README
¶
Trivy Security Scanning
Trivy is a security scanning tool which we use to scan our images for vulnerabilities. You can run a trivy scan identical to CI on your own command line by installing trivy and running
trivy image --severity HIGH,CRITICAL quay.io/solo-io/<IMAGE>:<VERSION>
Using securityscanutils
The following code snippet shows how to import and use the SecurityScanner to scan a repositories' releases. Multiple
repositories can be specified for scanning.
The GITHUB_TOKEN environment variable must be set for security scanning to work.
package main
import (
"context"
"log"
"github.com/Masterminds/semver/v3"
. "github.com/solo-io/go-utils/securityscanutils"
)
func main() {
// This is a constraint on which releases from the repository are scanned.
// Any releases that don't pass this constraint will not be scanned. Passed into the `VersionConstraint` option.
constraint, _ := semver.NewConstraint(">= v1.7.0")
scanner := SecurityScanner{
Repos: []*SecurityScanRepo{
{
Repo: "gloo",
Owner: "solo-io",
Opts: &SecurityScanOpts{
OutputDir: "_output/scans",
// Different release versions may have different images to scan.
// In this example, we introduced the "discovery" image in 1.7.0, and
// specify the constraint as such.
// Each version should only match only ONE constraint, else an error will be thrown.
// Read https://github.com/Masterminds/semver#checking-version-constraints for more about how to use
// semver constraints
ImagesPerVersion: map[string][]string{
"1.7.x": {"gloo", "gloo-envoy-wrapper"},
">=v1.7.0 <= v1.8.0": {"gloo", "gloo-envoy-wrapper", "discovery"},
},
// If VersionConstraint is not specified, all releases from the repo will be scanned, including
// pre-releases, which is not recommended.
VersionConstraint: constraint,
ImageRepo: "quay.io/solo-io",
// Setting this to true will upload any generated sarif files to the github repository
// endpoint, e.g. https://github.com/solo-io/gloo/security/code-scanning
// read more here: https://docs.github.com/en/rest/reference/code-scanning
UploadCodeScanToGithub: true,
// Opens/Updates Github Issue for each version that has images that have vulnerabilities
CreateGithubIssuePerVersion: true,
},
},
},
}
err := scanner.GenerateSecurityScans(context.Background())
if err != nil {
log.Fatalf(err.Error())
}
}
Documentation
¶
Index ¶
- Constants
- Variables
- func GetTemplateFile(trivyTemplate string) (string, error)
- func IsImageNotFoundErr(logs string) bool
- func RunTrivyScan(image, version, templateFile, output string) (bool, bool, error)
- type SarifMetadata
- type SecurityScanOpts
- type SecurityScanRepo
- func (r *SecurityScanRepo) CreateUpdateVulnerabilityIssue(ctx context.Context, client *github.Client, ...) error
- func (r *SecurityScanRepo) GetImagesToScan(versionToScan *semver.Version) ([]string, error)
- func (r *SecurityScanRepo) RunGithubSarifScan(versionToScan *semver.Version, sarifTplFile string) error
- func (r *SecurityScanRepo) RunMarkdownScan(ctx context.Context, client *github.Client, versionToScan *semver.Version, ...) error
- func (r *SecurityScanRepo) UploadSecurityScanToGithub(fileName, versionTag string) error
- type SecurityScanRepositoryReleasePredicate
- type SecurityScanner
Constants ¶
const MarkdownTrivyTemplate = `` /* 505-byte string literal not displayed */
Template for markdown docs
const SarifTrivyTemplate = `` /* 3578-byte string literal not displayed */
Template for Sarif files to be uploaded to Github, which displays results on the 'Security' tab. Taken from https://github.com/aquasecurity/trivy/blob/main/contrib/sarif.tpl
const VulnerabilityFoundStatusCode = 52
Status code returned by Trivy if a vulnerability is found
Variables ¶
var TrivyLabels = []string{"trivy", "vulnerability"}
Labels that are applied to github issues that security scan generates
Functions ¶
func GetTemplateFile ¶
Create tempoarary file that contains the trivy template Trivy CLI only accepts files as input for a template, so this is a workaround
func IsImageNotFoundErr ¶
Types ¶
type SarifMetadata ¶
type SecurityScanOpts ¶
type SecurityScanOpts struct {
// The following directory structure will be created in your output dir.
/*
OUTPUT_DIR/
├─ markdown_results/
│ ├─ repo1/
│ │ ├─ 1.4.12/
│ │ ├─ 1.5.0/
│ ├─ repo2/
│ │ ├─ 1.4.13/
│ │ ├─ 1.5.1/
├─ sarif_results/
│ ├─ repo1/
│ │ ├─ 1.4.12/
│ │ ├─ 1.5.0/
│ ├─ repo2/
│ │ ├─ 1.4.13/
│ │ ├─ 1.5.1/
*/
OutputDir string
// A mapping of version constraints to images scanned.
// If 1.6 had images "gloo", "discovery" and 1.7 introduced a new image "rate-limit",
// the map would look like:
/*
' >= 1.6': ["gloo", "discovery"]
' >= 1.7': ["gloo", "discovery", "rate-limit"]
*/
// where the patch number is explicitly not set so that these versions can match all
// 1.6.x-x releases
ImagesPerVersion map[string][]string
// VersionConstraint on releases to security scan
// any releases that do not pass this constraint will not be security scanned.
// If left empty, all versions will be scanned
VersionConstraint *semver.Constraints
// Required: image repo (quay.io, grc.io, gchr.io)
ImageRepo string
// Uploads Sarif file to github security code-scanning results
// e.g. https://github.com/solo-io/gloo/security/code-scanning
UploadCodeScanToGithub bool
// Creates github issue if image vulnerabilities are found
CreateGithubIssuePerVersion bool
}
type SecurityScanRepo ¶
type SecurityScanRepo struct {
Repo string
Owner string
Opts *SecurityScanOpts
// contains filtered or unexported fields
}
func (*SecurityScanRepo) CreateUpdateVulnerabilityIssue ¶ added in v0.21.11
func (r *SecurityScanRepo) CreateUpdateVulnerabilityIssue(ctx context.Context, client *github.Client, version, vulnerabilityMarkdown string) error
Creates/Updates a Github Issue per image The github issue will have the markdown table report of the image's vulnerabilities example: https://github.com/solo-io/solo-projects/issues/2458
func (*SecurityScanRepo) GetImagesToScan ¶
func (r *SecurityScanRepo) GetImagesToScan(versionToScan *semver.Version) ([]string, error)
func (*SecurityScanRepo) RunGithubSarifScan ¶
func (r *SecurityScanRepo) RunGithubSarifScan(versionToScan *semver.Version, sarifTplFile string) error
func (*SecurityScanRepo) RunMarkdownScan ¶
func (*SecurityScanRepo) UploadSecurityScanToGithub ¶
func (r *SecurityScanRepo) UploadSecurityScanToGithub(fileName, versionTag string) error
Uploads Github security scan in .sarif file format to Github Security Tab under "Code Scanning"
type SecurityScanRepositoryReleasePredicate ¶ added in v0.21.16
type SecurityScanRepositoryReleasePredicate struct {
// contains filtered or unexported fields
}
The SecurityScanRepositoryReleasePredicate is responsible for defining which github.RepositoryRelease artifacts should be included in the bulk security scan At the moment, the two requirements are that: 1. The release is not a pre-release or draft 2. The release matches the configured version constraint
func (*SecurityScanRepositoryReleasePredicate) Apply ¶ added in v0.21.16
func (s *SecurityScanRepositoryReleasePredicate) Apply(release *github.RepositoryRelease) bool
type SecurityScanner ¶
type SecurityScanner struct {
Repos []*SecurityScanRepo
// contains filtered or unexported fields
}
func (*SecurityScanner) GenerateSecurityScans ¶
func (s *SecurityScanner) GenerateSecurityScans(ctx context.Context) error
Main method to call on SecurityScanner which generates .md and .sarif files in OutputDir as defined above per repo. If UploadCodeScanToGithub is true, sarif files will be uploaded to the repository's code-scanning endpoint.
Source Files