Static Vulnerability Analysis for container images in CI
We start by doing static vulnerability analysis in our release process and releasing the image to the public (Docker Hub).
In the future, we will also have to scan periodically. On second thought, scanning at build time alone is not sufficient, as vulnerabilities might be discovered AFTER the build has been released to the public.
We also need to regularly scan the released containers for vulnerabilities. Perhaps we could use Quay for this.
- Static Vulnerability Analysis is running on our release process in the CI pipeline
- New job that is allowed to fail
  - Results are shown in the GitLab Security Dashboard (see comment; this moves to #602 and is actually unwanted here)
- Enable in GitLab (Clair & DAST)
- See GitLab docs: https://gitlab.com/help/user/application_security/security_dashboard/index.md
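A `.gitlab-ci.yml` sketch of the plan above, added here as an example and not taken from this project: the built image is scanned by GitLab's Container-Scanning template in a job that is allowed to fail, and a second job, triggered only from a pipeline schedule, rescans the image that is already public on Docker Hub so CVEs published after the release are still caught. The Docker Hub repository `example/app` is a placeholder, and the template's variable names and `rules`/`only` keywords vary between GitLab versions, so they are assumptions to check against the included template.

```yaml
# Added example, not the project's own pipeline. Assumes the GitLab
# Container-Scanning template (Clair) and a template version that uses
# `rules:`; older templates use `only`/`except`, which cannot be mixed
# with `rules:` in the same job. Variable names below are assumptions.
include:
  - template: Container-Scanning.gitlab-ci.yml

stages:
  - build
  - test

build:
  stage: build
  image: docker:stable
  services:
    - docker:dind
  script:
    # --password-stdin keeps the registry password out of the process list
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA"

# Static scan of the freshly built image. allow_failure keeps a newly
# published CVE from blocking the release; the report is still attached
# to the pipeline for review.
container_scanning:
  stage: test
  allow_failure: true
  rules:
    - if: $CI_PIPELINE_SOURCE != "schedule"

# Periodic rescan of the image already published to Docker Hub, run from
# a pipeline schedule (Settings > CI/CD > Schedules). This job is NOT
# allowed to fail, so a new CVE in the shipped image fails the scheduled
# pipeline and notifies the maintainers.
rescan_released_image:
  extends: container_scanning
  stage: test
  allow_failure: false
  variables:
    # Placeholder repository and tag; assumed template variable names.
    CI_APPLICATION_REPOSITORY: docker.io/example/app
    CI_APPLICATION_TAG: latest
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
```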