A basic sample application using Java Spring Boot with customized stonesoup tekton pipeline to include the CRDA static code analysis task.
All the CRDA cli dependencies are built into the docker image - quay.io/lrangine/crda-maven:11.0. If you want to customize this docker image then please take look at the source code here.
CRDA CLI needs to have the authentication and CRDA token. You can find more information about obtaining those tokens here.
If you have already configured CRDA CLI on your local environment then you can get all the required tokens using the command crda config get.
Once you obtain above tokens create the secret so that your pipeline can use above tokens required by CRDA CLI.
apiVersion: v1
kind: Secret
metadata:
name: crda-scan-secrets
namespace: lrangine-tenant
type: Opaque
stringData:
AUTH_TOKEN: 9e7da12345fe123d8c10fa123e12345f
CRDA_KEY: 12345678-bf9c-45ad-b236-a04a62312d9a
HOST: https://f8a-analytics-2445582058137.production.gw.apicast.iocrda-scan task is added to the default java pipeline provided by the Stone Soup.
Here is the task definition.
- name: crda-scan
description: CRDA tool Scans for static code vulneribilities.
taskSpec:
results:
- name: CLAIR_SCAN_RESULT
description: CRDA scan result
- name: HACBS_TEST_OUTPUT
description: CRDA scan test output
workspaces:
- name: source
steps:
- name: run-redhat-crda-scan-step
image: quay.io/lrangine/crda-maven:11.0
workingDir: "$(workspaces.source.path)"
env:
- name: AUTH_TOKEN
valueFrom:
secretKeyRef:
name: crda-scan-secrets
key: AUTH_TOKEN
- name: CONSENT_TELEMETRY
value: "false"
- name: CRDA_KEY
valueFrom:
secretKeyRef:
name: crda-scan-secrets
key: CRDA_KEY
- name: HOST
valueFrom:
secretKeyRef:
name: crda-scan-secrets
key: HOST
script: |
#!/usr/bin/env bash
/crda.sh pom.xml crda_scan_output.json
echo 'CRDA Scan is completed'
echo 'Printing scan results'
more crda_scan_output.json
echo 'Formatting the Task Results'
jq -rce \
'{vulnerabilities:{
critical: (.report."critical_vulnerabilities"),
high: (.report."high_vulnerabilities"),
medium: (.report."medium_vulnerabilities"),
low: (.report."low_vulnerabilities")
}}' crda_scan_output.json | tee $(results.CLAIR_SCAN_RESULT.path)
NOTE="Task $(context.task.name) completed: Refer to Tekton task result CLAIR_SCAN_RESULT for vulnerabilities scanned by CRDA."
HACBS_TEST_OUTPUT="SUCCESS $NOTE"
echo "${HACBS_TEST_OUTPUT}" | tee $(results.HACBS_TEST_OUTPUT.path)
runAfter:
- clone-repository
workspaces:
- name: source
workspace: workspacecrda-scan task definition is dependent on clone-repository task. clone-repository task will clone github source code to the workspace then 'crda-scan' task will perform the static code analysis using CRDA CLI tool.