From fae2c733f628327cc0b3d497226b93f174dedc22 Mon Sep 17 00:00:00 2001 From: Shivam Kumar Date: Mon, 3 Mar 2025 20:05:09 +0530 Subject: [PATCH] Feat/trivy (#109) * Integrated trivy in code base and in Dockerfile * changed to dockerfile in action.yml * changed entrypoint.sh for aws auth * feat: changed action.yml image to version 2.0.0 release * feat: changed to release 1.0.0 in action.yml --- Dockerfile | 6 ++- cmd/sdkr/provisionHub.go | 16 ++------ cmd/sdkr/scan.go | 85 +++++++++++++++++++--------------------- entrypoint.sh | 9 ++++- internal/docker/scan.go | 52 ++++++++---------------- 5 files changed, 73 insertions(+), 95 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4da4309..bc83bfe 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,7 +7,8 @@ RUN apk add --no-cache \ unzip \ docker-cli \ aws-cli \ - bash + bash \ + docker # Install Terraform RUN curl -fsSL https://releases.hashicorp.com/terraform/1.5.7/terraform_1.5.7_linux_amd64.zip -o terraform.zip && \ @@ -15,6 +16,9 @@ RUN curl -fsSL https://releases.hashicorp.com/terraform/1.5.7/terraform_1.5.7_li mv terraform /usr/local/bin/ && \ rm terraform.zip +# Install Trivy (Vulnerability Scanner) +RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + # Set working directory WORKDIR /go/src/app diff --git a/cmd/sdkr/provisionHub.go b/cmd/sdkr/provisionHub.go index 7a1c48e..5a89073 100644 --- a/cmd/sdkr/provisionHub.go +++ b/cmd/sdkr/provisionHub.go @@ -115,8 +115,8 @@ Set DOCKER_USERNAME and DOCKER_PASSWORD environment variables for Docker Hub aut } pterm.Success.Println("Build completed successfully.") - pterm.Info.Println("Starting scan...") - scanErr := docker.Scout(fullImageName, configs.SarifFile) + pterm.Info.Println("Starting scan with Trivy...") + scanErr := docker.Trivy(fullImageName) if scanErr != nil { pterm.Error.Println("Scan failed:", scanErr) } else { @@ -158,7 +158,7 @@ Set DOCKER_USERNAME and DOCKER_PASSWORD environment variables for Docker Hub aut # Provide "myuser/myimage:latest" as an argument smurf sdkr provision-hub myuser/myimage:latest --context . --file Dockerfile --no-cache \ --build-arg key1=value1 --build-arg key2=value2 --target my-target --platform linux/amd64 \ - --output myscan.sarif --yes --delete + --yes --delete # If you omit the argument, it will read from config and rely on "image_name" from there smurf sdkr provision-hub --yes --delete @@ -208,14 +208,6 @@ func init() { "", "Build context directory (default: current directory)", ) - - provisionHubCmd.Flags().StringVarP( - &configs.SarifFile, - "output", "o", - "", - "Output file for SARIF report", - ) - provisionHubCmd.Flags().BoolVarP( &configs.ConfirmAfterPush, "yes", "y", @@ -230,4 +222,4 @@ func init() { ) sdkrCmd.AddCommand(provisionHubCmd) -} +} \ No newline at end of file diff --git a/cmd/sdkr/scan.go b/cmd/sdkr/scan.go index f55b630..4b8d66e 100644 --- a/cmd/sdkr/scan.go +++ b/cmd/sdkr/scan.go @@ -1,58 +1,53 @@ package sdkr import ( - "errors" - "fmt" - - "github.com/clouddrove/smurf/configs" - "github.com/clouddrove/smurf/internal/docker" - "github.com/pterm/pterm" - "github.com/spf13/cobra" + "errors" + "fmt" + "github.com/clouddrove/smurf/configs" + "github.com/clouddrove/smurf/internal/docker" + "github.com/pterm/pterm" + "github.com/spf13/cobra" ) // scanCmd provides functionality to scan a Docker image for known security issues. // It supports both direct command-line arguments and configuration file values for the image name, // and optionally allows saving the scan report to a specified SARIF file. var scanCmd = &cobra.Command{ - Use: "scan [IMAGE_NAME[:TAG]]", - Short: "Scan a Docker image for known vulnerabilities.", - Args: cobra.MaximumNArgs(1), - RunE: func(cmd *cobra.Command, args []string) error { - var imageRef string - - if len(args) == 1 { - imageRef = args[0] - } else { - data, err := configs.LoadConfig(configs.FileName) - if err != nil { - return fmt.Errorf("failed to load config: %w", err) - } - if data.Sdkr.ImageName == "" { - return errors.New("image name (with optional tag) must be provided either as an argument or in the config") - } - imageRef = data.Sdkr.ImageName - } - - pterm.Info.Printf("Scanning Docker image %q...\n", imageRef) - err := docker.Scout(imageRef, configs.SarifFile) - if err != nil { - pterm.Error.Println("Scan failed:", err) - return err - } - pterm.Success.Println("Scan completed successfully.") - return nil - }, - Example: ` - smurf sdkr scan my-image:latest - smurf sdkr scan - # In the second example, it will read IMAGE_NAME from the config file - - smurf sdkr scan my-image:latest --output scan.json - # Saves the scan report to 'scan.json' in SARIF format + Use: "scan [IMAGE_NAME[:TAG]]", + Short: "Scan a Docker image for known vulnerabilities.", + Args: cobra.MaximumNArgs(1), + RunE: func(cmd *cobra.Command, args []string) error { + var imageRef string + if len(args) == 1 { + imageRef = args[0] + } else { + data, err := configs.LoadConfig(configs.FileName) + if err != nil { + return fmt.Errorf("failed to load config: %w", err) + } + if data.Sdkr.ImageName == "" { + return errors.New("image name (with optional tag) must be provided either as an argument or in the config") + } + imageRef = data.Sdkr.ImageName + } + + pterm.Info.Printf("Scanning Docker image %q...\n", imageRef) + err := docker.Trivy(imageRef) + if err != nil { + pterm.Error.Println("Scan failed:", err) + return err + } + + pterm.Success.Println("Scan completed successfully.") + return nil + }, + Example: ` + smurf sdkr scan my-image:latest + smurf sdkr scan + # In the second example, it will read IMAGE_NAME from the config file `, } func init() { - scanCmd.Flags().StringVarP(&configs.SarifFile, "output", "o", "", "Output file for SARIF report") - sdkrCmd.AddCommand(scanCmd) -} + sdkrCmd.AddCommand(scanCmd) +} \ No newline at end of file diff --git a/entrypoint.sh b/entrypoint.sh index 8ce6ffd..942d120 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -50,8 +50,13 @@ if [[ -n "$DOCKER_USERNAME" && -n "$DOCKER_PASSWORD" ]]; then echo "✅ Successfully logged into Docker Hub." fi -# Perform AWS and EKS login -aws_eks_login +# Perform AWS and EKS login only if AWS_AUTH=true +if [[ "$AWS_AUTH" == "true" ]]; then + echo "🔹 AWS authentication is enabled. Performing AWS login..." + aws_eks_login +else + echo "⚠️ AWS authentication is disabled. Skipping AWS login." +fi # Initialize command with base command SMURF_CMD="/usr/local/bin/smurf" diff --git a/internal/docker/scan.go b/internal/docker/scan.go index c158ad0..7d43fc0 100644 --- a/internal/docker/scan.go +++ b/internal/docker/scan.go @@ -4,62 +4,44 @@ import ( "bytes" "context" "fmt" - "os" "os/exec" - "github.com/fatih/color" "github.com/pterm/pterm" ) -// Scout runs 'docker scout cves' to scan a Docker image for vulnerabilities -// and optionally saves the results to a SARIF file. -// It displays the output of the scan and prints a success message upon completion. -func Scout(dockerTag, sarifFile string) error { +// Trivy runs 'trivy image' to scan a Docker image for vulnerabilities +// and displays the results. It's a simplified version that accepts just the image name and tag. +func Trivy(dockerImage string) error { ctx := context.Background() - - args := []string{"scout", "cves", dockerTag} - - if sarifFile != "" { - args = append(args, "--output", sarifFile) - } - - cmd := exec.CommandContext(ctx, "docker", args...) - + args := []string{"image", dockerImage, "--format", "table"} + + cmd := exec.CommandContext(ctx, "trivy", args...) var stdoutBuf, stderrBuf bytes.Buffer cmd.Stdout = &stdoutBuf cmd.Stderr = &stderrBuf - - spinner, _ := pterm.DefaultSpinner.Start("Running 'docker scout cves'") + + spinner, _ := pterm.DefaultSpinner.Start("Running 'trivy image' scan") defer spinner.Stop() - + err := cmd.Run() - spinner.Stop() - + outStr := stdoutBuf.String() errStr := stderrBuf.String() - + if err != nil { - pterm.Error.Println("Error running 'docker scout cves':", err) + pterm.Error.Println("Error running 'trivy image':", err) if errStr != "" { pterm.Error.Println(errStr) } - return fmt.Errorf("failed to run 'docker scout cves': %w", err) + return fmt.Errorf("failed to run 'trivy image': %w", err) } - + if outStr != "" { - pterm.Info.Println("Docker Scout CVEs output:") + pterm.Info.Println("Trivy scan results:") fmt.Println(color.YellowString(outStr)) } - - if sarifFile != "" { - if _, err := os.Stat(sarifFile); err == nil { - pterm.Success.Println("SARIF report saved to:", sarifFile) - } else { - pterm.Warning.Println("Expected SARIF report not found at:", sarifFile) - } - } - + pterm.Success.Println("Scan completed successfully.") return nil -} +} \ No newline at end of file