

Use fsargs for helm scans, add debug, deprecate security checks and a…
…dd scanners (#105)

* use fsargs for helm scans instead of running a config check - remove the call to `trivy config` when the helm overrides are passed
* add optional debug output for trivy plugin
* add support for "scanners" and notice about deprecated "security checks" option
* remove the deprecated `config` scanner and replace with misconfig
fishnix committed Feb 20, 2024
1 parent ff9a9a0 commit c09118e
Showing 4 changed files with 58 additions and 39 deletions.
17 changes: 12 additions & 5 deletions README.md
Expand Up @@ -25,7 +25,7 @@ step with the default plugin configuration parameters:
steps:
- command: ls
plugins:
- equinixmetal-buildkite/trivy#v1.18.3:
- equinixmetal-buildkite/trivy#v1.18.4:
```

## Additional examples
Expand All @@ -36,7 +36,7 @@ Specify the `--exit-code` option as a plugin parameter in `pipeline.yml` to fail
steps:
- command: ls
plugins:
- equinixmetal-buildkite/trivy#v1.18.3:
- equinixmetal-buildkite/trivy#v1.18.4:
exit-code: 1
```

Expand All @@ -46,7 +46,7 @@ Specify the `--severity` option as a plugin parameter in `pipeline.yml` to scan
steps:
- command: ls
plugins:
- equinixmetal-buildkite/trivy#v1.18.3:
- equinixmetal-buildkite/trivy#v1.18.4:
severity: "CRITICAL"
```

Expand All @@ -69,9 +69,13 @@ Controls the severity of the vulnerabilities to be scanned. (Defaults to "UNKNOW

Controls whether to display only fixed vulnerabilities. (Defaults to false)

### `security-checks` (Optional, string)
### `security-checks` (Optional, string) (DEPRECATED)

Controls the security checks to be performed. (Defaults to "vuln,config")
Controls the security checks to be performed. This option is deprecated and may be removed in the future. Use `scanners` instead. (Defaults to "vuln,misconfig")

### `scanners` (Optional, string)

Controls the security scanners to be used. This replaced security-checks (Defaults to "vuln,misconfig")

### `skip-files` (Optional, string)

Expand All @@ -95,6 +99,9 @@ Controls the version of trivy to be used.

To pass helm override values to trivy config scan

### `debug` (Optional, boolean)

Enable debug flag for trivy.

## Developing

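--- a/hooks/post-command
+++ b/hooks/post-command
@@ -72,6 +72,11 @@ final_exit_code="${BUILDKITE_PLUGIN_TRIVY_EXIT_CODE:-1}"
 args+=("--exit-code" "$final_exit_code")
 echo "using exit-code=$final_exit_code option while scanning"
 
+if [[ "${BUILDKITE_PLUGIN_TRIVY_DEBUG:-false}" == true ]] ; then
+args+=("--debug")
+echo "enabling debug output for trivy"
+fi
+
 if [[ -n "${BUILDKITE_PLUGIN_TRIVY_TIMEOUT:-}" ]] ; then
 args+=("--timeout" "${BUILDKITE_PLUGIN_TRIVY_TIMEOUT}")
 echo "using non-default timeout: '${BUILDKITE_PLUGIN_TRIVY_TIMEOUT}'"
@@ -93,21 +98,24 @@ if [[ -n "${BUILDKITE_PLUGIN_TRIVY_SKIP_DIRS:-}" ]] ; then
 fi
 
 if [[ -n "${BUILDKITE_PLUGIN_TRIVY_HELM_OVERRIDES_FILE:-}" ]]; then
+fsargs+=("--helm-values" "${BUILDKITE_PLUGIN_TRIVY_HELM_OVERRIDES_FILE}")
 echo "scanning with helm overrides"
-trivy conf --helm-values "${BUILDKITE_PLUGIN_TRIVY_HELM_OVERRIDES_FILE}" "${args[@]}" "${fsargs[@]}" .
 fi
 
 if [[ "${BUILDKITE_PLUGIN_TRIVY_IGNORE_UNFIXED:-false}" == true ]] ; then
 args+=("--ignore-unfixed")
 echo "ignore-unfixed is set. Will ignore unfixed vulnerabilities"
 fi
 
-if [[ -n "${BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS:-}" ]] ; then
-fsargs+=("--security-checks" "${BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS}")
-echo "using $BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS security checks"
+if [[ -n "${BUILDKITE_PLUGIN_TRIVY_SCANNERS:-}" ]] ; then
+fsargs+=("--scanners" "${BUILDKITE_PLUGIN_TRIVY_SCANNERS}")
+echo "using $BUILDKITE_PLUGIN_TRIVY_SCANNERS scanners"
+elif [[ -n "${BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS:-}" ]] ; then
+fsargs+=("--scanners" "${BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS}")
+echo "using $BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS security checks - DEPRECATED, use scanners instead!"
 else
-echo "using default security checks"
-fsargs+=("--security-checks" "vuln,config")
+echo "using default scanners"
+fsargs+=("--scanners" "vuln,misconfig")
 fi
 
 echo "+++ scanning filesystem"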
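Review bot: The `elif [[ -n "${BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS:-}" ]]` branch forwards the legacy value to `--scanners` verbatim, so a pipeline still configured with the previous default `security-checks: "vuln,config"` now invokes trivy with `--scanners vuln,config`; the commit itself describes `config` as removed in favour of `misconfig`, so unless the pinned trivy still accepts `config` as an alias the scan either fails or silently loses the misconfiguration checks. A small compatibility shim keeps the deprecation non-breaking: `compat=${BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS//misconfig/config}` followed by `fsargs+=("--scanners" "${compat//config/misconfig}")` (the first substitution exists only so that the second does not turn an already-correct `misconfig` into `mismisconfig`). The deprecation notice is printed with `echo` to stdout alongside the scan output; sending it with `>&2` would keep it from being buried in the trivy log. The script continues before and after both hunks.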
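--- a/plugin.yml
+++ b/plugin.yml
@@ -18,6 +18,8 @@ configuration:
 type: boolean
 trivy-version:
 type: string
+scanners:
+type: string
 security-checks:
 type: string
 image-ref:
@@ -28,4 +30,6 @@ configuration:
 type: string
 helm-overrides-file:
 type: string
+debug:
+type: boolean
 additionalProperties: false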
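--- a/tests/post-command.bats
+++ b/tests/post-command.bats
@@ -11,7 +11,7 @@ default_exit_code="--exit-code 1"
 
 @test "fs scan of a test app" {
 # TODO(jaosorior): Change the exit code if we change the default
-stub trivy "fs $default_exit_code --security-checks vuln,config . : echo fs scan success"
+stub trivy "fs $default_exit_code --scanners vuln,misconfig . : echo fs scan success"
 stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo fs scan success" \
 "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
@@ -29,7 +29,7 @@ default_exit_code="--exit-code 1"
 @test "fs scan of a test app with exit-code=1" {
 export BUILDKITE_PLUGIN_TRIVY_EXIT_CODE=1
 
-stub trivy "fs --exit-code 1 --security-checks vuln,config . : echo fs scan success"
+stub trivy "fs --exit-code 1 --scanners vuln,misconfig . : echo fs scan success"
 stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo fs scan success" \
 "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
@@ -47,7 +47,7 @@ default_exit_code="--exit-code 1"
 @test "fs scan of a test app with exit-code=0" {
 export BUILDKITE_PLUGIN_TRIVY_EXIT_CODE=0
 
-stub trivy "fs --exit-code 0 --security-checks vuln,config . : echo fs scan success"
+stub trivy "fs --exit-code 0 --scanners vuln,misconfig . : echo fs scan success"
 stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo fs scan success" \
 "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
@@ -65,7 +65,7 @@ default_exit_code="--exit-code 1"
 @test "fs scan of a test app with exit-code=1 with actual failure" {
 export BUILDKITE_PLUGIN_TRIVY_EXIT_CODE=1
 
-stub trivy "fs --exit-code 1 --security-checks vuln,config . : exit 1"
+stub trivy "fs --exit-code 1 --scanners vuln,misconfig . : exit 1"
 stub buildkite-agent "annotate --style error \"trivy found vulnerabilities in repository. See the job output for details.<br />\" --context trivy-fs-scan : echo fs scan failure" \
 "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
@@ -83,7 +83,7 @@ default_exit_code="--exit-code 1"
 @test "fs scan of test app with ignore-unfixed flag set" {
 export BUILDKITE_PLUGIN_TRIVY_IGNORE_UNFIXED=true
 
-stub trivy "fs $default_exit_code --ignore-unfixed --security-checks vuln,config . : echo fs scan success with --ignore-unfixed"
+stub trivy "fs $default_exit_code --ignore-unfixed --scanners vuln,misconfig . : echo fs scan success with --ignore-unfixed"
 stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo output success" \
 "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
@@ -103,7 +103,7 @@ default_exit_code="--exit-code 1"
 export BUILDKITE_PLUGIN_TRIVY_TIMEOUT="6h6m6s"
 export BUILDKITE_PLUGIN_TRIVY_EXIT_CODE=1
 
-stub trivy "fs --exit-code 1 --timeout $BUILDKITE_PLUGIN_TRIVY_TIMEOUT --security-checks vuln,config . : echo fs scan success"
+stub trivy "fs --exit-code 1 --timeout $BUILDKITE_PLUGIN_TRIVY_TIMEOUT --scanners vuln,misconfig . : echo fs scan success"
 stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo fs scan success" \
 "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
@@ -121,7 +121,7 @@ default_exit_code="--exit-code 1"
 export BUILDKITE_PLUGIN_TRIVY_SEVERITY="CRITICAL"
 export BUILDKITE_PLUGIN_TRIVY_EXIT_CODE=1
 
-stub trivy "fs --exit-code 1 --severity $BUILDKITE_PLUGIN_TRIVY_SEVERITY --security-checks vuln,config . : echo fs scan success"
+stub trivy "fs --exit-code 1 --severity $BUILDKITE_PLUGIN_TRIVY_SEVERITY --scanners vuln,misconfig . : echo fs scan success"
 stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo fs scan success" \
 "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
@@ -139,7 +139,7 @@ default_exit_code="--exit-code 1"
 export BUILDKITE_PLUGIN_TRIVY_SEVERITY="CRITICAL,HIGH"
 export BUILDKITE_PLUGIN_TRIVY_EXIT_CODE=1
 
-stub trivy "fs --exit-code 1 --severity $BUILDKITE_PLUGIN_TRIVY_SEVERITY --security-checks vuln,config . : echo fs scan success"
+stub trivy "fs --exit-code 1 --severity $BUILDKITE_PLUGIN_TRIVY_SEVERITY --scanners vuln,misconfig . : echo fs scan success"
 stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo fs scan success" \
 "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
@@ -157,7 +157,7 @@ default_exit_code="--exit-code 1"
 export BUILDKITE_PLUGIN_TRIVY_SEVERITY="CRITICAL,HIGH,MEDIUM"
 export BUILDKITE_PLUGIN_TRIVY_EXIT_CODE=1
 
-stub trivy "fs --exit-code 1 --severity $BUILDKITE_PLUGIN_TRIVY_SEVERITY --security-checks vuln,config . : echo fs scan success"
+stub trivy "fs --exit-code 1 --severity $BUILDKITE_PLUGIN_TRIVY_SEVERITY --scanners vuln,misconfig . : echo fs scan success"
 stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo fs scan success" \
 "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
@@ -171,57 +171,57 @@ default_exit_code="--exit-code 1"
 unstub buildkite-agent
 }
 
-@test "fs scan of a test app with only vulnerbility security check" {
-export BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS="vuln"
-stub trivy "fs $default_exit_code --security-checks $BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS . : echo fs scan success"
+@test "fs scan of a test app with only vulnerbility scanner" {
+export BUILDKITE_PLUGIN_TRIVY_SCANNERS="vuln"
+stub trivy "fs $default_exit_code --scanners $BUILDKITE_PLUGIN_TRIVY_SCANNERS . : echo fs scan success"
 stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo fs scan success" \
 "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
 run "$PWD/hooks/post-command"
 
 assert_success
 assert_output --partial "scanning filesystem"
-assert_output --partial "using $BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS security checks"
+assert_output --partial "using $BUILDKITE_PLUGIN_TRIVY_SCANNERS scanners"
 
 unstub trivy
 unstub buildkite-agent
 }
 
-@test "fs scan of a test app with vulnerbility and configuration security check" {
-export BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS="vuln,config"
-stub trivy "fs $default_exit_code --security-checks $BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS . : echo fs scan success"
+@test "fs scan of a test app with vulnerbility and configuration scanners" {
+export BUILDKITE_PLUGIN_TRIVY_SCANNERS="vuln,misconfig"
+stub trivy "fs $default_exit_code --scanners $BUILDKITE_PLUGIN_TRIVY_SCANNERS . : echo fs scan success"
 stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo fs scan success" \
 "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
 run "$PWD/hooks/post-command"
 
 assert_success
 assert_output --partial "scanning filesystem"
-assert_output --partial "using $BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS security checks"
+assert_output --partial "using $BUILDKITE_PLUGIN_TRIVY_SCANNERS scanners"
 
 unstub trivy
 unstub buildkite-agent
 }
 
-@test "fs scan of a test app with vulnerbility,secret and configuration security check" {
-export BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS="vuln,secret,config"
-stub trivy "fs $default_exit_code --security-checks $BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS . : echo fs scan success"
+@test "fs scan of a test app with vulnerbility,secret and configuration scanners" {
+export BUILDKITE_PLUGIN_TRIVY_SCANNERS="vuln,secret,misconfig"
+stub trivy "fs $default_exit_code --scanners $BUILDKITE_PLUGIN_TRIVY_SCANNERS . : echo fs scan success"
 stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo fs scan success" \
 "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
 run "$PWD/hooks/post-command"
 
 assert_success
 assert_output --partial "scanning filesystem"
-assert_output --partial "using $BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS security checks"
+assert_output --partial "using $BUILDKITE_PLUGIN_TRIVY_SCANNERS scanners"
 
 unstub trivy
 unstub buildkite-agent
 }
 
 @test "fs scan of a test app skipping a file" {
 export BUILDKITE_PLUGIN_TRIVY_SKIP_FILES="test.txt"
-stub trivy "fs $default_exit_code --skip-files $BUILDKITE_PLUGIN_TRIVY_SKIP_FILES --security-checks vuln,config . : echo fs scan success"
+stub trivy "fs $default_exit_code --skip-files $BUILDKITE_PLUGIN_TRIVY_SKIP_FILES --scanners vuln,misconfig . : echo fs scan success"
 stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo fs scan success" \
 "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
@@ -234,7 +234,7 @@ default_exit_code="--exit-code 1"
 
 @test "fs scan of a test app skipping a dir" {
 export BUILDKITE_PLUGIN_TRIVY_SKIP_DIRS="test"
-stub trivy "fs $default_exit_code --skip-dirs $BUILDKITE_PLUGIN_TRIVY_SKIP_DIRS --security-checks vuln,config . : echo fs scan success"
+stub trivy "fs $default_exit_code --skip-dirs $BUILDKITE_PLUGIN_TRIVY_SKIP_DIRS --scanners vuln,misconfig . : echo fs scan success"
 stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo fs scan success" \
 "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
@@ -249,7 +249,7 @@ default_exit_code="--exit-code 1"
 export BUILDKITE_PLUGIN_TRIVY_IMAGE_REF="nginx:latest"
 
 stub trivy \
-"fs $default_exit_code --security-checks vuln,config . : echo fs scan success" \
+"fs $default_exit_code --scanners vuln,misconfig . : echo fs scan success" \
 "image $default_exit_code $BUILDKITE_PLUGIN_TRIVY_IMAGE_REF : echo container image scan success"
 stub docker \
 "images -q $BUILDKITE_PLUGIN_TRIVY_IMAGE_REF : echo ''" \
@@ -273,7 +273,7 @@ default_exit_code="--exit-code 1"
 export BUILDKITE_PLUGIN_TRIVY_IMAGE_REF="nginx:latest"
 
 stub trivy \
-"fs $default_exit_code --security-checks vuln,config . : echo fs scan success" \
+"fs $default_exit_code --scanners vuln,misconfig . : echo fs scan success" \
 "image $default_exit_code $BUILDKITE_PLUGIN_TRIVY_IMAGE_REF : echo container image scan success"
 stub docker \
 "images -q $BUILDKITE_PLUGIN_TRIVY_IMAGE_REF : echo 'Found image!'"
@@ -296,7 +296,7 @@ default_exit_code="--exit-code 1"
 export BUILDKITE_PLUGIN_TRIVY_IMAGE_REF="nginx:latest"
 
 stub trivy \
-"fs $default_exit_code --security-checks vuln,config . : echo fs scan success" \
+"fs $default_exit_code --scanners vuln,misconfig . : echo fs scan success" \
 "image $default_exit_code $BUILDKITE_PLUGIN_TRIVY_IMAGE_REF : exit 1"
 stub docker \
 "images -q $BUILDKITE_PLUGIN_TRIVY_IMAGE_REF : echo ''" \
@@ -324,7 +324,7 @@ default_exit_code="--exit-code 1"
 echo "$_TAGS_0" >> "$DOCKER_METADATA_DIR/tags"
 
 stub trivy \
-"fs $default_exit_code --security-checks vuln,config . : echo fs scan success" \
+"fs $default_exit_code --scanners vuln,misconfig . : echo fs scan success" \
 "image $default_exit_code $_TAGS_0 : echo container image scan success"
 stub docker \
 "images -q $_TAGS_0 : echo 'Found image!'"
@@ -350,7 +350,7 @@ default_exit_code="--exit-code 1"
 echo "$_TAGS_0" >> "$DOCKER_METADATA_DIR/tags"
 
 stub trivy \
-"fs $default_exit_code --security-checks vuln,config . : echo fs scan success" \
+"fs $default_exit_code --scanners vuln,misconfig . : echo fs scan success" \
 "image $default_exit_code $_TAGS_0 : echo container image scan success"
 stub docker \
 "images -q $_TAGS_0 : echo ''" \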
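Review bot: None of the rewritten cases exercises the deprecated `security-checks` path any more: every former `BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS` test in the `@@ -171,57 +171,57 @@` hunk was converted to `BUILDKITE_PLUGIN_TRIVY_SCANNERS`, so the `elif` fallback in hooks/post-command and its "DEPRECATED, use scanners instead!" notice run with no coverage, and nothing pins that `scanners` takes precedence when both options are set. A case mirroring the "only vulnerbility scanner" test but setting the legacy variable would close the gap; a constructed version following the stub layout of the surrounding tests is sketched below. The misspelling "vulnerbility" in the three renamed test names is carried over from the old names and could be corrected to "vulnerability" while they are being touched.
```bash
@test "fs scan of a test app with deprecated security-checks option" {
  export BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS="vuln"
  stub trivy "fs $default_exit_code --scanners $BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS . : echo fs scan success"
  # … buildkite-agent stub: the same two annotate lines as the neighbouring tests …

  run "$PWD/hooks/post-command"

  assert_success
  assert_output --partial "scanning filesystem"
  assert_output --partial "using $BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS security checks - DEPRECATED, use scanners instead!"

  unstub trivy
  unstub buildkite-agent
}
```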
