add squash layers back in, add trivy

This commit is contained in:
Matthew McClaskey 2023-11-21 20:20:53 +00:00
parent d76366154a
commit a7c5411959
5 changed files with 143 additions and 2 deletions

14
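--- /dev/null
+++ b/ci-scripts/download-trivy
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -euo pipefail
+TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
+echo "$TRIVY_VERSION"
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+trivy_dir="${SCRIPT_DIR}/trivy"
+rm -rf $trivy_dir
+mkdir $trivy_dir
+cd $trivy_dir
+wget --no-verbose "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" -O - | tar -zxvf -
+cp "${SCRIPT_DIR}/junit.tpl" "${SCRIPT_DIR}/trivy/contrib/"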
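Review bot: The Trivy binary that later runs inside the pipeline is fetched from whatever `latest` resolves to (L16) and extracted straight from the network stream (L23) with no integrity check, so a compromised or tampered release would be executed unnoticed; pin `TRIVY_VERSION` to a known release and verify the archive against the checksums file published with each release before extracting. `rm -rf $trivy_dir`, `mkdir $trivy_dir` and `cd $trivy_dir` on L20-L22 are unquoted, and `trivy_dir` is derived from `SCRIPT_DIR`, which is empty when the `cd` inside the substitution fails — `rm -rf -- "${trivy_dir:?}"` both quotes the path and refuses to run on an empty value. Parsing the release JSON with `grep`/`sed` on L16 yields an empty string when the API response changes shape or is rate-limited, which then produces a malformed download URL; `jq -r .tag_name` is the usual tool if it is available in the CI image.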


@ -127,6 +127,66 @@ test_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
retry: 1 retry: 1
{% endfor %} {% endfor %}
######################################
# Vulnerability Scans #
######################################
{% for IMAGE in multiImages %}
scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
stage: scan
when: always
script:
- apk add bash
- (cd ci-scripts && bash download-trivy)
- bash ci/scan image ${ORG_NAME}/image-cache-private:$(arch)-core-{{ IMAGE.name1 }}-{{ IMAGE.name2 }}-${SANITIZED_BRANCH}-${CI_PIPELINE_ID}
{% if FILE_LIMITS %}only:
changes:
{% for FILE in files %}- {{ FILE }}
{% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }}
{% endfor %}{% endif %}
except:
variables:
- $README_USERNAME
- $README_PASSWORD
- $DOCKERHUB_REVERT
- $REVERT_IS_ROLLING
needs:
- build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}
when: on_success
tags:
- oci-fixed-amd
retry: 1
parallel:
matrix:
- ARCH: [ "x86_64", "aarch64" ]
{% endfor %}
{% for IMAGE in singleImages %}
scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
stage: scan
when: always
script:
- apk add bash
- (cd ci-scripts && bash download-trivy)
- bash ci/scan image ${ORG_NAME}/image-cache-private:x86_64-core-{{ IMAGE.name1 }}-{{ IMAGE.name2 }}-${SANITIZED_BRANCH}-${CI_PIPELINE_ID}
{% if FILE_LIMITS %}only:
changes:
{% for FILE in files %}- {{ FILE }}
{% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }}
{% endfor %}{% endif %}
except:
variables:
- $README_USERNAME
- $README_PASSWORD
- $DOCKERHUB_REVERT
- $REVERT_IS_ROLLING
needs:
- build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}
when: on_success
tags:
- oci-fixed-amd
retry: 1
{% endfor %}
############################################ ############################################
# Manifest Containers if their test passed # # Manifest Containers if their test passed #
############################################ ############################################
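Review bot: The JUnit report that `ci-scripts/scan` writes to `$CI_PROJECT_DIR/trivy-report.xml` is never collected, because neither new `scan_` job declares artifacts; add `artifacts: {when: always, reports: {junit: trivy-report.xml}}` to both job templates so the findings actually surface in the pipeline. The script path on L41 and L70 is `ci/scan`, while this commit adds the script as `ci-scripts/scan` and invokes its sibling as `(cd ci-scripts && bash download-trivy)` on L40 and L69 — unless a separate `ci/scan` exists, the job fails on a missing file. In the multiImages job the image tag is built from `$(arch)` on the runner rather than the `ARCH` matrix variable, and both matrix entries run on `oci-fixed-amd`, so the two parallel jobs presumably scan the same x86_64 image and the aarch64 image is never scanned; using `${ARCH}` in the tag (with a matching runner tag) would fix that.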

31
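--- /dev/null
+++ b/ci-scripts/junit.tpl
@@ -0,0 +1,31 @@
+<?xml version="1.0" ?>
+<testsuites name="trivy">
+{{- range . -}}
+{{- $failures := len .Vulnerabilities }}
+<testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{ .Target }}" errors="0" skipped="0" time="">
+{{- if not (eq .Type "") }}
+<properties>
+<property name="type" value="{{ .Type }}"></property>
+</properties>
+{{- end -}}
+{{ range .Vulnerabilities }}
+<testcase classname="{{ .PkgName }}-{{ .InstalledVersion }}" file="{{ if .FixedVersion -}} Upgrade to {{ .FixedVersion }} {{- else -}} No solution provided {{- end }}" name="[{{ .Vulnerability.Severity }}] {{ .VulnerabilityID }}" time="">
+<{{ if .FixedVersion -}}error{{- else -}}skipped{{- end }} message="{{ escapeXML .Title }}" type="description">Upgrade {{ .PkgName }} to {{ .FixedVersion }} - {{ escapeXML .Description }}</{{ if .FixedVersion -}}error{{- else -}}skipped{{- end }}>
+</testcase>
+{{- end }}
+</testsuite>
+{{- $failures := len .Misconfigurations }}
+<testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{ .Target }}" errors="0" skipped="0" time="">
+{{- if not (eq .Type "") }}
+<properties>
+<property name="type" value="{{ .Type }}"></property>
+</properties>
+{{- end -}}
+{{ range .Misconfigurations }}
+<testcase classname="{{ .Type }}" name="[{{ .Severity }}] {{ .ID }}" time="">
+<error message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</error>
+</testcase>
+{{- end }}
+</testsuite>
+{{- end }}
+</testsuites>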
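Review bot: Only `.Title` and `.Description` are passed through `escapeXML`; `.Target` (L102, L115), `.PkgName`/`.InstalledVersion`/`.FixedVersion` (L109-L110) and the misconfiguration `.ID` (L122) are interpolated raw into attribute values, so a target or package string containing `&`, `<` or `"` produces a malformed report that the CI JUnit parser will reject. Wrap them the same way, e.g. `name="{{ escapeXML .Target }}"`. The element body on L110 also reads `Upgrade {{ .PkgName }} to {{ .FixedVersion }}` in the `skipped` branch, where `.FixedVersion` is empty by construction of the surrounding `if`; guarding that text with the same `if .FixedVersion` avoids a misleading "Upgrade to " message for unfixed findings.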

36
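--- /dev/null
+++ b/ci-scripts/scan
@@ -0,0 +1,36 @@
+#!/bin/bash
+set -eo pipefail
+build_report() {
+$trivy_cmd --exit-code 0 --format template --template "@/$trivy_dir/contrib/junit.tpl" -o "$source_dir/trivy-report.xml" "$target"
+#$trivy_cmd --exit-code 0 --format json -o "$source_dir/report.json" "$target"
+}
+print_report_and_fail_on_vulnerabilities() {
+$trivy_cmd --exit-code 1 "$target"
+}
+scan_cmd="$1"
+target="$2"
+if [[ -z "$scan_cmd" || -z "$target" ]]; then
+echo >&2 "Usage: $(basename "$0") <repo|image> <target>"
+exit 1
+fi
+case "$scan_cmd" in
+repo) options="--scanners config,secret,vuln" ;;
+image) options="--scanners vuln" ;;
+*) options="--scanners vuln,config,secret" ;;
+esac
+set -u
+set -x
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+trivy_dir="${SCRIPT_DIR}/trivy"
+trivy_cmd="$trivy_dir/trivy $scan_cmd --no-progress --cache-dir $HOME/.trivycache $options"
+source_dir="${CI_PROJECT_DIR:-$trivy_dir}"
+build_report
+#print_report_and_fail_on_vulnerabilities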
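Review bot: As committed, the scan can never fail the pipeline: `build_report` runs Trivy with `--exit-code 0` (L138) and the only call that would enforce a threshold, `print_report_and_fail_on_vulnerabilities`, is commented out on L162, so the `scan_*` jobs are informational even for fixable critical findings. If that is deliberate for the first rollout, say so in a comment next to L162; otherwise re-enable the call, optionally narrowed with `--severity HIGH,CRITICAL --ignore-unfixed` so only actionable findings gate the build. `trivy_cmd` on L159 is a whitespace-split string expanded unquoted on L138 and L142, so a `SCRIPT_DIR` or `HOME` containing spaces breaks the invocation; a bash array such as `trivy_cmd=("$trivy_dir/trivy" "$scan_cmd" --no-progress --cache-dir "$HOME/.trivycache" $options)` invoked as `"${trivy_cmd[@]}"` keeps each argument intact. The template path `"@/$trivy_dir/contrib/junit.tpl"` on L138 doubles the leading slash because `trivy_dir` is already absolute; `"@$trivy_dir/contrib/junit.tpl"` is what is meant.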


@ -172,8 +172,8 @@ COPY ./src/ubuntu/install/cleanup $INST_SCRIPTS/cleanup/
RUN bash $INST_SCRIPTS/cleanup/cleanup.sh && rm -rf $INST_SCRIPTS/cleanup/ RUN bash $INST_SCRIPTS/cleanup/cleanup.sh && rm -rf $INST_SCRIPTS/cleanup/
#### Runtime Stage #### #### Runtime Stage ####
#FROM scratch FROM scratch
#COPY --from=base_layer / / COPY --from=base_layer / /
### Labels ### Labels
LABEL "org.opencontainers.image.authors"='Kasm Tech "info@kasmweb.com"' LABEL "org.opencontainers.image.authors"='Kasm Tech "info@kasmweb.com"'
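Review bot: Reading `FROM scratch` / `COPY --from=base_layer / /` as the new side (the page has lost the +/- markers, but the commit title says the squash is being added back), the squash copies only the filesystem: the image configuration of `base_layer` — `USER`, `ENV`, `WORKDIR`, `EXPOSE`, `ENTRYPOINT`/`CMD` — is not carried over by `COPY --from`, so unless each is redeclared later in the runtime stage (which continues outside the hunk) the squashed image runs as root with an empty environment. Worth confirming that the following lines redeclare at least `USER` and `ENTRYPOINT`, and adding a comment above `FROM scratch` recording that requirement, e.g. `# Squash stage: COPY --from copies files only; USER/ENV/ENTRYPOINT must be redeclared below`.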