feat(security): Render security scan results during build (#1451)
* feat(security): Render security scan results during build. * move devcontainer to tccr in workflows * move vscode devcontainer to tccr * add fake bump to force tests to actually run * ok * work on building docs out of the security scan * slight fix * try to output container scan data * done * whoops * output container scan output to file (crude) * temporaryily encapsulate trivy output with code tags * add some console output while running security scans
This commit is contained in:
parent
462c2c167a
commit
e5e4c0950c
|
@ -2,7 +2,7 @@
|
|||
// https://github.com/microsoft/vscode-dev-containers/tree/v0.154.0/containers/ruby
|
||||
{
|
||||
"name": "Ruby",
|
||||
"image": "ghcr.io/truecharts/devcontainer:v2.1.0"
|
||||
"image": "tccr.io/truecharts/devcontainer:v2.1.0"
|
||||
|
||||
// Set *default* container specific settings.json values on container create.
|
||||
"settings": {
|
||||
|
|
|
@ -12,7 +12,7 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
concurrency: gitpush
|
||||
container:
|
||||
image: ghcr.io/truecharts/devcontainer:v2.0.2
|
||||
image: tccr.io/truecharts/devcontainer:v2.1.0
|
||||
steps:
|
||||
|
||||
- uses: actions/checkout@v2
|
||||
|
|
|
@ -159,7 +159,7 @@ jobs:
|
|||
release-test:
|
||||
runs-on: ubuntu-latest
|
||||
container:
|
||||
image: ghcr.io/truecharts/devcontainer:v2.0.2
|
||||
image: tccr.io/truecharts/devcontainer:v2.1.0
|
||||
steps:
|
||||
- name: Cache helm repo cache
|
||||
id: cache
|
||||
|
|
|
@ -18,7 +18,7 @@ jobs:
|
|||
name: Unit and Lint tests
|
||||
runs-on: ubuntu-latest
|
||||
container:
|
||||
image: ghcr.io/truecharts/devcontainer:v2.0.0
|
||||
image: tccr.io/truecharts/devcontainer:v2.1.0
|
||||
steps:
|
||||
- name: Cache helm repo cache
|
||||
id: cache
|
||||
|
|
|
@ -45,4 +45,5 @@ charts/library/common-test/charts/
|
|||
.cr-release-packages/
|
||||
Chart.lock
|
||||
charts/**/charts/*.tgz
|
||||
charts/**/render/*
|
||||
catalog/
|
||||
|
|
|
@ -21,7 +21,7 @@ name: jackett
|
|||
sources:
|
||||
- https://github.com/Jackett/Jackett
|
||||
type: application
|
||||
version: 9.0.27
|
||||
version: 9.0.28
|
||||
annotations:
|
||||
truecharts.org/catagories: |
|
||||
- media
|
||||
|
|
|
@ -1,19 +1,4 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
# Copyright The Helm Authors
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# https://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
set -o errexit
|
||||
set -o nounset
|
||||
set -o pipefail
|
||||
|
@ -81,6 +66,10 @@ main() {
|
|||
train=$(basename $(dirname "$chart"))
|
||||
SCALESUPPORT=$(cat ${chart}/Chart.yaml | yq '.annotations."truecharts.org/SCALE-support"' -r)
|
||||
sync_tag "$chart" "$chartname" "$train" "$chartversion" || echo "Tag sync failed..."
|
||||
helm dependency update "${chart}" --skip-refresh || sleep 10 && helm dependency update "${chart}" --skip-refresh || sleep 10 && helm dependency update "${chart}" --skip-refresh
|
||||
helm_sec_scan "$chart" "$chartname" "$train" "$chartversion" || echo "helm-chart security-scan failed..."
|
||||
container_sec_scan "$chart" "$chartname" "$train" "$chartversion" || echo "container security-scan failed..."
|
||||
sec_scan_cleanup "$chart" "$chartname" "$train" "$chartversion" || echo "security-scan cleanup failed..."
|
||||
create_changelog "$chart" "$chartname" "$train" "$chartversion" || echo "changelog generation failed..."
|
||||
generate_docs "$chart" "$chartname" "$train" "$chartversion" || echo "Docs generation failed..."
|
||||
copy_docs "$chart" "$chartname" "$train" "$chartversion" || echo "Docs Copy failed..."
|
||||
|
@ -288,6 +277,63 @@ sync_tag() {
|
|||
sed -i -e "s|appVersion: .*|appVersion: \"${tag}\"|" "${chart}/Chart.yaml"
|
||||
}
|
||||
|
||||
helm_sec_scan() {
|
||||
local chart="$1"
|
||||
local chartname="$2"
|
||||
local train="$3"
|
||||
local chartversion="$4"
|
||||
echo "Scanning helm security for ${chartname}"
|
||||
mkdir -p ${chart}/render
|
||||
rm -rf ${chart}/sec-scan.md | echo "removing old sec-scan.md file failed..."
|
||||
echo "# Security Scan" >> ${chart}/sec-scan.md
|
||||
echo "" >> ${chart}/sec-scan.md
|
||||
echo "## Helm-Chart" >> ${chart}/sec-scan.md
|
||||
echo "" >> ${chart}/sec-scan.md
|
||||
echo "##### Scan Results" >> ${chart}/sec-scan.md
|
||||
echo "" >> ${chart}/sec-scan.md
|
||||
helm template ${chart} --output-dir ${chart}/render
|
||||
## TODO: Cleanup security scan layout
|
||||
echo '```' >> ${chart}/sec-scan.md
|
||||
trivy config ${chart}/render >> ${chart}/sec-scan.md
|
||||
echo '```' >> ${chart}/sec-scan.md
|
||||
echo "" >> ${chart}/sec-scan.md
|
||||
}
|
||||
|
||||
container_sec_scan() {
|
||||
local chart="$1"
|
||||
local chartname="$2"
|
||||
local train="$3"
|
||||
local chartversion="$4"
|
||||
echo "Scanning container security for ${chartname}"
|
||||
echo "## Containers" >> ${chart}/sec-scan.md
|
||||
echo "" >> ${chart}/sec-scan.md
|
||||
echo "##### Detected Containers" >> ${chart}/sec-scan.md
|
||||
echo "" >> ${chart}/sec-scan.md
|
||||
find ${chart}/render/ -name '*.yaml' -type f -exec cat {} \; | grep image: | sed "s/image: //g" | sed "s/\"//g" >> ${chart}/render/containers.tmp
|
||||
cat ${chart}/render/containers.tmp >> ${chart}/sec-scan.md
|
||||
echo "" >> ${chart}/sec-scan.md
|
||||
echo "##### Scan Results" >> ${chart}/sec-scan.md
|
||||
echo "" >> ${chart}/sec-scan.md
|
||||
## TODO: Cleanup security scan layout
|
||||
for container in $(cat ${chart}/render/containers.tmp); do
|
||||
echo "**Container: ${container}**" >> ${chart}/sec-scan.md
|
||||
echo "" >> ${chart}/sec-scan.md
|
||||
echo '```' >> ${chart}/sec-scan.md
|
||||
trivy image ${container} >> ${chart}/sec-scan.md
|
||||
echo '```' >> ${chart}/sec-scan.md
|
||||
echo "" >> ${chart}/sec-scan.md
|
||||
done
|
||||
|
||||
}
|
||||
|
||||
sec_scan_cleanup() {
|
||||
local chart="$1"
|
||||
local chartname="$2"
|
||||
local train="$3"
|
||||
local chartversion="$4"
|
||||
rm -rf ${chart}/render
|
||||
}
|
||||
|
||||
pre_commit() {
|
||||
if [[ -z "$standalone" ]]; then
|
||||
echo "Running pre-commit test-and-cleanup..."
|
||||
|
@ -397,6 +443,7 @@ copy_docs() {
|
|||
mkdir -p docs/apps/${train}/${chartname} || echo "app path already exists, continuing..."
|
||||
yes | cp -rf ${chart}/README.md docs/apps/${train}/${chartname}/index.md 2>/dev/null || :
|
||||
yes | cp -rf ${chart}/CHANGELOG.md docs/apps/${train}/${chartname}/CHANGELOG.md 2>/dev/null || :
|
||||
yes | cp -rf ${chart}/sec-scan.md docs/apps/${train}/${chartname}/sec-scan.md 2>/dev/null || :
|
||||
yes | cp -rf ${chart}/CONFIG.md docs/apps/${train}/${chartname}/CONFIG.md 2>/dev/null || :
|
||||
yes | cp -rf ${chart}/helm-values.md docs/apps/${train}/${chartname}/helm-values.md 2>/dev/null || :
|
||||
rm docs/apps/${train}/${chartname}/LICENSE.md 2>/dev/null || :
|
||||
|
|
Loading…
Reference in New Issue