Showing 1 changed file with 141 additions and 1 deletion.
@@ -1 +1,141 @@ | ||
# chart-scanner | ||
# chart-scanner | ||
|
||
## Background | ||
|
||
This tool will attempt to detect any charts that may have been uploaded via [this vulnerability](https://need-a-link) in [ChartMuseum](https://github.com/helm/chartmuseum). | ||
|
||
## Usage | ||
|
||
Command-line options are identical to the ones in ChartMuseum 0.8.0 (the package is imported and re-used). | ||
|
||
### Using with Amazon S3 | ||
|
||
Make sure your environment is properly setup to access `my-s3-bucket` | ||
|
||
```bash | ||
chart-scanner \ | ||
--storage="amazon" \ | ||
--storage-amazon-bucket="my-s3-bucket" \ | ||
--storage-amazon-prefix="" \ | ||
--storage-amazon-region="us-east-1" | ||
``` | ||
|
||
You need at least the following permissions inside your IAM Policy | ||
```yaml | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Sid": "AllowListObjects", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"s3:ListBucket" | ||
], | ||
"Resource": "arn:aws:s3:::my-s3-bucket" | ||
}, | ||
{ | ||
"Sid": "AllowObjectsCRUD", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"s3:GetObject" | ||
], | ||
"Resource": "arn:aws:s3:::my-s3-bucket/*" | ||
} | ||
] | ||
} | ||
``` | ||
|
||
### Using with Google Cloud Storage | ||
Make sure your environment is properly setup to access `my-gcs-bucket`. | ||
|
||
One way to do so is to set the `GOOGLE_APPLICATION_CREDENTIALS` var in your environment, pointing to the JSON file containing your service account key: | ||
``` | ||
export GOOGLE_APPLICATION_CREDENTIALS="/home/user/Downloads/[FILE_NAME].json" | ||
``` | ||
|
||
More info on Google Cloud authentication can be found [here](https://cloud.google.com/docs/authentication/getting-started). | ||
|
||
```bash | ||
chart-scanner \ | ||
--storage="google" \ | ||
--storage-google-bucket="my-gcs-bucket" \ | ||
--storage-google-prefix="" | ||
``` | ||
|
||
### Using with Microsoft Azure Blob Storage | ||
|
||
Make sure your environment is properly setup to access `mycontainer`. | ||
|
||
To do so, you must set the following env vars: | ||
- `AZURE_STORAGE_ACCOUNT` | ||
- `AZURE_STORAGE_ACCESS_KEY` | ||
|
||
```bash | ||
chart-scanner \ | ||
--storage="microsoft" \ | ||
--storage-microsoft-container="mycontainer" \ | ||
--storage-microsoft-prefix="" | ||
``` | ||
|
||
### Using with Alibaba Cloud OSS Storage | ||
|
||
Make sure your environment is properly setup to access `my-oss-bucket`. | ||
|
||
To do so, you must set the following env vars: | ||
- `ALIBABA_CLOUD_ACCESS_KEY_ID` | ||
- `ALIBABA_CLOUD_ACCESS_KEY_SECRET` | ||
|
||
```bash | ||
chart-scanner \ | ||
--storage="alibaba" \ | ||
--storage-alibaba-bucket="my-oss-bucket" \ | ||
--storage-alibaba-prefix="" \ | ||
--storage-alibaba-endpoint="oss-cn-beijing.aliyuncs.com" | ||
``` | ||
|
||
### Using with Openstack Object Storage | ||
|
||
Make sure your environment is properly setup to access `mycontainer`. | ||
|
||
To do so, you must set the following env vars (depending on your openstack version): | ||
- `OS_AUTH_URL` | ||
- either `OS_PROJECT_NAME` or `OS_TENANT_NAME` or `OS_PROJECT_ID` or `OS_TENANT_ID` | ||
- either `OS_DOMAIN_NAME` or `OS_DOMAIN_ID` | ||
- either `OS_USERNAME` or `OS_USERID` | ||
- `OS_PASSWORD` | ||
|
||
```bash | ||
chart-scanner \ | ||
--storage="openstack" \ | ||
--storage-openstack-container="mycontainer" \ | ||
--storage-openstack-prefix="" \ | ||
--storage-openstack-region="myregion" | ||
``` | ||
|
||
### Using with Oracle Cloud Infrastructure Object Storage | ||
|
||
Make sure your environment is properly setup to access `my-ocs-bucket`. | ||
|
||
More info on Oracle Cloud Infrastructure authentication can be found [here](https://docs.cloud.oracle.com/iaas/Content/API/Concepts/apisigningkey.htm). | ||
|
||
```bash | ||
chart-scanner \ | ||
--storage="oracle" \ | ||
--storage-oracle-bucket="my-ocs-bucket" \ | ||
--storage-oracle-prefix="" \ | ||
--storage-oracle-compartmentid="ocid1.compartment.oc1..1234" | ||
``` | ||
|
||
### Using with local filesystem storage | ||
Make sure you have read access to `./chartstorage`. | ||
|
||
```bash | ||
chart-scanner \ | ||
--storage="local" \ | ||
--storage-local-rootdir="./chartstorage" | ||
``` | ||
|
||
### Note on environment variables | ||
All command-line options can be specified as environment variables, which are defined by the command-line option, capitalized, with all -'s replaced with _'s. | ||
|
||
For example, the env var STORAGE_AMAZON_BUCKET can be used in place of --storage-amazon-bucket. |
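Review bot: the Background paragraph links the vulnerability to the placeholder `https://need-a-link`; this needs the real advisory URL (or CVE identifier) before merge, since the README gives readers no other way to learn what the scanner actually detects. Two smaller points in the same hunk: the IAM policy under "Using with Amazon S3" is JSON but fenced as ```yaml, so tag it ```json; and its second statement is named `AllowObjectsCRUD` while it grants only `s3:GetObject`, which is the correct read-only scope for a scanner but a misleading Sid, so rename it to something like `AllowObjectsRead`. The `export GOOGLE_APPLICATION_CREDENTIALS="..."` fence also lacks a language tag while every other shell snippet uses ```bash. Finally, the Usage section never states what the tool reports when it finds a suspicious chart or what exit code it returns; a sentence on the output format would let operators wire it into a pipeline or alerting job.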