mirror of
https://github.com/kasmtech/workspaces-core-images.git
synced 2024-11-29 02:43:28 +01:00
add squash layers back in, add trivy
This commit is contained in:
parent
d76366154a
commit
a7c5411959
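--- a/ci-scripts/download-trivy
+++ b/ci-scripts/download-trivy
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -euo pipefail
+
+TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
+echo "$TRIVY_VERSION"
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+trivy_dir="${SCRIPT_DIR}/trivy"
+rm -rf $trivy_dir
+mkdir $trivy_dir
+cd $trivy_dir
+wget --no-verbose "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" -O - | tar -zxvf -
+
+cp "${SCRIPT_DIR}/junit.tpl" "${SCRIPT_DIR}/trivy/contrib/"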
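Review bot: The archive fetched on the `wget … | tar -zxvf -` line is extracted straight from the network with no checksum or signature check, and the version comes from an unauthenticated "latest" lookup, so each pipeline run installs whatever GitHub serves at that moment and a tampered or rate-limited response is only noticed when tar fails. Pinning the version (overridable through `TRIVY_VERSION`) and verifying the tarball against the release's published `trivy_<version>_checksums.txt` before extraction puts the scanner itself under the same review as the images it scans. The unquoted `rm -rf $trivy_dir`, `mkdir $trivy_dir` and `cd $trivy_dir` should also be quoted, with `${trivy_dir:?}` on the rm so an empty value can never expand to a bare `rm -rf`. The rewritten lines below keep the script's layout and add only the pin, the quoting and the verification step.
```shell
# … unchanged: shebang, set -euo pipefail …
# Honour a pinned version from the pipeline; fall back to the latest release only when unset.
TRIVY_VERSION="${TRIVY_VERSION:-$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')}"
[[ -n "$TRIVY_VERSION" ]] || { echo >&2 "could not determine trivy version"; exit 1; }
echo "$TRIVY_VERSION"
# … unchanged: SCRIPT_DIR, trivy_dir …
rm -rf -- "${trivy_dir:?}"
mkdir -- "$trivy_dir"
cd -- "$trivy_dir"
tarball="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
base_url="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}"
wget --no-verbose "${base_url}/${tarball}" -O "$tarball"
wget --no-verbose "${base_url}/trivy_${TRIVY_VERSION}_checksums.txt" -O checksums.txt
# Verify the archive against the published checksum before anything is extracted.
grep -F -- "  ${tarball}" checksums.txt | sha256sum -c -
tar -zxvf "$tarball"
# … unchanged: cp junit.tpl …
```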
@ -127,6 +127,66 @@ test_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
|
|||||||
retry: 1
|
retry: 1
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
|
######################################
|
||||||
|
# Vulnerability Scans #
|
||||||
|
######################################
|
||||||
|
{% for IMAGE in multiImages %}
|
||||||
|
scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
|
||||||
|
stage: scan
|
||||||
|
when: always
|
||||||
|
script:
|
||||||
|
- apk add bash
|
||||||
|
- (cd ci-scripts && bash download-trivy)
|
||||||
|
- bash ci/scan image ${ORG_NAME}/image-cache-private:$(arch)-core-{{ IMAGE.name1 }}-{{ IMAGE.name2 }}-${SANITIZED_BRANCH}-${CI_PIPELINE_ID}
|
||||||
|
{% if FILE_LIMITS %}only:
|
||||||
|
changes:
|
||||||
|
{% for FILE in files %}- {{ FILE }}
|
||||||
|
{% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }}
|
||||||
|
{% endfor %}{% endif %}
|
||||||
|
except:
|
||||||
|
variables:
|
||||||
|
- $README_USERNAME
|
||||||
|
- $README_PASSWORD
|
||||||
|
- $DOCKERHUB_REVERT
|
||||||
|
- $REVERT_IS_ROLLING
|
||||||
|
needs:
|
||||||
|
- build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}
|
||||||
|
when: on_success
|
||||||
|
tags:
|
||||||
|
- oci-fixed-amd
|
||||||
|
retry: 1
|
||||||
|
parallel:
|
||||||
|
matrix:
|
||||||
|
- ARCH: [ "x86_64", "aarch64" ]
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
{% for IMAGE in singleImages %}
|
||||||
|
scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
|
||||||
|
stage: scan
|
||||||
|
when: always
|
||||||
|
script:
|
||||||
|
- apk add bash
|
||||||
|
- (cd ci-scripts && bash download-trivy)
|
||||||
|
- bash ci/scan image ${ORG_NAME}/image-cache-private:x86_64-core-{{ IMAGE.name1 }}-{{ IMAGE.name2 }}-${SANITIZED_BRANCH}-${CI_PIPELINE_ID}
|
||||||
|
{% if FILE_LIMITS %}only:
|
||||||
|
changes:
|
||||||
|
{% for FILE in files %}- {{ FILE }}
|
||||||
|
{% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }}
|
||||||
|
{% endfor %}{% endif %}
|
||||||
|
except:
|
||||||
|
variables:
|
||||||
|
- $README_USERNAME
|
||||||
|
- $README_PASSWORD
|
||||||
|
- $DOCKERHUB_REVERT
|
||||||
|
- $REVERT_IS_ROLLING
|
||||||
|
needs:
|
||||||
|
- build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}
|
||||||
|
when: on_success
|
||||||
|
tags:
|
||||||
|
- oci-fixed-amd
|
||||||
|
retry: 1
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
############################################
|
############################################
|
||||||
# Manifest Containers if their test passed #
|
# Manifest Containers if their test passed #
|
||||||
############################################
|
############################################
|
||||||
|
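Review bot: The script invoked on the `- bash ci/scan image …` line of both loops is `ci/scan`, but this commit adds the script as `ci-scripts/scan`, and the preceding step already runs `download-trivy` from `ci-scripts`; unless a separate `ci/scan` exists in the repository these jobs fail on a missing file, and `- bash ci-scripts/scan image …` looks intended. In the multiImages job the image tag is built with `$(arch)`, which is evaluated on the runner; with `tags: [oci-fixed-amd]` that is presumably always x86_64, so both `parallel.matrix` entries would scan the same x86_64 image while the declared `ARCH` variable is never used — `${ARCH}-core-…` in place of `$(arch)-core-…` scans each architecture's image. `when:` also appears twice in each job (`always` near the top, `on_success` after `needs`); which one takes effect depends on the YAML loader, so keep a single value.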
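--- a/ci-scripts/junit.tpl
+++ b/ci-scripts/junit.tpl
@@ -0,0 +1,31 @@
+<?xml version="1.0" ?>
+<testsuites name="trivy">
+{{- range . -}}
+{{- $failures := len .Vulnerabilities }}
+<testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{ .Target }}" errors="0" skipped="0" time="">
+{{- if not (eq .Type "") }}
+<properties>
+<property name="type" value="{{ .Type }}"></property>
+</properties>
+{{- end -}}
+{{ range .Vulnerabilities }}
+<testcase classname="{{ .PkgName }}-{{ .InstalledVersion }}" file="{{ if .FixedVersion -}} Upgrade to {{ .FixedVersion }} {{- else -}} No solution provided {{- end }}" name="[{{ .Vulnerability.Severity }}] {{ .VulnerabilityID }}" time="">
+<{{ if .FixedVersion -}}error{{- else -}}skipped{{- end }} message="{{ escapeXML .Title }}" type="description">Upgrade {{ .PkgName }} to {{ .FixedVersion }} - {{ escapeXML .Description }}</{{ if .FixedVersion -}}error{{- else -}}skipped{{- end }}>
+</testcase>
+{{- end }}
+</testsuite>
+{{- $failures := len .Misconfigurations }}
+<testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{ .Target }}" errors="0" skipped="0" time="">
+{{- if not (eq .Type "") }}
+<properties>
+<property name="type" value="{{ .Type }}"></property>
+</properties>
+{{- end -}}
+{{ range .Misconfigurations }}
+<testcase classname="{{ .Type }}" name="[{{ .Severity }}] {{ .ID }}" time="">
+<error message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</error>
+</testcase>
+{{- end }}
+</testsuite>
+{{- end }}
+</testsuites>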
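Review bot: On the `<testsuite … name="{{ .Target }}"` lines and the `<testcase classname="{{ .PkgName }}-{{ .InstalledVersion }}" …` line, scanner-supplied values go into XML attributes without `escapeXML`, while `.Title` and `.Description` on the next line are escaped; a target, package name or version containing `"`, `<` or `&` produces malformed XML and the whole JUnit report is rejected by the consumer. Escaping those attribute values the same way, e.g. `name="{{ escapeXML .Target }}"` and `classname="{{ escapeXML .PkgName }}-{{ escapeXML .InstalledVersion }}"`, keeps the report parseable for any input. Separately, the `skipped` branch still renders `Upgrade {{ .PkgName }} to {{ .FixedVersion }} - …` with an empty version, so an unfixed finding reads "Upgrade foo to - …"; moving that prefix inside the `if .FixedVersion` branch avoids the misleading text.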
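--- a/ci-scripts/scan
+++ b/ci-scripts/scan
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -eo pipefail
+
+build_report() {
+$trivy_cmd --exit-code 0 --format template --template "@/$trivy_dir/contrib/junit.tpl" -o "$source_dir/trivy-report.xml" "$target"
+#$trivy_cmd --exit-code 0 --format json -o "$source_dir/report.json" "$target"
+}
+
+print_report_and_fail_on_vulnerabilities() {
+$trivy_cmd --exit-code 1 "$target"
+}
+
+scan_cmd="$1"
+target="$2"
+if [[ -z "$scan_cmd" || -z "$target" ]]; then
+echo >&2 "Usage: $(basename "$0") <repo|image> <target>"
+exit 1
+fi
+
+case "$scan_cmd" in
+repo) options="--scanners config,secret,vuln" ;;
+image) options="--scanners vuln" ;;
+*) options="--scanners vuln,config,secret" ;;
+esac
+
+set -u
+set -x
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+trivy_dir="${SCRIPT_DIR}/trivy"
+trivy_cmd="$trivy_dir/trivy $scan_cmd --no-progress --cache-dir $HOME/.trivycache $options"
+source_dir="${CI_PROJECT_DIR:-$trivy_dir}"
+
+build_report
+#print_report_and_fail_on_vulnerabilities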
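Review bot: As committed the scan can never fail the job: `build_report` runs trivy with `--exit-code 0` and the only gating call, `print_report_and_fail_on_vulnerabilities`, is commented out on the last line, so the new scan stage is report-only and a critical finding does not stop the image from being manifested. If that is the intended rollout (collect reports first, gate later), a comment beside the commented call saying so, and a severity filter such as `--severity HIGH,CRITICAL` on the gating command when it is enabled, make the policy explicit rather than accidental. The command is also assembled as one string (`trivy_cmd="$trivy_dir/trivy … $options"`) and expanded unquoted, which relies on word-splitting and breaks if `SCRIPT_DIR` or `HOME` contains a space; an array avoids that, and since `$trivy_dir` is absolute (it comes from `pwd`) the `--template "@/$trivy_dir/…"` argument can drop the extra slash.
```shell
build_report() {
  "${trivy_cmd[@]}" --exit-code 0 --format template --template "@${trivy_dir}/contrib/junit.tpl" -o "$source_dir/trivy-report.xml" "$target"
}

print_report_and_fail_on_vulnerabilities() {
  "${trivy_cmd[@]}" --exit-code 1 "$target"
}

# … unchanged: argument check …

case "$scan_cmd" in
  repo) options=(--scanners config,secret,vuln) ;;
  image) options=(--scanners vuln) ;;
  *) options=(--scanners vuln,config,secret) ;;
esac

# … unchanged: set -u, set -x, SCRIPT_DIR, trivy_dir …

trivy_cmd=("$trivy_dir/trivy" "$scan_cmd" --no-progress --cache-dir "$HOME/.trivycache" "${options[@]}")
```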
@ -172,8 +172,8 @@ COPY ./src/ubuntu/install/cleanup $INST_SCRIPTS/cleanup/
|
|||||||
RUN bash $INST_SCRIPTS/cleanup/cleanup.sh && rm -rf $INST_SCRIPTS/cleanup/
|
RUN bash $INST_SCRIPTS/cleanup/cleanup.sh && rm -rf $INST_SCRIPTS/cleanup/
|
||||||
|
|
||||||
#### Runtime Stage ####
|
#### Runtime Stage ####
|
||||||
#FROM scratch
|
FROM scratch
|
||||||
#COPY --from=base_layer / /
|
COPY --from=base_layer / /
|
||||||
|
|
||||||
### Labels
|
### Labels
|
||||||
LABEL "org.opencontainers.image.authors"='Kasm Tech "info@kasmweb.com"'
|
LABEL "org.opencontainers.image.authors"='Kasm Tech "info@kasmweb.com"'
|
||||||
|
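Review bot: With the runtime stage now `FROM scratch` followed by `COPY --from=base_layer / /`, only the filesystem is carried over from base_layer; image configuration set in the earlier stage (`ENV`, `USER`, `EXPOSE`, `WORKDIR`, `ENTRYPOINT`) is not inherited and has to be restated in this stage. The hunk shows `### Labels` being re-applied right after the COPY, so the remaining metadata is presumably handled below the hunk; worth confirming in particular that a non-root `USER` is restated, since a scratch-based stage otherwise runs as root. A one-line comment above `FROM scratch`, e.g. `# Squash: copies only the filesystem; every runtime setting must be declared below this line`, would keep the next maintainer from setting one of these in the base stage only.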