
default security-checks flag to vuln and allow it to be tuned via env…
… var (#261)

* default security-checks flag to vuln and allow it to be tuned via env
var

* fix integration tests

* fix formatting

* update docs
dkulchinsky committed Sep 28, 2022
1 parent 3673e5c commit b19cf82
Showing 8 changed files with 113 additions and 94 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -143,6 +143,7 @@ Configuration of the adapter is done via environment variables at startup.
| `SCANNER_TRIVY_REPORTS_DIR` | `/home/scanner/.cache/reports` | Trivy reports directory |
| `SCANNER_TRIVY_DEBUG_MODE` | `false` | The flag to enable or disable Trivy debug mode |
| `SCANNER_TRIVY_VULN_TYPE` | `os,library` | Comma-separated list of vulnerability types. Possible values are `os` and `library`. |
| `SCANNER_TRIVY_SECURITY_CHECKS` | `vuln,config,secret` | comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`. |
| `SCANNER_TRIVY_SEVERITY` | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Comma-separated list of vulnerabilities severities to be displayed |
| `SCANNER_TRIVY_IGNORE_UNFIXED` | `false` | The flag to display only fixed vulnerabilities |
| `SCANNER_TRIVY_IGNORE_POLICY` | `` | The path for the Trivy ignore policy OPA Rego file |
25 changes: 13 additions & 12 deletions pkg/etc/config.go
Expand Up @@ -24,18 +24,19 @@ type Config struct {
}

type Trivy struct {
CacheDir string `env:"SCANNER_TRIVY_CACHE_DIR" envDefault:"/home/scanner/.cache/trivy"`
ReportsDir string `env:"SCANNER_TRIVY_REPORTS_DIR" envDefault:"/home/scanner/.cache/reports"`
DebugMode bool `env:"SCANNER_TRIVY_DEBUG_MODE" envDefault:"false"`
VulnType string `env:"SCANNER_TRIVY_VULN_TYPE" envDefault:"os,library"`
Severity string `env:"SCANNER_TRIVY_SEVERITY" envDefault:"UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"`
IgnoreUnfixed bool `env:"SCANNER_TRIVY_IGNORE_UNFIXED" envDefault:"false"`
IgnorePolicy string `env:"SCANNER_TRIVY_IGNORE_POLICY"`
SkipUpdate bool `env:"SCANNER_TRIVY_SKIP_UPDATE" envDefault:"false"`
OfflineScan bool `env:"SCANNER_TRIVY_OFFLINE_SCAN" envDefault:"false"`
GitHubToken string `env:"SCANNER_TRIVY_GITHUB_TOKEN"`
Insecure bool `env:"SCANNER_TRIVY_INSECURE" envDefault:"false"`
Timeout time.Duration `env:"SCANNER_TRIVY_TIMEOUT" envDefault:"5m0s"`
CacheDir string `env:"SCANNER_TRIVY_CACHE_DIR" envDefault:"/home/scanner/.cache/trivy"`
ReportsDir string `env:"SCANNER_TRIVY_REPORTS_DIR" envDefault:"/home/scanner/.cache/reports"`
DebugMode bool `env:"SCANNER_TRIVY_DEBUG_MODE" envDefault:"false"`
VulnType string `env:"SCANNER_TRIVY_VULN_TYPE" envDefault:"os,library"`
SecurityChecks string `env:"SCANNER_TRIVY_SECURITY_CHECKS" envDefault:"vuln"`
Severity string `env:"SCANNER_TRIVY_SEVERITY" envDefault:"UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"`
IgnoreUnfixed bool `env:"SCANNER_TRIVY_IGNORE_UNFIXED" envDefault:"false"`
IgnorePolicy string `env:"SCANNER_TRIVY_IGNORE_POLICY"`
SkipUpdate bool `env:"SCANNER_TRIVY_SKIP_UPDATE" envDefault:"false"`
OfflineScan bool `env:"SCANNER_TRIVY_OFFLINE_SCAN" envDefault:"false"`
GitHubToken string `env:"SCANNER_TRIVY_GITHUB_TOKEN"`
Insecure bool `env:"SCANNER_TRIVY_INSECURE" envDefault:"false"`
Timeout time.Duration `env:"SCANNER_TRIVY_TIMEOUT" envDefault:"5m0s"`
}

type API struct {
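Review bot: The new `SecurityChecks string` field is a free-form value that nothing validates at configuration load time; it is handed to Trivy as-is, so a misspelled or unsupported entry (the README row in this same commit names `vuln`, `config` and `secret` as the accepted values) is only discovered when a scan fails, not at startup like a bad `Timeout` would be. A doc comment on the field would at least make the contract visible: `// SecurityChecks is the comma-separated list passed to trivy --security-checks (vuln, config, secret); values are validated by trivy, not here.` Note also that the README row added in this commit shows `vuln,config,secret` in its default column while `envDefault` here is `vuln` and the row's own text says "Defaults to `vuln`" — the default column should read `vuln`. The `Trivy` struct is fully visible in this hunk; the enclosing `Config` type starts above it.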
80 changes: 42 additions & 38 deletions pkg/etc/config_test.go
Expand Up @@ -67,14 +67,15 @@ func TestGetConfig(t *testing.T) {
IdleTimeout: parseDuration(t, "60s"),
},
Trivy: Trivy{
DebugMode: true,
CacheDir: "/home/scanner/.cache/trivy",
ReportsDir: "/home/scanner/.cache/reports",
VulnType: "os,library",
Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
Insecure: false,
GitHubToken: "",
Timeout: parseDuration(t, "5m0s"),
DebugMode: true,
CacheDir: "/home/scanner/.cache/trivy",
ReportsDir: "/home/scanner/.cache/reports",
VulnType: "os,library",
SecurityChecks: "vuln",
Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
Insecure: false,
GitHubToken: "",
Timeout: parseDuration(t, "5m0s"),
},
RedisPool: RedisPool{
URL: "redis://localhost:6379",
Expand Down Expand Up @@ -105,14 +106,15 @@ func TestGetConfig(t *testing.T) {
IdleTimeout: parseDuration(t, "60s"),
},
Trivy: Trivy{
DebugMode: false,
CacheDir: "/home/scanner/.cache/trivy",
ReportsDir: "/home/scanner/.cache/reports",
VulnType: "os,library",
Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
Insecure: false,
GitHubToken: "",
Timeout: parseDuration(t, "5m0s"),
DebugMode: false,
CacheDir: "/home/scanner/.cache/trivy",
ReportsDir: "/home/scanner/.cache/reports",
VulnType: "os,library",
SecurityChecks: "vuln",
Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
Insecure: false,
GitHubToken: "",
Timeout: parseDuration(t, "5m0s"),
},
RedisPool: RedisPool{
URL: "redis://localhost:6379",
Expand Down Expand Up @@ -146,17 +148,18 @@ func TestGetConfig(t *testing.T) {
"SCANNER_API_SERVER_WRITE_TIMEOUT": "2m",
"SCANNER_API_SERVER_IDLE_TIMEOUT": "3m10s",

"SCANNER_TRIVY_CACHE_DIR": "/home/scanner/trivy-cache",
"SCANNER_TRIVY_REPORTS_DIR": "/home/scanner/trivy-reports",
"SCANNER_TRIVY_DEBUG_MODE": "true",
"SCANNER_TRIVY_VULN_TYPE": "os,library",
"SCANNER_TRIVY_SEVERITY": "CRITICAL",
"SCANNER_TRIVY_IGNORE_UNFIXED": "true",
"SCANNER_TRIVY_INSECURE": "true",
"SCANNER_TRIVY_SKIP_UPDATE": "true",
"SCANNER_TRIVY_OFFLINE_SCAN": "true",
"SCANNER_TRIVY_GITHUB_TOKEN": "<GITHUB_TOKEN>",
"SCANNER_TRIVY_TIMEOUT": "15m30s",
"SCANNER_TRIVY_CACHE_DIR": "/home/scanner/trivy-cache",
"SCANNER_TRIVY_REPORTS_DIR": "/home/scanner/trivy-reports",
"SCANNER_TRIVY_DEBUG_MODE": "true",
"SCANNER_TRIVY_VULN_TYPE": "os,library",
"SCANNER_TRIVY_SECURITY_CHECKS": "vuln",
"SCANNER_TRIVY_SEVERITY": "CRITICAL",
"SCANNER_TRIVY_IGNORE_UNFIXED": "true",
"SCANNER_TRIVY_INSECURE": "true",
"SCANNER_TRIVY_SKIP_UPDATE": "true",
"SCANNER_TRIVY_OFFLINE_SCAN": "true",
"SCANNER_TRIVY_GITHUB_TOKEN": "<GITHUB_TOKEN>",
"SCANNER_TRIVY_TIMEOUT": "15m30s",

"SCANNER_STORE_REDIS_NAMESPACE": "store.ns",
"SCANNER_STORE_REDIS_SCAN_JOB_TTL": "2h45m15s",
Expand All @@ -180,17 +183,18 @@ func TestGetConfig(t *testing.T) {
IdleTimeout: parseDuration(t, "3m10s"),
},
Trivy: Trivy{
CacheDir: "/home/scanner/trivy-cache",
ReportsDir: "/home/scanner/trivy-reports",
DebugMode: true,
VulnType: "os,library",
Severity: "CRITICAL",
IgnoreUnfixed: true,
SkipUpdate: true,
OfflineScan: true,
Insecure: true,
GitHubToken: "<GITHUB_TOKEN>",
Timeout: parseDuration(t, "15m30s"),
CacheDir: "/home/scanner/trivy-cache",
ReportsDir: "/home/scanner/trivy-reports",
DebugMode: true,
VulnType: "os,library",
SecurityChecks: "vuln",
Severity: "CRITICAL",
IgnoreUnfixed: true,
SkipUpdate: true,
OfflineScan: true,
Insecure: true,
GitHubToken: "<GITHUB_TOKEN>",
Timeout: parseDuration(t, "15m30s"),
},
RedisPool: RedisPool{
URL: "redis://harbor-harbor-redis:6379",
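Review bot: The environment-override case sets `"SCANNER_TRIVY_SECURITY_CHECKS": "vuln"`, which is identical to the field's `envDefault`, so that case passes whether or not the variable is actually read — the other overrides in the same block (`SCANNER_TRIVY_SEVERITY` set to `CRITICAL`, the non-default cache and reports directories) deliberately differ from their defaults for exactly this reason. Use a value that differs from the default, e.g. `"SCANNER_TRIVY_SECURITY_CHECKS": "vuln,secret"`, and expect `SecurityChecks: "vuln,secret",` in the corresponding expected `Trivy{}` literal of the last hunk. The two earlier hunks, which exercise the default, are correct as written with `"vuln"`. TestGetConfig begins before the first hunk and continues past the last.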
17 changes: 9 additions & 8 deletions pkg/http/api/v1/handler.go
Expand Up @@ -219,14 +219,15 @@ func (h *requestHandler) GetMetadata(res http.ResponseWriter, _ *http.Request) {
"org.label-schema.vcs-ref": h.info.Commit,
"org.label-schema.vcs": "https://github.com/aquasecurity/harbor-scanner-trivy",

"env.SCANNER_TRIVY_SKIP_UPDATE": strconv.FormatBool(h.config.Trivy.SkipUpdate),
"env.SCANNER_TRIVY_OFFLINE_SCAN": strconv.FormatBool(h.config.Trivy.OfflineScan),
"env.SCANNER_TRIVY_IGNORE_UNFIXED": strconv.FormatBool(h.config.Trivy.IgnoreUnfixed),
"env.SCANNER_TRIVY_DEBUG_MODE": strconv.FormatBool(h.config.Trivy.DebugMode),
"env.SCANNER_TRIVY_INSECURE": strconv.FormatBool(h.config.Trivy.Insecure),
"env.SCANNER_TRIVY_VULN_TYPE": h.config.Trivy.VulnType,
"env.SCANNER_TRIVY_SEVERITY": h.config.Trivy.Severity,
"env.SCANNER_TRIVY_TIMEOUT": h.config.Trivy.Timeout.String(),
"env.SCANNER_TRIVY_SKIP_UPDATE": strconv.FormatBool(h.config.Trivy.SkipUpdate),
"env.SCANNER_TRIVY_OFFLINE_SCAN": strconv.FormatBool(h.config.Trivy.OfflineScan),
"env.SCANNER_TRIVY_IGNORE_UNFIXED": strconv.FormatBool(h.config.Trivy.IgnoreUnfixed),
"env.SCANNER_TRIVY_DEBUG_MODE": strconv.FormatBool(h.config.Trivy.DebugMode),
"env.SCANNER_TRIVY_INSECURE": strconv.FormatBool(h.config.Trivy.Insecure),
"env.SCANNER_TRIVY_VULN_TYPE": h.config.Trivy.VulnType,
"env.SCANNER_TRIVY_SECURITY_CHECKS": h.config.Trivy.SecurityChecks,
"env.SCANNER_TRIVY_SEVERITY": h.config.Trivy.Severity,
"env.SCANNER_TRIVY_TIMEOUT": h.config.Trivy.Timeout.String(),
}

vi, err := h.wrapper.GetVersion()
42 changes: 24 additions & 18 deletions pkg/http/api/v1/handler_test.go
Expand Up @@ -447,13 +447,14 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
},
},
config: etc.Config{Trivy: etc.Trivy{
SkipUpdate: false,
IgnoreUnfixed: true,
DebugMode: true,
Insecure: true,
VulnType: "os,library",
Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
Timeout: 5 * time.Minute,
SkipUpdate: false,
IgnoreUnfixed: true,
DebugMode: true,
Insecure: true,
VulnType: "os,library",
SecurityChecks: "vuln",
Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
Timeout: 5 * time.Minute,
}},
expectedHTTPCode: http.StatusOK,
expectedResp: `{
Expand Down Expand Up @@ -487,6 +488,7 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
"env.SCANNER_TRIVY_DEBUG_MODE": "true",
"env.SCANNER_TRIVY_INSECURE": "true",
"env.SCANNER_TRIVY_VULN_TYPE": "os,library",
"env.SCANNER_TRIVY_SECURITY_CHECKS": "vuln",
"env.SCANNER_TRIVY_SEVERITY": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
"env.SCANNER_TRIVY_TIMEOUT": "5m0s"
}
Expand All @@ -499,13 +501,14 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
Version: "v0.5.2-17-g3c9af62",
},
config: etc.Config{Trivy: etc.Trivy{
SkipUpdate: false,
IgnoreUnfixed: true,
DebugMode: true,
Insecure: true,
VulnType: "os,library",
Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
Timeout: 5 * time.Minute,
SkipUpdate: false,
IgnoreUnfixed: true,
DebugMode: true,
Insecure: true,
VulnType: "os,library",
SecurityChecks: "vuln",
Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
Timeout: 5 * time.Minute,
}},
expectedHTTPCode: http.StatusOK,
expectedResp: `{
Expand Down Expand Up @@ -537,6 +540,7 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
"env.SCANNER_TRIVY_DEBUG_MODE": "true",
"env.SCANNER_TRIVY_INSECURE": "true",
"env.SCANNER_TRIVY_VULN_TYPE": "os,library",
"env.SCANNER_TRIVY_SECURITY_CHECKS": "vuln",
"env.SCANNER_TRIVY_SEVERITY": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
"env.SCANNER_TRIVY_TIMEOUT": "5m0s"
}
Expand All @@ -548,10 +552,11 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
buildInfo: etc.BuildInfo{Version: "0.1", Commit: "abc", Date: "2019-01-03T13:40"},
config: etc.Config{
Trivy: etc.Trivy{
VulnType: "os,library",
Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
Timeout: 5 * time.Minute,
OfflineScan: true,
VulnType: "os,library",
SecurityChecks: "vuln",
Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
Timeout: 5 * time.Minute,
OfflineScan: true,
},
},
expectedHTTPCode: http.StatusOK,
Expand Down Expand Up @@ -584,6 +589,7 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
"env.SCANNER_TRIVY_DEBUG_MODE": "false",
"env.SCANNER_TRIVY_INSECURE": "false",
"env.SCANNER_TRIVY_VULN_TYPE": "os,library",
"env.SCANNER_TRIVY_SECURITY_CHECKS": "vuln",
"env.SCANNER_TRIVY_SEVERITY": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
"env.SCANNER_TRIVY_TIMEOUT": "5m0s"
}
1 change: 1 addition & 0 deletions pkg/trivy/wrapper.go
Expand Up @@ -122,6 +122,7 @@ func (w *wrapper) prepareScanCmd(imageRef ImageRef, outputFile string) (*exec.Cm
"--no-progress",
"--severity", w.config.Severity,
"--vuln-type", w.config.VulnType,
"--security-checks", w.config.SecurityChecks,
"--format", "json",
"--output", outputFile,
imageRef.Name,
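Review bot: `"--security-checks", w.config.SecurityChecks` is appended unconditionally, so an `etc.Trivy` value constructed directly rather than through the env loader (as several tests in this commit do) with an empty `SecurityChecks` yields `--security-checks ""` on the trivy command line; whether trivy rejects that or silently scans for nothing is not visible here and worth confirming. Guarding the pair with `if w.config.SecurityChecks != ""` before appending it, or falling back to `"vuln"` inside the wrapper, keeps direct construction safe; the neighbouring `--vuln-type` argument has the same exposure, so one guard could cover both. If `config` or `secret` is enabled, the JSON report presumably gains sections beyond vulnerabilities that the adapter's report parsing may not map into Harbor's model — confirm before advertising those values in the README. prepareScanCmd starts outside the hunk and the argument list it builds is only partly visible. Later Trivy releases renamed this flag to `--scanners`, so the supported Trivy version range is worth documenting alongside the new variable.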
25 changes: 14 additions & 11 deletions pkg/trivy/wrapper_test.go
Expand Up @@ -90,17 +90,18 @@ func TestWrapper_Scan(t *testing.T) {
ambassador.On("LookPath", "trivy").Return("/usr/local/bin/trivy", nil)

config := etc.Trivy{
CacheDir: "/home/scanner/.cache/trivy",
ReportsDir: "/home/scanner/.cache/reports",
DebugMode: true,
VulnType: "os,library",
Severity: "CRITICAL,MEDIUM",
IgnoreUnfixed: true,
IgnorePolicy: "/home/scanner/opa/policy.rego",
SkipUpdate: true,
GitHubToken: "<github_token>",
Insecure: true,
Timeout: 5 * time.Minute,
CacheDir: "/home/scanner/.cache/trivy",
ReportsDir: "/home/scanner/.cache/reports",
DebugMode: true,
VulnType: "os,library",
SecurityChecks: "vuln",
Severity: "CRITICAL,MEDIUM",
IgnoreUnfixed: true,
IgnorePolicy: "/home/scanner/opa/policy.rego",
SkipUpdate: true,
GitHubToken: "<github_token>",
Insecure: true,
Timeout: 5 * time.Minute,
}

imageRef := ImageRef{
Expand All @@ -124,6 +125,8 @@ func TestWrapper_Scan(t *testing.T) {
"CRITICAL,MEDIUM",
"--vuln-type",
"os,library",
"--security-checks",
"vuln",
"--format",
"json",
"--output",
16 changes: 9 additions & 7 deletions test/integration/api/rest_api_test.go
Expand Up @@ -41,13 +41,14 @@ func TestRestApi(t *testing.T) {
},
etc.Config{
Trivy: etc.Trivy{
SkipUpdate: false,
IgnoreUnfixed: true,
DebugMode: true,
Insecure: true,
VulnType: "os,library",
Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
Timeout: 5 * time.Minute,
SkipUpdate: false,
IgnoreUnfixed: true,
DebugMode: true,
Insecure: true,
VulnType: "os,library",
Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
SecurityChecks: "vuln",
Timeout: 5 * time.Minute,
},
}, enqueuer, store, wrapper)

Expand Down Expand Up @@ -218,6 +219,7 @@ func TestRestApi(t *testing.T) {
"env.SCANNER_TRIVY_INSECURE": "true",
"env.SCANNER_TRIVY_VULN_TYPE": "os,library",
"env.SCANNER_TRIVY_SEVERITY": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
"env.SCANNER_TRIVY_SECURITY_CHECKS": "vuln",
"env.SCANNER_TRIVY_TIMEOUT": "5m0s"
}
}`, string(bodyBytes))
