sysdiglabs · e-minguez · Oct 28, 2022 · Oct 28, 2022
diff --git a/.github/workflows/sysdig-cli-scanner.yaml b/.github/workflows/sysdig-cli-scanner.yaml
@@ -0,0 +1,96 @@
+env:
+    SYSDIG_SECURE_ENDPOINT: "https://secure.sysdig.com"
+    REGISTRY_HOST: "ghcr.io"
+    IMAGE_NAME: "sysdig-cli-scanner"
+    DOCKERFILE_CONTEXT: "container-image/"
+
+name: Build, scan and push the sysdig-cli-scanner container
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 5 * * *"
+
+jobs:
+  build-scan-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+    steps:
+    - name: Check the latest version
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run:  |
+        LATEST_VERSION=$(curl -sL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)
+        IMAGE_TAG=$(gh api -H "Accept: application/vnd.github+json" /orgs/sysdiglabs/packages/container/sysdig-cli-scanner/versions | jq -r 'sort_by(.created_at) | last | .metadata.container.tags[0]')
+        if [ ! -f ${GITHUB_WORKSPACE}/cache/latest_version.txt ] || [ ${LATEST_VERSION} != ${IMAGE_TAG} ]; then
+          echo "Container versions differ, building ${LATEST_VERSION}"
+          echo "IMAGE_TAG=${LATEST_VERSION}" >> ${GITHUB_ENV}
+        else
+          echo "Container already using latest version"
+          exit 1
+        fi
+
+    - name: Checkout
+      uses: actions/checkout@v2
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v2
+
+    - name: Build and save
+      uses: docker/build-push-action@v3
+      with:
+        context: ${{ env.DOCKERFILE_CONTEXT }}
+        file: "${{ env.DOCKERFILE_CONTEXT }}Containerfile"
+        tags: ${{ env.REGISTRY_HOST }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
+        load: true
+        build-args: |
+          VERSION=${{ env.IMAGE_TAG }}
+
+    - name: Setup cache
+      uses: actions/cache@v3
+      with:
+        path: cache
+        key: ${{ runner.os }}-cache-${{ hashFiles('**/sysdig-cli-scanner', '**/latest_version.txt', '**/db/main.db.meta.json', '**/scanner-cache/inlineScannerCache.db') }}
+        restore-keys: ${{ runner.os }}-cache-
+
+    - name: Download sysdig-cli-scanner if needed
+      run:  |
+        curl -sLO https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt
+        mkdir -p ${GITHUB_WORKSPACE}/cache/db/
+        if [ ! -f ${GITHUB_WORKSPACE}/cache/latest_version.txt ] || [ $(cat ./latest_version.txt) != $(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt) ]; then
+          cp ./latest_version.txt ${GITHUB_WORKSPACE}/cache/latest_version.txt
+          curl -sL -o ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt)/linux/amd64/sysdig-cli-scanner"
+          chmod +x ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner
+        else
+          echo "sysdig-cli-scanner latest version already downloaded"
+        fi
+
+    - name: Scan the image using sysdig-cli-scanner
+      env:
+        SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }}
+      run: |
+        ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \
+          --apiurl ${SYSDIG_SECURE_ENDPOINT} \
+          docker://${REGISTRY_HOST}/${{github.repository_owner}}/${IMAGE_NAME}:${IMAGE_TAG} \
+          --console-log \
+          --dbpath=${GITHUB_WORKSPACE}/cache/db/ \
+          --cachepath=${GITHUB_WORKSPACE}/cache/scanner-cache/
+
+    -  name: Login to the registry
+       uses: docker/login-action@v2
+       with:
+        registry: ${{ env.REGISTRY_HOST }}
+        username: ${{ github.repository_owner }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Push
+      uses: docker/build-push-action@v3
+      with:
+        context: ${{ env.DOCKERFILE_CONTEXT }}
+        push: true
+        file: "${{ env.DOCKERFILE_CONTEXT }}Containerfile"
+        build-args: |
+          VERSION=${{ env.IMAGE_TAG }}
+        tags: ${{ env.REGISTRY_HOST }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
diff --git a/container-image/Containerfile b/container-image/Containerfile
@@ -0,0 +1,10 @@
+FROM alpine:latest as builder
+ARG VERSION
+ENV VERSION=${VERSION}
+ADD https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${VERSION}/linux/amd64/sysdig-cli-scanner /
+RUN chmod a+x /sysdig-cli-scanner
+
+FROM gcr.io/distroless/static-debian11:nonroot
+COPY --from=builder /sysdig-cli-scanner /home/nonroot/
+USER 65532:65532
+ENTRYPOINT ["/home/nonroot/sysdig-cli-scanner"]
diff --git a/container-image/README.md b/container-image/README.md
@@ -0,0 +1,53 @@
+# Unsupported container for the `sysdig-cli-scanner`
+
+A few notes:
+* It does a multistep build to get the binary and `chmod`-it from an alpine container, then it uses the debian distroless to save some disk space (the binary itself is 28MB and the image is 31MB)
+* The `sysdig-cli-scanner` version number is used also for the container label
+* The container image itself is scanned by the `sysdig-cli-scanner`!
+
+## Run it
+
+```
+$ docker run -e SECURE_API_TOKEN="X" ghcr.io/sysdiglabs/sysdig-cli-scanner:1.2.10 --apiurl https://eu1.app.sysdig.com pull://docker.io/sysdiglabs/dummy-vuln-app
+2022-10-28T10:23:05Z Starting analysis with Sysdig scanner version 1.2.10-rc
+2022-10-28T10:23:05Z Retrieving vulnerabilities DB...
+2022-10-28T10:23:07Z Done 116.3 MB
+2022-10-28T10:23:07Z Loading vulnerabilities DB...
+2022-10-28T10:23:07Z Done
+2022-10-28T10:23:07Z Retrieving image...
+2022-10-28T10:23:08Z Done
+2022-10-28T10:23:08Z Scan started...
+2022-10-28T10:23:16Z Uploading result to backend...
+2022-10-28T10:23:16Z Done
+2022-10-28T10:23:16Z Total execution time 11.019413828s
+
+Type: dockerImage
+ImageID: sha256:b670c067178c876d17363baec279d483ae07384351d1a0be7646230442471ac6
+Digest: sysdiglabs/dummy-vuln-app@sha256:bc86e8ba5741ab71ce50f13fbf89a1f27dc4e1d3b0c3345cee8e3238bc30022b
+BaseOS: debian 9.13
+PullString: docker.io/sysdiglabs/dummy-vuln-app
+
+13 vulnerabilities found
+2 Critical (0 fixable)
+5 High (2 fixable)
+6 Medium (5 fixable)
+0 Low (0 fixable)
+0 Negligible (0 fixable)
+
+  PACKAGE   TYPE   VERSION  SUGGESTED FIX  CRITICAL  HIGH  MEDIUM  LOW  NEGLIGIBLE  EXPLOIT
+  pip      python   9.0.1       19.2          0       2      1      0       0          0
+  numpy    python  1.12.1      1.19.0         0       1      3      0       0          0
+  pyxdg    python   0.25        0.26          0       1      0      0       0          0
+  Jinja2   python  2.11.2      2.11.3         0       0      1      0       0          0
+
+                  POLICIES EVALUATION
+    Policy: Sysdig Best Practices FAILED (8 failures)
+
+Policies evaluation FAILED at 2022-10-28T10:23:16Z
+Full image results here: https://eu1.app.sysdig.com/secure/#/scanning/assets/results/1722348e04906294017718c0cd082970/overview (id 1722348e04906294017718c0cd082970)
+Execution logs written to: /home/nonroot/scan-logs
+```
+
+## Build it
+
+The container is built by the [GitHub workflow](../.github/workflows/sysdig-cli-scanner.yaml) but in order to do it manually you can use the [doit.sh](./doit.sh) script. It requires you to be logged in your container image repository (docker login) and modify the REPO variable in the doit.sh script.
diff --git a/container-image/doit.sh b/container-image/doit.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+REPO=quay.io/e_minguez/sysdig-cli-scanner
+export VERSION=$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)
+
+docker build --build-arg VERSION . -t ${REPO}:${VERSION}
+docker push ${REPO}:${VERSION}