scan_vulnerabilityreports.go

package cmd

import (
	"context"
	"fmt"

	"github.com/kubernetes-sigs/wg-policy-prototypes/policy-report/trivy-adapter/pkg/imgvuln"
	"github.com/kubernetes-sigs/wg-policy-prototypes/policy-report/trivy-adapter/pkg/params"
	"github.com/kubernetes-sigs/wg-policy-prototypes/policy-report/trivy-adapter/pkg/plugin"
	"github.com/kubernetes-sigs/wg-policy-prototypes/policy-report/trivy-adapter/pkg/vulnerabilityreport"
	"github.com/spf13/cobra"
	"k8s.io/cli-runtime/pkg/genericclioptions"
	"k8s.io/client-go/kubernetes"
	"sigs.k8s.io/controller-runtime/pkg/client"
)

const (
	vulnerabilitiesCmdShort = "Run static vulnerability scanner for each container image of a given workload"
	vulnerabilitiesCmdLong  = `Scan a given workload for vulnerabilities using Trivy scanner
TYPE is a Kubernetes workload. Shortcuts and API groups will be resolved, e.g. 'po' or 'deployments.apps'.
NAME is the name of a particular Kubernetes workload.
`
)

func NewScanPolicyReportsCmd(buildInfo imgvuln.BuildInfo, cf *genericclioptions.ConfigFlags) *cobra.Command {
	cmd := &cobra.Command{
		Aliases: []string{"prvulns", "prvuln"},
		Use:     "policyreports (NAME | TYPE/NAME)",
		Short:   vulnerabilitiesCmdShort,
		Long:    vulnerabilitiesCmdLong,
		Example: fmt.Sprintf(`  # Scan a pod with the specified name
  %[1]s scan policyreports nginx
  # Scan a pod with the specified name in the specified namespace
  %[1]s scan policyreports po/nginx -n staging`, buildInfo.Executable),
		RunE: ScanPolicyReports(buildInfo, cf),
	}

	registerScannerOpts(cmd)

	return cmd
}

func ScanPolicyReports(buildInfo imgvuln.BuildInfo, cf *genericclioptions.ConfigFlags) func(cmd *cobra.Command, args []string) error {
	return func(cmd *cobra.Command, args []string) error {
		ctx := context.Background()
		ns, _, err := cf.ToRawKubeConfigLoader().Namespace()
		if err != nil {
			return err
		}
		mapper, err := cf.ToRESTMapper()
		if err != nil {
			return err
		}
		workload, _, err := WorkloadFromArgs(mapper, ns, args)
		if err != nil {
			return err
		}
		kubeConfig, err := cf.ToRESTConfig()
		if err != nil {
			return err
		}
		kubeClientset, err := kubernetes.NewForConfig(kubeConfig)
		if err != nil {
			return err
		}
		scheme := imgvuln.NewScheme()
		kubeClient, err := client.New(kubeConfig, client.Options{Scheme: scheme})
		if err != nil {
			return err
		}
		config, err := imgvuln.NewConfigManager(kubeClientset, imgvuln.NamespaceName).Read(ctx)
		if err != nil {
			return err
		}
		opts, err := getScannerOpts(cmd)
		if err != nil {
			return err
		}
		plugin, pluginContext, err := plugin.NewResolver().
			WithBuildInfo(buildInfo).
			WithNamespace(imgvuln.NamespaceName).
			WithServiceAccountName(imgvuln.ServiceAccountName).
			WithConfig(config).
			WithClient(kubeClient).
			GetVulnerabilityPlugin()
		if err != nil {
			return err
		}
		scanner := vulnerabilityreport.NewScanner(kubeClientset, kubeClient, plugin, pluginContext, config, opts)
		reports, err := scanner.ScanPolicy(ctx, workload)
		if err != nil {
			return err
		}
		return Write(reports, params.Params.Kubeconfig)
	}
}