feat: support for managing critical/high severity CVEs #2696
Labels
enhancement
New feature or request
triage
Add this label to issues that should be triaged and prioritized in the next planning call
Is your feature request related to a problem? Please describe.
At times, critical or high severity vulnerabilities are discovered in the distro base images that kairos uses. There are two problems:
- Identifying risks on older releases of kairos standard images is a manual process for kairos devs (yes?) and for kairos users.
- Because kairos is architecturally immutable, the kairos release cycle is generally the "rate-limiting step" for rolling out fixes.
Describe the solution you'd like
- The kairos CLI should be able to report the known CVEs for the running image if it comes from the quay.io registry (this could be compiled into a json/yaml file by a periodic github action that consults the quay.io scans).
- A github action that triggers hotfix releases when they are available.
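A sketch of the compile step proposed above, added here as an illustration and not taken from the kairos code base or from the issue author. It assumes the scan report uses the Clair-style layout returned by Quay's manifest security endpoint (`data.Layer.Features[].Vulnerabilities[]`); the function name, image reference, package versions and CVE ids are constructed placeholders.

```python
import json

# Constructed sample in the assumed Quay/Clair report layout; CVE ids are placeholders.
SAMPLE_REPORT = {"status": "scanned", "data": {"Layer": {"Features": [
    {"Name": "openssl", "Version": "3.0.2-0", "Vulnerabilities": [
        {"Name": "CVE-0000-0001", "Severity": "Critical", "FixedBy": "3.0.2-1"},
        {"Name": "CVE-0000-0002", "Severity": "Low", "FixedBy": ""}]},
    {"Name": "zlib", "Version": "1.2.11-0", "Vulnerabilities": [
        {"Name": "CVE-0000-0003", "Severity": "High", "FixedBy": ""}]},
    {"Name": "bash", "Version": "5.1-0", "Vulnerabilities": [
        {"Name": "CVE-0000-0004", "Severity": "Medium", "FixedBy": "5.1-1"}]},
]}}}

RANK = {"Critical": 0, "High": 1}  # severities the issue asks to surface


def summarize(report, image_ref):
    """Reduce one scan report to the critical/high findings for an image."""
    status = report.get("status", "unknown")
    if status != "scanned":
        # Not scanned yet is not the same as clean: report it as unknown.
        return {"image": image_ref, "status": status, "cves": [], "hotfix_available": None}
    layer = (report.get("data") or {}).get("Layer") or {}
    found = {}
    for feat in layer.get("Features") or []:
        for vuln in feat.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in RANK:
                continue
            # Key on (CVE, package) so a finding repeated across layers is listed once.
            found[(vuln["Name"], feat["Name"])] = {
                "id": vuln["Name"], "severity": vuln["Severity"],
                "package": feat["Name"], "installed": feat.get("Version"),
                "fixed_by": vuln.get("FixedBy") or None}
    cves = sorted(found.values(), key=lambda c: (RANK[c["severity"]], c["id"], c["package"]))
    return {"image": image_ref, "status": status, "cves": cves,
            # A fixed version upstream is the signal a hotfix release could act on.
            "hotfix_available": any(c["fixed_by"] for c in cves)}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_REPORT, "quay.io/example/image:tag"), indent=2))
```

The `hotfix_available` flag only says that at least one critical/high finding has a fixed package version; whether that justifies a release remains a project decision.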