feat(security): Render security scan results during build (#1451)

* feat(security): Render security scan results during build. * move devcontainer to tccr in workflows * move vscode devcontainer to tccr * add fake bump to force tests to actually run * ok * work on building docs out of the security scan * slight fix * try to output container scan data * done * whoops * output container scan output to file (crude) * temporaryily encapsulate trivy output with code tags * add some console output while running security scans
2021-12-03 19:31:19 +01:00 · 2021-12-03 19:31:19 +01:00 · e5e4c0950c
parent 462c2c167a
commit e5e4c0950c
7 changed files with 68 additions and 20 deletions
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@ -2,7 +2,7 @@
 // https://github.com/microsoft/vscode-dev-containers/tree/v0.154.0/containers/ruby
 {
    "name": "Ruby",
-    "image": "ghcr.io/truecharts/devcontainer:v2.1.0"
+    "image": "tccr.io/truecharts/devcontainer:v2.1.0"

    // Set *default* container specific settings.json values on container create.
    "settings": {
--- a/.github/workflows/apps.release.yaml
+++ b/.github/workflows/apps.release.yaml
@ -12,7 +12,7 @@ jobs:
    runs-on: ubuntu-latest
    concurrency: gitpush
    container:
-      image: ghcr.io/truecharts/devcontainer:v2.0.2
+      image: tccr.io/truecharts/devcontainer:v2.1.0
    steps:

      - uses: actions/checkout@v2
--- a/.github/workflows/apps.test.yaml
+++ b/.github/workflows/apps.test.yaml
@ -159,7 +159,7 @@ jobs:
  release-test:
    runs-on: ubuntu-latest
    container:
-      image: ghcr.io/truecharts/devcontainer:v2.0.2
+      image: tccr.io/truecharts/devcontainer:v2.1.0
    steps:
      - name: Cache helm repo cache
        id: cache
--- a/.github/workflows/common.test.yaml
+++ b/.github/workflows/common.test.yaml
@ -18,7 +18,7 @@ jobs:
    name: Unit and Lint tests
    runs-on: ubuntu-latest
    container:
-      image: ghcr.io/truecharts/devcontainer:v2.0.0
+      image: tccr.io/truecharts/devcontainer:v2.1.0
    steps:
      - name: Cache helm repo cache
        id: cache
--- a/.gitignore
+++ b/.gitignore
@ -45,4 +45,5 @@ charts/library/common-test/charts/
 .cr-release-packages/
 Chart.lock
 charts/**/charts/*.tgz
+charts/**/render/*
 catalog/
--- a/charts/stable/jackett/Chart.yaml
+++ b/charts/stable/jackett/Chart.yaml
@ -21,7 +21,7 @@ name: jackett
 sources:
 - https://github.com/Jackett/Jackett
 type: application
-version: 9.0.27
+version: 9.0.28
 annotations:
  truecharts.org/catagories: |
    - media
--- a/tools/build-release.sh
+++ b/tools/build-release.sh
@ -1,19 +1,4 @@
 #!/usr/bin/env bash
-
-# Copyright The Helm Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
 set -o errexit
 set -o nounset
 set -o pipefail
@ -81,6 +66,10 @@ main() {
                train=$(basename $(dirname "$chart"))
                SCALESUPPORT=$(cat ${chart}/Chart.yaml | yq '.annotations."truecharts.org/SCALE-support"' -r)
                sync_tag "$chart" "$chartname" "$train" "$chartversion" || echo "Tag sync failed..."
+                helm dependency update "${chart}" --skip-refresh || sleep 10 && helm dependency update "${chart}" --skip-refresh || sleep 10 &&  helm dependency update "${chart}" --skip-refresh
+                helm_sec_scan "$chart" "$chartname" "$train" "$chartversion" || echo "helm-chart security-scan failed..."
+                container_sec_scan "$chart" "$chartname" "$train" "$chartversion" || echo "container security-scan failed..."
+                sec_scan_cleanup "$chart" "$chartname" "$train" "$chartversion" || echo "security-scan cleanup failed..."
                create_changelog "$chart" "$chartname" "$train" "$chartversion" || echo "changelog generation failed..."
                generate_docs "$chart" "$chartname" "$train" "$chartversion" || echo "Docs generation failed..."
                copy_docs "$chart" "$chartname" "$train" "$chartversion" || echo "Docs Copy failed..."
@ -288,6 +277,63 @@ sync_tag() {
    sed -i -e "s|appVersion: .*|appVersion: \"${tag}\"|" "${chart}/Chart.yaml"
    }

+helm_sec_scan() {
+    local chart="$1"
+    local chartname="$2"
+    local train="$3"
+    local chartversion="$4"
+    echo "Scanning helm security for ${chartname}"
+    mkdir -p ${chart}/render
+    rm -rf ${chart}/sec-scan.md | echo "removing old sec-scan.md file failed..."
+    echo "# Security Scan" >> ${chart}/sec-scan.md
+    echo "" >> ${chart}/sec-scan.md
+    echo "## Helm-Chart" >> ${chart}/sec-scan.md
+    echo "" >> ${chart}/sec-scan.md
+    echo "##### Scan Results" >> ${chart}/sec-scan.md
+    echo "" >> ${chart}/sec-scan.md
+    helm template ${chart} --output-dir ${chart}/render
+    ## TODO: Cleanup security scan layout
+    echo '```' >> ${chart}/sec-scan.md
+    trivy config ${chart}/render >> ${chart}/sec-scan.md
+    echo '```' >> ${chart}/sec-scan.md
+    echo "" >> ${chart}/sec-scan.md
+    }
+
+container_sec_scan() {
+    local chart="$1"
+    local chartname="$2"
+    local train="$3"
+    local chartversion="$4"
+    echo "Scanning container security for ${chartname}"
+    echo "## Containers" >> ${chart}/sec-scan.md
+    echo "" >> ${chart}/sec-scan.md
+    echo "##### Detected Containers" >> ${chart}/sec-scan.md
+    echo "" >> ${chart}/sec-scan.md
+    find ${chart}/render/ -name '*.yaml' -type f -exec cat {} \; | grep image: | sed "s/image: //g" | sed "s/\"//g" >> ${chart}/render/containers.tmp
+    cat ${chart}/render/containers.tmp >> ${chart}/sec-scan.md
+    echo "" >> ${chart}/sec-scan.md
+    echo "##### Scan Results" >> ${chart}/sec-scan.md
+    echo "" >> ${chart}/sec-scan.md
+    ## TODO: Cleanup security scan layout
+    for container in $(cat ${chart}/render/containers.tmp); do
+      echo "**Container: ${container}**" >> ${chart}/sec-scan.md
+      echo "" >> ${chart}/sec-scan.md
+      echo '```' >> ${chart}/sec-scan.md
+      trivy image ${container} >> ${chart}/sec-scan.md
+      echo '```' >> ${chart}/sec-scan.md
+      echo "" >> ${chart}/sec-scan.md
+      done
+
+    }
+
+sec_scan_cleanup() {
+    local chart="$1"
+    local chartname="$2"
+    local train="$3"
+    local chartversion="$4"
+    rm -rf ${chart}/render
+    }
+
 pre_commit() {
    if [[ -z "$standalone" ]]; then
      echo "Running pre-commit test-and-cleanup..."
@ -397,6 +443,7 @@ copy_docs() {
        mkdir -p docs/apps/${train}/${chartname} || echo "app path already exists, continuing..."
        yes | cp -rf ${chart}/README.md docs/apps/${train}/${chartname}/index.md 2>/dev/null || :
        yes | cp -rf ${chart}/CHANGELOG.md docs/apps/${train}/${chartname}/CHANGELOG.md 2>/dev/null || :
+        yes | cp -rf ${chart}/sec-scan.md docs/apps/${train}/${chartname}/sec-scan.md 2>/dev/null || :
        yes | cp -rf ${chart}/CONFIG.md docs/apps/${train}/${chartname}/CONFIG.md 2>/dev/null || :
        yes | cp -rf ${chart}/helm-values.md docs/apps/${train}/${chartname}/helm-values.md 2>/dev/null || :
        rm docs/apps/${train}/${chartname}/LICENSE.md 2>/dev/null || :