From 1e965123c916bc0d125e38d87da6535fec9803e8 Mon Sep 17 00:00:00 2001
From: Eduardo Minguez
Date: Fri, 28 Oct 2022 12:28:20 +0200
Subject: [PATCH] Added a container for sysdig-cli-scanner
---
 .github/workflows/sysdig-cli-scanner.yaml | 96 +++++++++++++++++++++++
 container-image/Containerfile | 10 +++
 container-image/README.md | 53 +++++++++++++
 container-image/doit.sh | 7 ++
 4 files changed, 166 insertions(+)
 create mode 100644 .github/workflows/sysdig-cli-scanner.yaml
 create mode 100644 container-image/Containerfile
 create mode 100644 container-image/README.md
 create mode 100644 container-image/doit.sh
diff --git a/.github/workflows/sysdig-cli-scanner.yaml b/.github/workflows/sysdig-cli-scanner.yaml
new file mode 100644
index 0000000..183bb50
--- /dev/null
+++ b/.github/workflows/sysdig-cli-scanner.yaml
@@ -0,0 +1,96 @@
+env:
+ SYSDIG_SECURE_ENDPOINT: "https://secure.sysdig.com"
+ REGISTRY_HOST: "ghcr.io"
+ IMAGE_NAME: "sysdig-cli-scanner"
+ DOCKERFILE_CONTEXT: "container-image/"
+
+name: Build, scan and push the sysdig-cli-scanner container
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "0 5 * * *"
+
+jobs:
+ build-scan-and-push:
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ contents: read
+ steps:
+ - name: Check the latest version
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ LATEST_VERSION=$(curl -sL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)
+ IMAGE_TAG=$(gh api -H "Accept: application/vnd.github+json" /orgs/sysdiglabs/packages/container/sysdig-cli-scanner/versions | jq -r 'sort_by(.created_at) | last | .metadata.container.tags[0]')
+ if [ ! -f ${GITHUB_WORKSPACE}/cache/latest_version.txt ] || [ ${LATEST_VERSION} != ${IMAGE_TAG} ]; then
+ echo "Container versions differ, building ${LATEST_VERSION}"
+ echo "IMAGE_TAG=${LATEST_VERSION}" >> ${GITHUB_ENV}
+ else
+ echo "Container already using latest version"
+ exit 1
+ fi
+
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+
+ - name: Build and save
+ uses: docker/build-push-action@v3
+ with:
+ context: ${{ env.DOCKERFILE_CONTEXT }}
+ file: "${{ env.DOCKERFILE_CONTEXT }}Containerfile"
+ tags: ${{ env.REGISTRY_HOST }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
+ load: true
+ build-args: |
+ VERSION=${{ env.IMAGE_TAG }}
+
+ - name: Setup cache
+ uses: actions/cache@v3
+ with:
+ path: cache
+ key: ${{ runner.os }}-cache-${{ hashFiles('**/sysdig-cli-scanner', '**/latest_version.txt', '**/db/main.db.meta.json', '**/scanner-cache/inlineScannerCache.db') }}
+ restore-keys: ${{ runner.os }}-cache-
+
+ - name: Download sysdig-cli-scanner if needed
+ run: |
+ curl -sLO https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt
+ mkdir -p ${GITHUB_WORKSPACE}/cache/db/
+ if [ ! -f ${GITHUB_WORKSPACE}/cache/latest_version.txt ] || [ $(cat ./latest_version.txt) != $(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt) ]; then
+ cp ./latest_version.txt ${GITHUB_WORKSPACE}/cache/latest_version.txt
+ curl -sL -o ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt)/linux/amd64/sysdig-cli-scanner"
+ chmod +x ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner
+ else
+ echo "sysdig-cli-scanner latest version already downloaded"
+ fi
+
+ - name: Scan the image using sysdig-cli-scanner
+ env:
+ SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }}
+ run: |
+ ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \
+ --apiurl ${SYSDIG_SECURE_ENDPOINT} \
+ docker://${REGISTRY_HOST}/${{github.repository_owner}}/${IMAGE_NAME}:${IMAGE_TAG} \
+ --console-log \
+ --dbpath=${GITHUB_WORKSPACE}/cache/db/ \
+ --cachepath=${GITHUB_WORKSPACE}/cache/scanner-cache/
+
+ - name: Login to the registry
+ uses: docker/login-action@v2
+ with:
+ registry: ${{ env.REGISTRY_HOST }}
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Push
+ uses: docker/build-push-action@v3
+ with:
+ context: ${{ env.DOCKERFILE_CONTEXT }}
+ push: true
+ file: "${{ env.DOCKERFILE_CONTEXT }}Containerfile"
+ build-args: |
+ VERSION=${{ env.IMAGE_TAG }}
+ tags: ${{ env.REGISTRY_HOST }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
\ No newline at end of file
diff --git a/container-image/Containerfile b/container-image/Containerfile
new file mode 100644
index 0000000..e502f7a
--- /dev/null
+++ b/container-image/Containerfile
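Review bot: The "Check the latest version" step tests `${GITHUB_WORKSPACE}/cache/latest_version.txt` before "Setup cache" has restored anything, so on every run the file is absent, the `||` short-circuits to "build", and the `else` branch that would skip an already-published tag is effectively dead; move the `actions/cache@v3` step ahead of the version check, and since that branch ends in `exit 1` it currently reports a no-op as a failed scheduled run, which hides real failures (an `if:` guard on later steps would be quieter). The "Push" step runs a second `docker/build-push-action@v3` build instead of pushing the image that was just scanned, so unless every layer is a cache hit the artefact that reaches the registry is not the one the scanner approved; after "Login to the registry" push the already-loaded tag with `run: docker push "${REGISTRY_HOST}/${{ github.repository_owner }}/${IMAGE_NAME}:${IMAGE_TAG}"` instead. The scanner binary fetched in "Download sysdig-cli-scanner if needed" is executed with `SECURE_API_TOKEN` in its environment and then baked into the published image, yet nothing checks its integrity; at least print `sha256sum ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner` into the log so a substituted download is visible, and verify it against a vendor-published checksum if one is available. `[ ${LATEST_VERSION} != ${IMAGE_TAG} ]` is unquoted, so an empty `IMAGE_TAG` (no package published yet) or an empty curl body turns the comparison into a shell error rather than a decision; write `[ "${LATEST_VERSION}" != "${IMAGE_TAG}" ]`. Finally, every action is referenced by a mutable tag (`actions/checkout@v2`, `docker/login-action@v2`, …) in a job that holds `packages: write`; pinning each to a full commit SHA keeps a moved tag from changing what runs with that permission.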
@@ -0,0 +1,10 @@
+FROM alpine:latest as builder
+ARG VERSION
+ENV VERSION=${VERSION}
+ADD https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${VERSION}/linux/amd64/sysdig-cli-scanner /
+RUN chmod a+x /sysdig-cli-scanner
+
+FROM gcr.io/distroless/static-debian11:nonroot
+COPY --from=builder /sysdig-cli-scanner /home/nonroot/
+USER 65532:65532
+ENTRYPOINT ["/home/nonroot/sysdig-cli-scanner"]
\ No newline at end of file
diff --git a/container-image/README.md b/container-image/README.md
new file mode 100644
index 0000000..4ebac34
--- /dev/null
+++ b/container-image/README.md
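Review bot: The `ADD` fetches the scanner binary with no integrity check and the builder stage is `FROM alpine:latest`, so two unpinned remote inputs decide what ends up behind the `ENTRYPOINT`; pin the builder by digest (`FROM alpine:<pinned-tag>@sha256:<digest> as builder`, placeholders) and, where the BuildKit frontend in use supports it, fetch with `ADD --checksum=sha256:<vendor-published-digest> <url> /` so a tampered download fails the build instead of being shipped. `ENV VERSION=${VERSION}` is redundant here: `ARG VERSION` already makes `${VERSION}` available to the following `ADD` in the same stage, and the builder stage is discarded, so the line can be dropped. `USER 65532:65532` on the distroless `nonroot` image is the right choice; a comment such as `# 65532 is the distroless "nonroot" uid/gid` above it would save the next reader a lookup.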
@@ -0,0 +1,53 @@
+# Unsupported container for the `sysdig-cli-scanner`
+
+A few notes:
+* It does a multistep build to get the binary and `chmod`-it from an alpine container, then it uses the debian distroless to save some disk space (the binary itself is 28MB and the image is 31MB)
+* The `sysdig-cli-scanner` version number is used also for the container label
+* The container image itself is scanned by the `sysdig-cli-scanner`!
+
+## Run it
+
+```
+$ docker run -e SECURE_API_TOKEN="X" ghcr.io/sysdiglabs/sysdig-cli-scanner:1.2.10 --apiurl https://eu1.app.sysdig.com pull://docker.io/sysdiglabs/dummy-vuln-app
+2022-10-28T10:23:05Z Starting analysis with Sysdig scanner version 1.2.10-rc
+2022-10-28T10:23:05Z Retrieving vulnerabilities DB...
+2022-10-28T10:23:07Z Done 116.3 MB
+2022-10-28T10:23:07Z Loading vulnerabilities DB...
+2022-10-28T10:23:07Z Done
+2022-10-28T10:23:07Z Retrieving image...
+2022-10-28T10:23:08Z Done
+2022-10-28T10:23:08Z Scan started...
+2022-10-28T10:23:16Z Uploading result to backend...
+2022-10-28T10:23:16Z Done
+2022-10-28T10:23:16Z Total execution time 11.019413828s
+
+Type: dockerImage
+ImageID: sha256:b670c067178c876d17363baec279d483ae07384351d1a0be7646230442471ac6
+Digest: sysdiglabs/dummy-vuln-app@sha256:bc86e8ba5741ab71ce50f13fbf89a1f27dc4e1d3b0c3345cee8e3238bc30022b
+BaseOS: debian 9.13
+PullString: docker.io/sysdiglabs/dummy-vuln-app
+
+13 vulnerabilities found
+2 Critical (0 fixable)
+5 High (2 fixable)
+6 Medium (5 fixable)
+0 Low (0 fixable)
+0 Negligible (0 fixable)
+
+ PACKAGE TYPE VERSION SUGGESTED FIX CRITICAL HIGH MEDIUM LOW NEGLIGIBLE EXPLOIT
+ pip python 9.0.1 19.2 0 2 1 0 0 0
+ numpy python 1.12.1 1.19.0 0 1 3 0 0 0
+ pyxdg python 0.25 0.26 0 1 0 0 0 0
+ Jinja2 python 2.11.2 2.11.3 0 0 1 0 0 0
+
+ POLICIES EVALUATION
+ Policy: Sysdig Best Practices FAILED (8 failures)
+
+Policies evaluation FAILED at 2022-10-28T10:23:16Z
+Full image results here: https://eu1.app.sysdig.com/secure/#/scanning/assets/results/1722348e04906294017718c0cd082970/overview (id 1722348e04906294017718c0cd082970)
+Execution logs written to: /home/nonroot/scan-logs
+```
+
+## Build it
+
+The container is built by the [GitHub workflow](../.github/workflows/sysdig-cli-scanner.yaml) but in order to do it manually you can use the [doit.sh](./doit.sh) script. It requires you to be logged in your container image repository (docker login) and modify the REPO variable in the doit.sh script.
diff --git a/container-image/doit.sh b/container-image/doit.sh
new file mode 100644
index 0000000..545440d
--- /dev/null
+++ b/container-image/doit.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+REPO=quay.io/e_minguez/sysdig-cli-scanner
+export VERSION=$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)
+
+docker build --build-arg VERSION . -t ${REPO}:${VERSION}
+docker push ${REPO}:${VERSION}
\ No newline at end of file
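Review bot: `docker build --build-arg VERSION . -t ${REPO}:${VERSION}` passes no `-f`, so `docker build` looks for a `Dockerfile` in the context and will not find the `Containerfile` this directory actually contains (podman picks `Containerfile` up by default; docker does not), so the manual build documented in the README fails before it starts; add `-f Containerfile`. The script also has no `set -euo pipefail` and never checks that `VERSION` is non-empty, so a failed or empty curl response leaves `VERSION` blank, the image is tagged `${REPO}:` and the builder's `ADD` URL points at a path that cannot exist. The rewrite below keeps the same interface (edit `REPO`, run the script) and fails early instead.
```shell
#!/bin/bash
set -euo pipefail

REPO=quay.io/e_minguez/sysdig-cli-scanner
VERSION=$(curl -fsSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)
[ -n "${VERSION}" ] || { echo "could not determine the latest sysdig-cli-scanner version" >&2; exit 1; }
export VERSION

docker build -f Containerfile --build-arg VERSION . -t "${REPO}:${VERSION}"
docker push "${REPO}:${VERSION}"
```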