walterddr commented on PR #8991: URL: https://github.com/apache/pinot/pull/8991#issuecomment-1185681238
> > > > > > > > > the commit hash [438c53b](https://github.com/apache/pinot/commit/438c53b) was on May 12. Would you be able to share exactly how we can generate this report from a docker image or dist-JAR?
> >
> > Well, that is interesting. The hash is old, but the date is recent.
> >
> > Yes, I was thinking that the scan could regularly run after the snapshot image is generated. In our environment we can pull a docker image from our artifactory image repo, and by running that image we can generate a report for any image that we pulled locally. A simpler report is emitted to the console and the full one is uploaded to our prisma cloud server. Whatever image we deploy to our infrastructure is scanned automatically and we are notified if there is a vulnerability in it.
> >
> > `$ twistcli images scan --details --address https://<prisma server address> -u '<user name>' apachepinot/pinot:0.11.0-SNAPSHOT-438c53b-20220715`
> >
> > I can ask the team that supports it how it could be set up.

So we are setting up a pipeline to scan our docker image: https://github.com/apache/pinot/pull/9044. This should give a SARIF.

So far, for the latest commits we don't see any high/crit issue on the core pinot JAR. The remaining ones are from the optional plugin modules, which will take time to resolve after the core release.
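The comment above distinguishes high/critical findings on the core JAR from those in the optional plugin modules. The following is an added example (not code from the Pinot PR or its CI pipeline) that triages a SARIF 2.1.0 report along those lines; it assumes the scanner records a CVSS-style `security-severity` property on each rule, as several common scanners do, and that plugin findings live under a path containing `plugins/` (both are assumptions, and the sample report is constructed).

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 sample (placeholder rule ids, not real scanner output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "CVE-PLACEHOLDER-1", "properties": {"security-severity": "9.8"}},
            {"id": "CVE-PLACEHOLDER-2", "properties": {"security-severity": "7.5"}},
            {"id": "CVE-PLACEHOLDER-3", "properties": {"security-severity": "4.3"}},
        ]}},
        "results": [
            {"ruleId": "CVE-PLACEHOLDER-1", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "opt/pinot/plugins/pinot-foo/foo.jar"}}}]},
            {"ruleId": "CVE-PLACEHOLDER-2", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "opt/pinot/plugins/pinot-bar/bar.jar"}}}]},
            {"ruleId": "CVE-PLACEHOLDER-3", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "opt/pinot/lib/pinot-all.jar"}}}]},
        ],
    }],
})

def severity_bucket(score: float) -> str:
    """Map a CVSS v3 base score to the usual rating bands."""
    if score >= 9.0: return "critical"
    if score >= 7.0: return "high"
    if score >= 4.0: return "medium"
    return "low"

def triage(sarif_text: str) -> dict:
    """Count findings per (module, severity); module is 'plugins' or 'core' (path convention assumed)."""
    report = json.loads(sarif_text)
    counts = Counter()
    for run in report.get("runs", []):
        # Rule metadata carries the score; results only reference the rule id.
        scores = {r["id"]: float(r.get("properties", {}).get("security-severity", 0))
                  for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            locs = res.get("locations") or []
            uri = locs[0]["physicalLocation"]["artifactLocation"].get("uri", "") if locs else ""
            module = "plugins" if "plugins/" in uri else "core"
            counts[(module, severity_bucket(scores.get(res.get("ruleId"), 0.0)))] += 1
    return dict(counts)

def core_gate_passes(sarif_text: str) -> bool:
    """True when no high/critical finding touches the core JAR (hypothetical CI gate)."""
    return not any(m == "core" and s in ("high", "critical") for (m, s) in triage(sarif_text))
```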