing releases of Shipwright/Build are not subject to vulnerabilities. More specifically, the container images they produce. In order to ensure this, we need a regular update of existing releases images and manifests.

Describe the solution that you would like.

There is an automation that regularly validates existing Shipwright/Build releases images, and up-date them if needed.

Describe alternatives you have considered.

None

Anything else?

No

[qu1queee]

@SaschaSchwarze0 please complement the above if needed.

[SaschaSchwarze0]

Thanks @qu1queee, I think that we should aim to have this for our latest release. Implementation-wise, my proposal would be a GitHub action that ...

• downloads the release artifacts from the latest release
• extracts the image references
• pulls each image
• runs trivy image --ignore-unfixed --scanners vuln --timeout 30m --vuln-type os to scan for OS vulnerabilities
• runs govulncheck -mode=binary ENTRYPOINT to scan for Go vulnerabilities
• opens an issue for vulnerabilities that were found, if the issue exists, its description is updates with the latest scan findings

Sounds like a cool exercise.

[qu1queee]

From refinement, we are looking for more ideas on this.

[SaschaSchwarze0]

@adambkaplan I think that's what you're covering anyway through SHIP-0038.

[adambkaplan]

SHIP-0038 covers the process for backporting bug fixes and security patches. It doesn't cover active scanning.