From e5e4c0950c1eb8570b612eca867f2faa5271d0bd Mon Sep 17 00:00:00 2001 From: Kjeld Schouten-Lebbing Date: Fri, 3 Dec 2021 19:31:19 +0100 Subject: [PATCH] feat(security): Render security scan results during build (#1451) * feat(security): Render security scan results during build. * move devcontainer to tccr in workflows * move vscode devcontainer to tccr * add fake bump to force tests to actually run * ok * work on building docs out of the security scan * slight fix * try to output container scan data * done * whoops * output container scan output to file (crude) * temporaryily encapsulate trivy output with code tags * add some console output while running security scans --- .devcontainer/devcontainer.json | 2 +- .github/workflows/apps.release.yaml | 2 +- .github/workflows/apps.test.yaml | 2 +- .github/workflows/common.test.yaml | 2 +- .gitignore | 1 + charts/stable/jackett/Chart.yaml | 2 +- tools/build-release.sh | 77 +++++++++++++++++++++++------ 7 files changed, 68 insertions(+), 20 deletions(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 15065d01753..cefa8eea0c2 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -2,7 +2,7 @@ // https://github.com/microsoft/vscode-dev-containers/tree/v0.154.0/containers/ruby { "name": "Ruby", - "image": "ghcr.io/truecharts/devcontainer:v2.1.0" + "image": "tccr.io/truecharts/devcontainer:v2.1.0" // Set *default* container specific settings.json values on container create. "settings": { diff --git a/.github/workflows/apps.release.yaml b/.github/workflows/apps.release.yaml index a4dab6c68eb..a7590ab465c 100644 --- a/.github/workflows/apps.release.yaml +++ b/.github/workflows/apps.release.yaml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest concurrency: gitpush container: - image: ghcr.io/truecharts/devcontainer:v2.0.2 + image: tccr.io/truecharts/devcontainer:v2.1.0 steps: - uses: actions/checkout@v2 
diff --git a/.github/workflows/apps.test.yaml b/.github/workflows/apps.test.yaml index f9b4f071969..d936912b968 100644 --- a/.github/workflows/apps.test.yaml +++ b/.github/workflows/apps.test.yaml @@ -159,7 +159,7 @@ jobs: release-test: runs-on: ubuntu-latest container: - image: ghcr.io/truecharts/devcontainer:v2.0.2 + image: tccr.io/truecharts/devcontainer:v2.1.0 steps: - name: Cache helm repo cache id: cache diff --git a/.github/workflows/common.test.yaml b/.github/workflows/common.test.yaml index 97c3f0e5256..eeaa189dbdb 100644 --- a/.github/workflows/common.test.yaml +++ b/.github/workflows/common.test.yaml @@ -18,7 +18,7 @@ jobs: name: Unit and Lint tests runs-on: ubuntu-latest container: - image: ghcr.io/truecharts/devcontainer:v2.0.0 + image: tccr.io/truecharts/devcontainer:v2.1.0 steps: - name: Cache helm repo cache id: cache diff --git a/.gitignore b/.gitignore index 1d0b3ca23b5..6620e77cc45 100644 --- a/.gitignore +++ b/.gitignore @@ -45,4 +45,5 @@ charts/library/common-test/charts/ .cr-release-packages/ Chart.lock charts/**/charts/*.tgz +charts/**/render/* catalog/ diff --git a/charts/stable/jackett/Chart.yaml b/charts/stable/jackett/Chart.yaml index 434db2c4c4f..3754c7f72db 100644 --- a/charts/stable/jackett/Chart.yaml +++ b/charts/stable/jackett/Chart.yaml @@ -21,7 +21,7 @@ name: jackett sources: - https://github.com/Jackett/Jackett type: application -version: 9.0.27 +version: 9.0.28 annotations: truecharts.org/catagories: | - media diff --git a/tools/build-release.sh b/tools/build-release.sh index de5b80779dd..ed80e6e40f4 100755 --- a/tools/build-release.sh +++ b/tools/build-release.sh 
@@ -1,19 +1,4 @@ #!/usr/bin/env bash - -# Copyright The Helm Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - set -o errexit set -o nounset set -o pipefail @@ -81,6 +66,10 @@ main() { train=$(basename $(dirname "$chart")) SCALESUPPORT=$(cat ${chart}/Chart.yaml | yq '.annotations."truecharts.org/SCALE-support"' -r) sync_tag "$chart" "$chartname" "$train" "$chartversion" || echo "Tag sync failed..." + helm dependency update "${chart}" --skip-refresh || sleep 10 && helm dependency update "${chart}" --skip-refresh || sleep 10 && helm dependency update "${chart}" --skip-refresh + helm_sec_scan "$chart" "$chartname" "$train" "$chartversion" || echo "helm-chart security-scan failed..." + container_sec_scan "$chart" "$chartname" "$train" "$chartversion" || echo "container security-scan failed..." + sec_scan_cleanup "$chart" "$chartname" "$train" "$chartversion" || echo "security-scan cleanup failed..." create_changelog "$chart" "$chartname" "$train" "$chartversion" || echo "changelog generation failed..." generate_docs "$chart" "$chartname" "$train" "$chartversion" || echo "Docs generation failed..." copy_docs "$chart" "$chartname" "$train" "$chartversion" || echo "Docs Copy failed..." 
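Review bot: The new retry chain `helm dependency update … || sleep 10 && helm dependency update … || sleep 10 && helm dependency update …` does not express a retry: bash evaluates `a || b && c || d && e` strictly left to right, so once the first update succeeds `(a || b)` is true and the second update still runs, giving three updates on the happy path and a `sleep 10` that fires on the failure of whatever command happens to precede it. Grouping the fallbacks makes the intent explicit and keeps the existing errexit behaviour on a third failure: `helm dependency update "${chart}" --skip-refresh || { sleep 10; helm dependency update "${chart}" --skip-refresh; } || { sleep 10; helm dependency update "${chart}" --skip-refresh; }`. Separately, `helm_sec_scan` and `container_sec_scan` are both followed by `|| echo …`, so a trivy error (or any finding it reports) never changes the build's exit status; if that is deliberate, a comment such as `# security scans are informational only; their findings must not block the release` above these calls would stop the next reader from assuming releases are gated on the scan. main() begins before this hunk and continues past it.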
@@ -288,6 +277,63 @@ sync_tag() { sed -i -e "s|appVersion: .*|appVersion: \"${tag}\"|" "${chart}/Chart.yaml" } +helm_sec_scan() { + local chart="$1" + local chartname="$2" + local train="$3" + local chartversion="$4" + echo "Scanning helm security for ${chartname}" + mkdir -p ${chart}/render + rm -rf ${chart}/sec-scan.md | echo "removing old sec-scan.md file failed..." + echo "# Security Scan" >> ${chart}/sec-scan.md + echo "" >> ${chart}/sec-scan.md + echo "## Helm-Chart" >> ${chart}/sec-scan.md + echo "" >> ${chart}/sec-scan.md + echo "##### Scan Results" >> ${chart}/sec-scan.md + echo "" >> ${chart}/sec-scan.md + helm template ${chart} --output-dir ${chart}/render + ## TODO: Cleanup security scan layout + echo '```' >> ${chart}/sec-scan.md + trivy config ${chart}/render >> ${chart}/sec-scan.md + echo '```' >> ${chart}/sec-scan.md + echo "" >> ${chart}/sec-scan.md + } + +container_sec_scan() { + local chart="$1" + local chartname="$2" + local train="$3" + local chartversion="$4" + echo "Scanning container security for ${chartname}" + echo "## Containers" >> ${chart}/sec-scan.md + echo "" >> ${chart}/sec-scan.md + echo "##### Detected Containers" >> ${chart}/sec-scan.md + echo "" >> ${chart}/sec-scan.md + find ${chart}/render/ -name '*.yaml' -type f -exec cat {} \; | grep image: | sed "s/image: //g" | sed "s/\"//g" >> ${chart}/render/containers.tmp + cat ${chart}/render/containers.tmp >> ${chart}/sec-scan.md + echo "" >> ${chart}/sec-scan.md + echo "##### Scan Results" >> ${chart}/sec-scan.md + echo "" >> ${chart}/sec-scan.md + ## TODO: Cleanup security scan layout + for container in $(cat ${chart}/render/containers.tmp); do + echo "**Container: ${container}**" >> ${chart}/sec-scan.md + echo "" >> ${chart}/sec-scan.md + echo '```' >> ${chart}/sec-scan.md + trivy image ${container} >> ${chart}/sec-scan.md + echo '```' >> ${chart}/sec-scan.md + echo "" >> ${chart}/sec-scan.md + done + + } + +sec_scan_cleanup() { + local chart="$1" + local chartname="$2" + local 
train="$3" + local chartversion="$4" + rm -rf ${chart}/render + } + pre_commit() { if [[ -z "$standalone" ]]; then echo "Running pre-commit test-and-cleanup..." @@ -397,6 +443,7 @@ copy_docs() { mkdir -p docs/apps/${train}/${chartname} || echo "app path already exists, continuing..." yes | cp -rf ${chart}/README.md docs/apps/${train}/${chartname}/index.md 2>/dev/null || : yes | cp -rf ${chart}/CHANGELOG.md docs/apps/${train}/${chartname}/CHANGELOG.md 2>/dev/null || : + yes | cp -rf ${chart}/sec-scan.md docs/apps/${train}/${chartname}/sec-scan.md 2>/dev/null || : yes | cp -rf ${chart}/CONFIG.md docs/apps/${train}/${chartname}/CONFIG.md 2>/dev/null || : yes | cp -rf ${chart}/helm-values.md docs/apps/${train}/${chartname}/helm-values.md 2>/dev/null || : rm docs/apps/${train}/${chartname}/LICENSE.md 2>/dev/null || :
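Review bot: The image list that drives `trivy image` in `container_sec_scan` comes from `grep image:` over the rendered manifests, so any line containing `image:` (values rendered into a ConfigMap, comments) ends up in the scan list, the same image is scanned once per occurrence, and `for container in $(cat …)` word-splits each entry. Since the script already drives yq with jq-style filters, extracting `.image` from every object in the rendered documents and piping through `sort -u` is more precise and cheaper, with the loop reading the file line by line; if the rendered files do not each start with a `---` separator, feed them to yq one at a time instead of concatenating. In `helm_sec_scan`, `rm -rf ${chart}/sec-scan.md | echo "removing old sec-scan.md file failed..."` is a single pipe, so the message is printed on every run and the rm status is never examined — it should be `||`. The scans also run without `--exit-code`/`--severity`, the callers swallow the function's status, and the scanned image is whatever the tag resolves to at build time, so the published sec-scan.md is a point-in-time snapshot rather than a gate; that deserves a comment above the trivy loop. Lastly, `rm -rf ${chart}/render` in `sec_scan_cleanup` would be safer as `rm -rf -- "${chart:?}/render"` so an empty variable cannot expand to a path at the filesystem root.
```shell
  # … unchanged: local args, "## Containers" / "##### Detected Containers" headings …
  # Pull every image reference out of the rendered documents (containers and
  # initContainers alike) and de-duplicate, so each image is scanned once.
  find "${chart}/render/" -name '*.yaml' -type f -exec cat {} + \
    | yq -r '.. | objects | select(has("image")) | .image | strings' \
    | sort -u > "${chart}/render/containers.tmp"
  cat "${chart}/render/containers.tmp" >> "${chart}/sec-scan.md"
  # … unchanged: "##### Scan Results" heading …
  # Informational only: the caller swallows this function's exit status, so
  # findings are rendered into sec-scan.md but never block the release.
  while IFS= read -r container; do
    [[ -n "${container}" ]] || continue
    # … unchanged: per-container heading and opening code fence …
    trivy image "${container}" >> "${chart}/sec-scan.md"
    # … unchanged: closing code fence and blank line …
  done < "${chart}/render/containers.tmp"
```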