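periodics:
# Periodic CI job for running snyk scans against k/k master.
# - It installs the snyk CLI and requires the 'snyk-token' secret to be
#   available in test-infra with key name 'SNYK_TOKEN'. That secret populates
#   the env var 'SNYK_TOKEN', required for snyk CLI auth.
# - Licenses and a few false-positive deps (eg version '0.0.0') are filtered
#   from the snyk scan results.
# - Security note: this job runs on the trusted build cluster with a live
#   SNYK_TOKEN in its environment and downloads + executes a third-party
#   binary at run time (see the wget below). Anything that can tamper with
#   that download can read the token.
- name: ci-kubernetes-snyk-master
  interval: 6h
  cluster: k8s-infra-prow-build-trusted
  decorate: true
  extra_refs:
  - org: kubernetes
    repo: kubernetes
    base_ref: master
    path_alias: k8s.io/kubernetes
  spec:
    containers:
    # NOTE(review): 'golang' with no tag resolves to a mutable 'latest' image;
    # pin a specific tag (ideally a digest) so the toolchain the scan runs on
    # is reproducible and does not change under the job.
    - image: golang
      envFrom:
      - secretRef:
          # secret key should be defined as SNYK_TOKEN
          name: snyk-token
      command:
      - /bin/bash
      args:
      - -c
      - |
        set -euo pipefail
        # Fail early, before installing anything, if the secret is missing.
        # ${SNYK_TOKEN:-} keeps 'set -u' from aborting with an unbound-variable
        # error before the friendly message below is printed.
        if [ -z "${SNYK_TOKEN:-}" ]; then
          echo "SNYK_TOKEN env var is not set, required for snyk scan"
          exit 1
        fi
        apt-get update && apt-get install -y --no-install-recommends jq
        # NOTE(review): this fetches the *latest* snyk CLI over HTTPS with no
        # version pin and no checksum/signature verification, then executes it
        # with SNYK_TOKEN in the environment. Pin a CLI release and verify its
        # published checksum before trusting this binary with the token.
        wget -q -O /usr/local/bin/snyk https://static.snyk.io/cli/latest/snyk-linux && chmod +x /usr/local/bin/snyk
        # NOTE(review): ARTIFACTS is created but nothing is written to it; if
        # raw findings are ever saved here, remember Prow artifacts may be
        # publicly readable.
        mkdir -p "${ARTIFACTS}"

        echo "Running snyk scan .."
        # snyk exit codes: 0 = no vulns, 1 = vulns found, >1 = the scan itself
        # failed (error, no supported manifests, ...). Only the last is fatal.
        EXIT_CODE=0
        RESULT_UNFILTERED=$(snyk test -d --json) || EXIT_CODE=$?
        if [ "$EXIT_CODE" -gt 1 ]; then
          echo "Failed to run snyk scan with exit code $EXIT_CODE"
          exit 1
        fi
        # Drop license findings and the '0.0.0' placeholder-version false
        # positives. RESULT is empty when nothing is left after filtering.
        RESULT=$(jq '{vulnerabilities: .vulnerabilities | map(select((.type != "license") and (.version != "0.0.0"))) | select(length > 0) }' <<< "$RESULT_UNFILTERED")
        if [[ ${RESULT} ]]; then
          # One CVE id per line, de-duplicated across all findings: jq 'unique'
          # dedups within a finding, 'sort -u' across findings. A finding
          # without a CVE list contributes nothing instead of aborting jq.
          mapfile -t CVE_IDs_array < <(jq -r '.vulnerabilities[].identifiers.CVE // [] | unique[]' <<< "$RESULT" | sort -u)
          for i in "${CVE_IDs_array[@]}"; do
            [[ "$i" == *CVE* ]] || continue
            # Look for a kubernetes/kubernetes issue mentioning this CVE. None
            # means the CVE has not been triaged yet: fail so SIG Security
            # triages it and files a tracking issue, after which the next run
            # passes again.
            # Caveat: this only checks that *some* issue (open or closed,
            # related or not) mentions the id, so it is a triage reminder, not
            # proof that the CVE is handled.
            # NOTE(review): the search API is rate-limited for unauthenticated
            # callers; a long CVE list may trip it, which is reported below as
            # an API failure rather than as "0 issues".
            SEARCH_RESPONSE=$(curl -sS -G \
              -H "Accept: application/vnd.github.v3+json" \
              --data-urlencode "q=repo:kubernetes/kubernetes \"${i}\"" \
              "https://api.github.com/search/issues")
            TOTAL_COUNT=$(jq '.total_count' <<< "$SEARCH_RESPONSE" 2>/dev/null || true)
            # A non-numeric count (error body, rate limit, non-JSON) must not
            # be mistaken for "0 issues".
            if ! [[ "$TOTAL_COUNT" =~ ^[0-9]+$ ]]; then
              echo "GitHub issue search for $i failed: $SEARCH_RESPONSE"
              exit 1
            fi
            if [ "$TOTAL_COUNT" -eq 0 ]; then
              echo "Untriaged CVE: no kubernetes/kubernetes issue references $i"
              exit 1
            fi
          done
        fi
        echo "Build time dependency scan completed"

        # container images scan
        echo "Fetch the list of k8s images"
        # Derive the image list from the SBOM of the latest release. 'curl -f'
        # turns an HTTP error into a pipeline failure instead of feeding an
        # error page to grep.
        curl -fLs "https://sbom.k8s.io/$(curl -fLs https://dl.k8s.io/release/latest.txt)/release" | grep "SPDXID: SPDXRef-Package-registry.k8s.io" | grep -v sha256 | cut -d- -f3- | sed 's/-/\//' | sed 's/-v1/:v1/' > images
        # An empty list would otherwise make the loop below a silent no-op
        # that still reports a completed scan.
        if [ ! -s images ]; then
          echo "No images found in the release SBOM; refusing to report a clean image scan"
          exit 1
        fi
        # Scan every image, remember which ones had findings, and fail once at
        # the end so one vulnerable image does not hide the results for the
        # others (and so findings actually fail the job instead of only being
        # logged).
        IMAGES_WITH_FINDINGS=()
        while read -r image; do
          echo "Running container image scan on $image.."
          EXIT_CODE=0
          RESULT_UNFILTERED=$(snyk container test "$image" -d --json) || EXIT_CODE=$?
          if [ "$EXIT_CODE" -gt 1 ]; then
            echo "Failed to run snyk scan with exit code $EXIT_CODE . Error message: $RESULT_UNFILTERED"
            exit 1
          fi
          # Only fixable findings (an upgrade or patch exists) are reported.
          RESULT=$(jq '{vulnerabilities: .vulnerabilities | map(select(.isUpgradable == true or .isPatchable == true)) | select(length > 0) }' <<< "$RESULT_UNFILTERED")
          if [[ ${RESULT} ]]; then
            echo "Fixable vulnerabilities found in image $image"
            IMAGES_WITH_FINDINGS+=("$image")
          else
            echo "Scan completed image $image"
          fi
        done < images
        if [ "${#IMAGES_WITH_FINDINGS[@]}" -gt 0 ]; then
          echo "Fixable vulnerabilities found in images: ${IMAGES_WITH_FINDINGS[*]}"
          exit 1
        fi
        echo "Container image scan completed"
  annotations:
    testgrid-create-test-group: "true"
    testgrid-alert-email: security-tooling-private@kubernetes.io
    testgrid-num-failures-to-alert: '1'
    testgrid-dashboards: sig-security-snyk-scan
    description: Run snyk scan on k/k master periodically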
# Periodic job that runs ./fetch-cve-feed.sh from the sig-security repo
# (KEP 3203, the official Kubernetes CVE feed). It runs on the trusted build
# cluster because it needs the k8s-cve-feed service account.
- name: auto-refreshing-official-cve-feed
  interval: 2h
  cluster: k8s-infra-prow-build-trusted
  decorate: true
  extra_refs:
  - org: kubernetes
    repo: sig-security
    base_ref: main
    # Makes the sig-security checkout the working directory; the relative
    # 'cd' in the command below depends on it.
    workdir: true
  labels:
    preset-service-account: "true"
  spec:
    # Pod identity the script runs as; presumably the identity with write
    # access to the bucket in CVE_GCS_PATH — verify against the bucket IAM.
    serviceAccountName: k8s-cve-feed
    containers:
    # Pinned to a dated tag: avoids 'latest' drift between runs (a digest
    # would be stronger still).
    - image: gcr.io/k8s-staging-test-infra/gcloud-in-go:v20230111-cd1b3caf9c
      command:
      - sh
      - "-c"
      - "cd sig-security-tooling/cve-feed/hack/ && ./fetch-cve-feed.sh"
      env:
      # GCS location handed to the script; presumably where the generated
      # feed is published.
      - name: CVE_GCS_PATH
        value: "gs://k8s-cve-feed"
  annotations:
    testgrid-create-test-group: "true"
    testgrid-alert-email: security-tooling-private@kubernetes.io
    testgrid-num-failures-to-alert: '1'
    testgrid-dashboards: sig-security-cve-feed
    description: Auto refreshing official cve feed KEP 3203