-
Notifications
You must be signed in to change notification settings - Fork 2
/
pindocker.go
76 lines (62 loc) · 2.05 KB
/
pindocker.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
package pin
import (
"fmt"
"net/http"
"strings"
"github.com/google/go-containerregistry/pkg/authn"
"github.com/google/go-containerregistry/pkg/name"
"github.com/google/go-containerregistry/pkg/v1/remote"
metadata "github.com/nextlinux/secure-repo/remediation/workflow/metadata"
"gopkg.in/yaml.v3"
)
var Tr http.RoundTripper = remote.DefaultTransport
func PinDocker(inputYaml string) (string, bool, error) {
updated := false
workflow := metadata.Workflow{}
err := yaml.Unmarshal([]byte(inputYaml), &workflow)
if err != nil {
return inputYaml, updated, fmt.Errorf("unable to parse yaml %v", err)
}
out := inputYaml
for jobName, job := range workflow.Jobs {
for _, step := range job.Steps {
if len(step.Uses) > 0 && strings.HasPrefix(step.Uses, "docker://") && !strings.Contains(step.Uses, "@") {
localUpdated := false
out, localUpdated = pinDocker(step.Uses, jobName, out)
updated = updated || localUpdated
}
}
}
return out, updated, nil
}
func pinDocker(action, jobName, inputYaml string) (string, bool) {
updated := false
leftOfAt := strings.Split(action, ":")
tag := "latest"
// Reference :latest tag if no tag is present
if len(leftOfAt) > 2 {
tag = leftOfAt[2]
}
image := leftOfAt[1][2:]
ref, err := name.ParseReference(image, name.WithDefaultTag(tag))
if err != nil {
return inputYaml, updated
}
img, err := remote.Image(ref, remote.WithAuthFromKeychain(authn.DefaultKeychain), remote.WithTransport(Tr))
if err != nil {
//TODO: Log the error
return inputYaml, updated
}
// Getting image digest
imghash, err := img.Digest()
if err != nil {
return inputYaml, updated
}
pinnedAction := fmt.Sprintf("%s:%s:%s@%s", leftOfAt[0], leftOfAt[1], tag, imghash.String())
inputYaml = strings.ReplaceAll(inputYaml, action, pinnedAction)
// Revert the extra hash for already pinned docker actions
inputYaml = strings.ReplaceAll(inputYaml, pinnedAction+"@", action+"@")
inputYaml = strings.ReplaceAll(inputYaml, pinnedAction+":", action+":")
updated = !strings.EqualFold(action, pinnedAction)
return inputYaml, updated
}