feat(security): Render security scan results during build (#1451)

* feat(security): Render security scan results during build.

* move devcontainer to tccr in workflows

* move vscode devcontainer to tccr

* add fake bump to force tests to actually run

* ok

* work on building docs out of the security scan

* slight fix

* try to output container scan data

* done

* whoops

* output container scan output to file (crude)

* temporarily encapsulate trivy output with code tags

* add some console output while running security scans
Kjeld Schouten-Lebbing 2021-12-03 19:31:19 +01:00 committed by GitHub
parent 462c2c167a
commit e5e4c0950c
7 changed files with 68 additions and 20 deletions


@ -2,7 +2,7 @@
// https://github.com/microsoft/vscode-dev-containers/tree/v0.154.0/containers/ruby // https://github.com/microsoft/vscode-dev-containers/tree/v0.154.0/containers/ruby
{ {
"name": "Ruby", "name": "Ruby",
"image": "ghcr.io/truecharts/devcontainer:v2.1.0" "image": "tccr.io/truecharts/devcontainer:v2.1.0"
// Set *default* container specific settings.json values on container create. // Set *default* container specific settings.json values on container create.
"settings": { "settings": {


@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
concurrency: gitpush concurrency: gitpush
container: container:
image: ghcr.io/truecharts/devcontainer:v2.0.2 image: tccr.io/truecharts/devcontainer:v2.1.0
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2


@ -159,7 +159,7 @@ jobs:
release-test: release-test:
runs-on: ubuntu-latest runs-on: ubuntu-latest
container: container:
image: ghcr.io/truecharts/devcontainer:v2.0.2 image: tccr.io/truecharts/devcontainer:v2.1.0
steps: steps:
- name: Cache helm repo cache - name: Cache helm repo cache
id: cache id: cache


@ -18,7 +18,7 @@ jobs:
name: Unit and Lint tests name: Unit and Lint tests
runs-on: ubuntu-latest runs-on: ubuntu-latest
container: container:
image: ghcr.io/truecharts/devcontainer:v2.0.0 image: tccr.io/truecharts/devcontainer:v2.1.0
steps: steps:
- name: Cache helm repo cache - name: Cache helm repo cache
id: cache id: cache

.gitignore vendored

@ -45,4 +45,5 @@ charts/library/common-test/charts/
.cr-release-packages/ .cr-release-packages/
Chart.lock Chart.lock
charts/**/charts/*.tgz charts/**/charts/*.tgz
charts/**/render/*
catalog/ catalog/


@ -21,7 +21,7 @@ name: jackett
sources: sources:
- https://github.com/Jackett/Jackett - https://github.com/Jackett/Jackett
type: application type: application
version: 9.0.27 version: 9.0.28
annotations: annotations:
truecharts.org/catagories: | truecharts.org/catagories: |
- media - media


@ -1,19 +1,4 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# Copyright The Helm Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -o errexit set -o errexit
set -o nounset set -o nounset
set -o pipefail set -o pipefail
@ -81,6 +66,10 @@ main() {
train=$(basename $(dirname "$chart")) train=$(basename $(dirname "$chart"))
SCALESUPPORT=$(cat ${chart}/Chart.yaml | yq '.annotations."truecharts.org/SCALE-support"' -r) SCALESUPPORT=$(cat ${chart}/Chart.yaml | yq '.annotations."truecharts.org/SCALE-support"' -r)
sync_tag "$chart" "$chartname" "$train" "$chartversion" || echo "Tag sync failed..." sync_tag "$chart" "$chartname" "$train" "$chartversion" || echo "Tag sync failed..."
helm dependency update "${chart}" --skip-refresh || sleep 10 && helm dependency update "${chart}" --skip-refresh || sleep 10 && helm dependency update "${chart}" --skip-refresh
helm_sec_scan "$chart" "$chartname" "$train" "$chartversion" || echo "helm-chart security-scan failed..."
container_sec_scan "$chart" "$chartname" "$train" "$chartversion" || echo "container security-scan failed..."
sec_scan_cleanup "$chart" "$chartname" "$train" "$chartversion" || echo "security-scan cleanup failed..."
create_changelog "$chart" "$chartname" "$train" "$chartversion" || echo "changelog generation failed..." create_changelog "$chart" "$chartname" "$train" "$chartversion" || echo "changelog generation failed..."
generate_docs "$chart" "$chartname" "$train" "$chartversion" || echo "Docs generation failed..." generate_docs "$chart" "$chartname" "$train" "$chartversion" || echo "Docs generation failed..."
copy_docs "$chart" "$chartname" "$train" "$chartversion" || echo "Docs Copy failed..." copy_docs "$chart" "$chartname" "$train" "$chartversion" || echo "Docs Copy failed..."
@ -288,6 +277,63 @@ sync_tag() {
sed -i -e "s|appVersion: .*|appVersion: \"${tag}\"|" "${chart}/Chart.yaml" sed -i -e "s|appVersion: .*|appVersion: \"${tag}\"|" "${chart}/Chart.yaml"
} }
helm_sec_scan() {
local chart="$1"
local chartname="$2"
local train="$3"
local chartversion="$4"
echo "Scanning helm security for ${chartname}"
mkdir -p ${chart}/render
rm -rf ${chart}/sec-scan.md | echo "removing old sec-scan.md file failed..."
echo "# Security Scan" >> ${chart}/sec-scan.md
echo "" >> ${chart}/sec-scan.md
echo "## Helm-Chart" >> ${chart}/sec-scan.md
echo "" >> ${chart}/sec-scan.md
echo "##### Scan Results" >> ${chart}/sec-scan.md
echo "" >> ${chart}/sec-scan.md
helm template ${chart} --output-dir ${chart}/render
## TODO: Cleanup security scan layout
echo '```' >> ${chart}/sec-scan.md
trivy config ${chart}/render >> ${chart}/sec-scan.md
echo '```' >> ${chart}/sec-scan.md
echo "" >> ${chart}/sec-scan.md
}
container_sec_scan() {
local chart="$1"
local chartname="$2"
local train="$3"
local chartversion="$4"
echo "Scanning container security for ${chartname}"
echo "## Containers" >> ${chart}/sec-scan.md
echo "" >> ${chart}/sec-scan.md
echo "##### Detected Containers" >> ${chart}/sec-scan.md
echo "" >> ${chart}/sec-scan.md
find ${chart}/render/ -name '*.yaml' -type f -exec cat {} \; | grep image: | sed "s/image: //g" | sed "s/\"//g" >> ${chart}/render/containers.tmp
cat ${chart}/render/containers.tmp >> ${chart}/sec-scan.md
echo "" >> ${chart}/sec-scan.md
echo "##### Scan Results" >> ${chart}/sec-scan.md
echo "" >> ${chart}/sec-scan.md
## TODO: Cleanup security scan layout
for container in $(cat ${chart}/render/containers.tmp); do
echo "**Container: ${container}**" >> ${chart}/sec-scan.md
echo "" >> ${chart}/sec-scan.md
echo '```' >> ${chart}/sec-scan.md
trivy image ${container} >> ${chart}/sec-scan.md
echo '```' >> ${chart}/sec-scan.md
echo "" >> ${chart}/sec-scan.md
done
}
sec_scan_cleanup() {
local chart="$1"
local chartname="$2"
local train="$3"
local chartversion="$4"
rm -rf ${chart}/render
}
pre_commit() { pre_commit() {
if [[ -z "$standalone" ]]; then if [[ -z "$standalone" ]]; then
echo "Running pre-commit test-and-cleanup..." echo "Running pre-commit test-and-cleanup..."
@ -397,6 +443,7 @@ copy_docs() {
mkdir -p docs/apps/${train}/${chartname} || echo "app path already exists, continuing..." mkdir -p docs/apps/${train}/${chartname} || echo "app path already exists, continuing..."
yes | cp -rf ${chart}/README.md docs/apps/${train}/${chartname}/index.md 2>/dev/null || : yes | cp -rf ${chart}/README.md docs/apps/${train}/${chartname}/index.md 2>/dev/null || :
yes | cp -rf ${chart}/CHANGELOG.md docs/apps/${train}/${chartname}/CHANGELOG.md 2>/dev/null || : yes | cp -rf ${chart}/CHANGELOG.md docs/apps/${train}/${chartname}/CHANGELOG.md 2>/dev/null || :
yes | cp -rf ${chart}/sec-scan.md docs/apps/${train}/${chartname}/sec-scan.md 2>/dev/null || :
yes | cp -rf ${chart}/CONFIG.md docs/apps/${train}/${chartname}/CONFIG.md 2>/dev/null || : yes | cp -rf ${chart}/CONFIG.md docs/apps/${train}/${chartname}/CONFIG.md 2>/dev/null || :
yes | cp -rf ${chart}/helm-values.md docs/apps/${train}/${chartname}/helm-values.md 2>/dev/null || : yes | cp -rf ${chart}/helm-values.md docs/apps/${train}/${chartname}/helm-values.md 2>/dev/null || :
rm docs/apps/${train}/${chartname}/LICENSE.md 2>/dev/null || : rm docs/apps/${train}/${chartname}/LICENSE.md 2>/dev/null || :
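Review bot: The image list in `container_sec_scan` is built from a bare substring match, `grep image:`, then `sed "s/image: //g"`, and appended with `>>` to containers.tmp, so any line containing `image:` anywhere is taken, a `- image:` list item would keep its leading `-` and be split into two loop words by `for container in $(cat …)`, duplicate images are scanned repeatedly, and stale entries survive if a previous `sec_scan_cleanup` failed. Anchoring the match, stripping everything up to the value, deduplicating and truncating instead of appending makes the list the scanner sees predictable: `find "${chart}/render/" -name '*.yaml' -type f -exec cat {} + | grep -E '^[[:space:]]*(- )?image:' | sed -E 's/^.*image:[[:space:]]*//; s/"//g' | sort -u > "${chart}/render/containers.tmp"`. In `helm_sec_scan` the line `rm -rf ${chart}/sec-scan.md | echo "removing old sec-scan.md file failed..."` uses a pipe rather than `||`, so the "failed" message is printed on every run and the exit status of rm is never examined; `rm -f -- "${chart}/sec-scan.md" || echo "removing old sec-scan.md file failed..."` gives the intended meaning. Because these functions are invoked from main with `|| echo`, errexit is suspended inside them, so a trivy failure on one image only produces the generic "container security-scan failed..." message and an empty fenced block in sec-scan.md; logging the failing image, e.g. `trivy image "${container}" >> "${chart}/sec-scan.md" || echo "trivy scan of ${container} failed..."`, would keep the published report honest about what was not scanned.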