Merge pull request #5 from tks98/build

Build and Testing

.github/workflows/docker-image.yml

@@ -2,7 +2,10 @@ name: ci
 on:
   push:
     branches:
-      - 'main'
+      - main
+  pull_request:
+    branches:
+      - main
 jobs:
   docker:
     runs-on: ubuntu-latest

pkg/scanner/trivy.go

@@ -38,7 +38,7 @@ func (s *Scanner) ScanImages(pod *v1.Pod) ([]*types.Report, error) {
 
 	var reports []*types.Report
 	for _, container := range pod.Spec.Containers {
-		report, err := s.sendScanRequest(container.Image)
+		report, err := s.SendScanRequest(container.Image)
 		if err != nil {
 			return nil, err
 		}
@@ -62,8 +62,8 @@ func (s *Scanner) ScanImages(pod *v1.Pod) ([]*types.Report, error) {
 
 }
 
-// sendScanRequest sends the image to trivy for scanning and returns the result
-func (s *Scanner) sendScanRequest(image string) (*types.Report, error) {
+// SendScanRequest sends the image to trivy for scanning and returns the result
+func (s *Scanner) SendScanRequest(image string) (*types.Report, error) {
 
 	command := "trivy"
 	args := []string{"client", "-f", "json", "--remote", s.RemoteURL, image}

pkg/webhook/webhook.go

@@ -70,11 +70,11 @@ func (is *ImageScanner) Validate(_ context.Context, _ *kwhmodel.AdmissionReview,
 	is.Logger.Infof("%s images have been scanned", pod.Name)
 
 	// check if scan report for pod images meets validation criteria defined by user
-	return is.getValidatorResult(results), nil
+	return is.GetValidatorResult(results), nil
 }
 
-// getValidatorResult checks if the trivy scan results for all pod container images violated any of the rules defined by the user in RejectionCriteria
-func (is *ImageScanner) getValidatorResult(results []*types.Report) *kwhvalidating.ValidatorResult {
+// GetValidatorResult checks if the trivy scan results for all pod container images violated any of the rules defined by the user in RejectionCriteria
+func (is *ImageScanner) GetValidatorResult(results []*types.Report) *kwhvalidating.ValidatorResult {
 
 	var rulesViolated []string
 

pkg/webhook/webhook_test.go

@@ -0,0 +1,76 @@
+package webhook
+
+import (
+	"github.com/aquasecurity/trivy/pkg/types"
+	"github.com/tks98/kube-sentry/pkg/exec"
+	"github.com/tks98/kube-sentry/pkg/logging"
+	"github.com/tks98/kube-sentry/pkg/scanner"
+	v1 "k8s.io/api/core/v1"
+	"testing"
+)
+
+// TestValidationResult tests that the scanning and validation logic works as expected with a known image and set rejection parameters
+func TestValidationResult(t *testing.T) {
+
+	// start trivy server
+	go func() {
+		command := "trivy"
+		args := []string{"server", "--listen", "0.0.0.0:8080"}
+		_, err := exec.RunCommand(command, args...)
+		if err != nil {
+			t.Errorf(err.Error())
+		}
+	}()
+
+	t.Log("trivy server started")
+
+	// set image validation rejection criteria
+	forbiddenCVEs := "CVE-2020-36309, CVE-2013-0337"
+	numCriticalCVEs := "10"
+	numAllowedCVEs := "30"
+
+	rejectionCriteria, err := InitRejectionCriteria(forbiddenCVEs, numCriticalCVEs, numAllowedCVEs)
+	if err != nil {
+		t.Error(err)
+	}
+
+	// create logger
+	logger, err := logging.NewLogger("debug")
+	if err != nil {
+		t.Error(err)
+	}
+
+	// create scanner
+	scanner, err := scanner.NewScanner("0.0.0.0:8080", false, logger, "http")
+	if err != nil {
+		t.Error(err)
+	}
+
+	// create image scanner type
+	var is ImageScanner
+	is.RejectionCriteria = *rejectionCriteria
+	is.Scanner = *scanner
+	is.Logger = logger
+
+	// create mock container
+	container := v1.Container{
+		Name:  "nginx",
+		Image: "nginx:1.14.2",
+	}
+
+	// send scan request
+	var results []*types.Report
+	result, err := is.Scanner.SendScanRequest(container.Image)
+	if err != nil {
+		t.Error(err)
+	}
+
+	t.Logf("image %s scanned", container.Image)
+
+	// determine if scan results are expected
+	results = append(results, result)
+	validationResult := is.GetValidatorResult(results)
+	if validationResult.Valid != false {
+		t.Errorf("validation result: got %v, wanted %v", validationResult.Valid, false)
+	}
+}