[cli] create a vulnerability command #51

Closed
ghost opened this issue Apr 13, 2020 · 2 comments

ghost commented Apr 13, 2020

Motivation

As a Developer using the Lacework Platform,
I want to be able to integrate the vulnerability scan/reports into my pipeline,
so I can detect potential threats early on that could be introduced during development.

This work requires two major changes:

  1. An abstraction of the API endpoint into the Go api package
  2. The implementation of X number of commands to access the vulnerability endpoints

New Functionalities (API)

  • Request an on-demand vulnerability scan
  • Track progress of an on-demand vulnerability scan
  • Access vulnerability reports from container images

New Commands (CLI)

$ lacework vulnerability scan run <registry> <repo> <tag/image_id>
$ lacework vulnerability scan show <request_id>
$ lacework vulnerability report <image_id>

Aliases

$ lacework vul scan
$ lacework vul report

# Also add one for integrations
$ lacework int list
@ghost ghost self-assigned this Apr 13, 2020
@scottford-lw (Contributor)

@afiunelw one thing I think we need to think through is the behavior of the lacework vulnerability scan capability. There are a few APIs we need to account for...

image_id scan

This type of scan would take an image_id as an argument and return a result

curl "https://YourLacework.lacework.net/api/v1/external/vulnerabilities/container/imageId/sha256:1ee...1d3b" -H "Authorization: Bearer YourAPIToken"

You can also filter the results by severity...

curl "https://YourLacework.lacework.net/api/v1/external/vulnerabilities/container/imageId/sha256:1ee...1d3b?severity=medium" -H "Authorization: Bearer YourAPIToken"

image_digest scan

USAGE EXAMPLES
curl "https://YourLacework.lacework.net/api/v1/external/vulnerabilities/container/imageDigest/sha256:5ee...c5b" -H "Authorization: Bearer YourAPIToken"
Where sha256:5ee...c5b is the Digest Id (sha256 hash) that Docker generated for the manifest of this image.

Optionally filter by severity.

curl "https://YourLacework.lacework.net/api/v1/external/vulnerabilities/container/imageDigest/sha256:5ee...c5b?severity=medium" -H "Authorization: Bearer YourAPIToken"
Where sha256:5ee...c5b is the Digest Id (sha256 hash) that Docker generated for the manifest of this image.

Optionally filter by a date range.

curl "https://YourLacework.lacework.net/api/v1/external/vulnerabilities/container/imageDigest/sha256:5ee...c5b?StartTime=2020-01-14T01:01:00Z&EndTime=2020-01-15T22:01:00Z" -H "Authorization: Bearer YourAPIToken"
Where sha256:5ee...c5b is the Digest Id (sha256 hash) that Docker generated for the manifest of this image.

On demand scan of the repository

This one seems to kick off a scan of the repository, but what if you have a number of repos? Which one are you scanning??

curl -X POST -H 'Content-Type: application/json' -d '{ "registry":"index.docker.io", "repository":"yourDockerOrg/yourRepository", "tag":"yourTag" }' "https://YourLacework.lacework.net/api/v1/external/vulnerabilities/container/repository/images/scan" -H "Authorization: Bearer YourAPIToken"

Get status of scan jobs

USAGE EXAMPLES
curl "https://YourLacework.lacework.net/api/v1/external/vulnerabilities/container/reqId/498...1f0" -H "Authorization: Bearer YourAPIToken"
Where 498...1f0 is the request id returned from the POST /api/v1/external/repository/images/scan operation.

Optionally filter by severity.

curl "https://YourLacework.lacework.net/api/v1/external/vulnerabilities/container/reqId/498...1f0?severity=medium" -H "Authorization: Bearer YourAPIToken"
Where 498...1f0 is the request id returned from the POST /api/v1/external/repository/images/scan operation.
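
The endpoints listed above map onto the three commands proposed in the description (`scan run`, `scan show`, `report`). The Go client below is an added example, not code from this issue or from the lacework-cli project. It factors out what every curl line shares (the `/api/v1/external/vulnerabilities/container/` prefix and the `Authorization: Bearer` header), builds the optional `severity`/`StartTime`/`EndTime` filters with `url.Values` so that several parameters are joined with `&`, and hands back the raw JSON because the issue does not show the response shapes. `Client`, `ReportFilter`, `Echo`, `NewEchoServer`, the token and the ids are constructed for the example; the echo server stands in for the platform so the code runs offline and shows exactly what each command would send.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// base is the path prefix shared by every curl example in this issue.
const base = "/api/v1/external/vulnerabilities/container/"

// Client carries what each curl example supplies by hand: account URL and bearer token.
type Client struct {
	BaseURL, Token string
	HTTP           *http.Client
}

// ReportFilter holds the optional filters from the examples: severity and a date range.
type ReportFilter struct {
	Severity           string
	StartTime, EndTime time.Time
}

// query encodes the filters with url.Values, so multiple parameters are joined with '&'.
func (f ReportFilter) query() string {
	v := url.Values{}
	if f.Severity != "" {
		v.Set("severity", f.Severity)
	}
	if !f.StartTime.IsZero() {
		v.Set("StartTime", f.StartTime.UTC().Format(time.RFC3339))
	}
	if !f.EndTime.IsZero() {
		v.Set("EndTime", f.EndTime.UTC().Format(time.RFC3339))
	}
	if len(v) == 0 {
		return ""
	}
	return "?" + v.Encode()
}

// call sends one bearer-authenticated request and returns the JSON body on HTTP 200.
// Response shapes are not shown in the issue, so the CLI layer decides how to render it.
func (c *Client) call(method, path string, body []byte) (json.RawMessage, error) {
	req, err := http.NewRequest(method, c.BaseURL+base+path, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+c.Token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%s %s: HTTP %d", method, path, resp.StatusCode)
	}
	return io.ReadAll(resp.Body)
}

// RunScan backs `scan run <registry> <repo> <tag>`: POST .../repository/images/scan.
func (c *Client) RunScan(registry, repo, tag string) (json.RawMessage, error) {
	body, err := json.Marshal(map[string]string{"registry": registry, "repository": repo, "tag": tag})
	if err != nil {
		return nil, err
	}
	return c.call(http.MethodPost, "repository/images/scan", body)
}

// ScanStatus backs `scan show <request_id>`: GET .../reqId/<request_id>.
func (c *Client) ScanStatus(reqID string, f ReportFilter) (json.RawMessage, error) {
	return c.call(http.MethodGet, "reqId/"+url.PathEscape(reqID)+f.query(), nil)
}

// Report backs `report <image_id>`; kind is "imageId" or "imageDigest", as in the examples.
func (c *Client) Report(kind, id string, f ReportFilter) (json.RawMessage, error) {
	return c.call(http.MethodGet, kind+"/"+url.PathEscape(id)+f.query(), nil)
}

// Echo is the constructed test server's reply: the request exactly as it arrived.
type Echo struct{ Method, Path, Query, Auth string }

// NewEchoServer stands in for the platform so the example runs offline.
func NewEchoServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode(Echo{r.Method, r.URL.Path, r.URL.RawQuery, r.Header.Get("Authorization")})
	}))
}

func main() {
	srv := NewEchoServer()
	defer srv.Close()
	c := &Client{BaseURL: srv.URL, Token: "constructed-token", HTTP: srv.Client()}
	raw, err := c.Report("imageDigest", "sha256:constructed", ReportFilter{Severity: "medium"})
	fmt.Println(string(raw), err)
}
```

Against a real account `BaseURL` would be `https://YourLacework.lacework.net` and `Token` the API token from the curl examples; the echo reply then simply becomes the platform's JSON.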

ghost commented Apr 14, 2020

Thank you, Scott! Great feedback.

To elaborate a little bit more on the thinking I did in the description of this card: in
my opinion, there are three main functionalities we want to provide to the end-user:

  • Get information about the last scan of a container image: Pretty straightforward, a command that gets the information about the last scan. These scans happen in the platform periodically, but if we want to integrate this functionality into pipelines and workflows, we need to have a way to trigger scans on demand.
  • Request an on-demand vulnerability scan: This command will trigger a new vulnerability scan on-demand. Once a user generates an image and publishes it to their container registry, they can trigger a scan to be able to analyze the container.
  • Track the progress of an on-demand vulnerability scan: Once a scan is triggered, the user will want to track the progress so that, when the scan is completed, the user can then get the information/report from the scan that just ran, but if the scan fails, the user will be able to act upon it.

These are the main functionalities I see. If we agree on them, we can then add
parameters that modify the main functionalities, like the things you mentioned:
filter by severity or by date range, search by image digest instead of image ID, etc.

Let's zoom to clarify these ideas. 💯
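
The third functionality above (track the scan, then either read the report or act on a failure) is the step a pipeline actually blocks on. The Go poller below is an added example, not code from this issue or from the project: `Tracker`, `Replay`, `NewTracker`, the status strings Scanning/Completed/Failed, the request ids and the 2s/30s/20-poll budget are all assumed, since the issue does not show what the `reqId` endpoint returns. It separates "the platform reported the scan as failed" (`ErrScanFailed`) from transport errors and from running out of polls, so a CI step can exit with a distinct message for each, and it backs off between polls instead of hammering the API.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Status strings are assumed for the example; the issue only says a scan can
// complete or fail, not what the reqId endpoint literally returns.
const (
	StatusScanning  = "Scanning"
	StatusCompleted = "Completed"
	StatusFailed    = "Failed"
)

// ErrScanFailed marks a scan the platform reported as failed, so a pipeline step can
// tell it apart from a transport error or from giving up after too many polls.
var ErrScanFailed = errors.New("scan reported as failed")

// StatusFunc returns the current status of one request id. In the CLI this would wrap
// the `scan show <request_id>` call; it is injected here so the loop runs offline.
type StatusFunc func(reqID string) (string, error)

// Tracker polls a scan to a terminal state with a capped exponential backoff.
type Tracker struct {
	Status   StatusFunc
	Initial  time.Duration       // first wait between polls
	MaxDelay time.Duration       // backoff ceiling
	MaxPolls int                 // give up after this many polls
	Sleep    func(time.Duration) // time.Sleep in production; a no-op or recorder in tests
}

// Wait returns the number of polls made. A nil error means the scan completed; an
// error wrapping ErrScanFailed means the platform failed it; anything else is a
// transport error or the poll budget running out.
func (tr Tracker) Wait(reqID string) (int, error) {
	delay := tr.Initial
	for n := 1; n <= tr.MaxPolls; n++ {
		s, err := tr.Status(reqID)
		if err != nil {
			return n, fmt.Errorf("poll %d of %s: %w", n, reqID, err)
		}
		switch s {
		case StatusCompleted:
			return n, nil
		case StatusFailed:
			return n, fmt.Errorf("%s: %w", reqID, ErrScanFailed)
		}
		tr.Sleep(delay)
		if delay *= 2; delay > tr.MaxDelay {
			delay = tr.MaxDelay
		}
	}
	return tr.MaxPolls, fmt.Errorf("%s: not finished after %d polls", reqID, tr.MaxPolls)
}

// Replay is a constructed status source: it returns the given statuses in order and
// then keeps returning the last one, the way successive `scan show` calls would look.
func Replay(statuses ...string) StatusFunc {
	i := 0
	return func(string) (string, error) {
		s := statuses[i]
		if i < len(statuses)-1 {
			i++
		}
		return s, nil
	}
}

// NewTracker wires a status source to the (constructed) poll budget used in this example.
func NewTracker(status StatusFunc, sleep func(time.Duration)) Tracker {
	return Tracker{Status: status, Initial: 2 * time.Second, MaxDelay: 30 * time.Second, MaxPolls: 20, Sleep: sleep}
}

func main() {
	noSleep := func(time.Duration) {}
	n, err := NewTracker(Replay(StatusScanning, StatusScanning, StatusCompleted), noSleep).Wait("req-0001")
	fmt.Println(n, err) // 3 <nil>
	n, err = NewTracker(Replay(StatusScanning, StatusFailed), noSleep).Wait("req-0002")
	fmt.Println(n, errors.Is(err, ErrScanFailed)) // 2 true
}
```

In the CLI the `Status` field would be the `scan show` request and `Sleep` would be `time.Sleep`; the `errors.Is(err, ErrScanFailed)` check is what lets `scan run --wait`-style usage fail the build only when the platform itself reports a failed scan.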

@ghost ghost mentioned this issue Apr 14, 2020
@ghost ghost closed this as completed Apr 16, 2020