[github] Basic lacework integration (#18178)
* [lacework] Script and GHA workflow for triggering lacework image scans on every main build * EXCLUDE_DOCKER_IO
Showing
2 changed files
with
146 additions
and
0 deletions.
@@ -0,0 +1,85 @@ | ||
name: Lacework Inline Scanner | ||
on: | ||
workflow_run: | ||
workflows: ["Build"] | ||
types: [completed] | ||
branches: | ||
- 'main' | ||
workflow_dispatch: | ||
inputs: | ||
version: | ||
required: true | ||
type: string | ||
description: "What Gitpod version to scan for CVEs" | ||
|
||
jobs: | ||
configuration: | ||
name: Configuration | ||
runs-on: [self-hosted] | ||
outputs: | ||
skip: ${{ steps.configuration.outputs.skip }} | ||
version: ${{ steps.configuration.outputs.version }} | ||
steps: | ||
- name: "Set outputs" | ||
id: configuration | ||
run: | | ||
if [[ '${{ github.event.inputs.name }}' != '' ]]; then | ||
# The workflow was triggered by workflow_dispatch | ||
{ | ||
echo "version=${{ github.event.inputs.version }}" | ||
echo "skip=false" | ||
} >> $GITHUB_OUTPUT | ||
else | ||
# The workflow was triggered by workflow_run | ||
{ | ||
echo "version=main-gha.${{ github.event.workflow_run.run_number }}" | ||
echo "skip=${{ github.event.workflow_run.conclusion == 'failure' }}" | ||
} >> $GITHUB_OUTPUT | ||
fi | ||
scan-images: | ||
# TODO(gpl) Could easily be run on ubuntu:latest if we pushed some bash in lw-scan-images.sh into the installer | ||
runs-on: [self-hosted] | ||
name: Scan all docker images for CVEs | ||
# Only run if the build was successful | ||
if: ${{ needs.configuration.outputs.skip == 'false' }} | ||
steps: | ||
# Most of this is taken over from the Build workflow/preview-env-check-regressions workflow | ||
- uses: actions/checkout@v3 | ||
- name: Configure workspace | ||
run: | | ||
cp -r /__w/gitpod/gitpod /workspace | ||
# Needed by google-github-actions/setup-gcloud | ||
sudo chown -R gitpod:gitpod /__t | ||
# Needed by docker/login-action | ||
sudo chmod goa+rw /var/run/docker.sock | ||
- id: auth | ||
uses: google-github-actions/auth@v1 | ||
with: | ||
token_format: access_token | ||
credentials_json: "${{ secrets.GCP_CREDENTIALS }}" | ||
- name: Set up Cloud SDK | ||
uses: google-github-actions/setup-gcloud@v1 | ||
# TODO(gpl) How to configure proper docker.io access here, so that the inline scanner does not fail? | ||
- uses: docker/login-action@v2 | ||
with: | ||
registry: eu.gcr.io | ||
username: oauth2accesstoken | ||
password: "${{ steps.auth.outputs.access_token }}" | ||
- name: Get Secrets from GCP | ||
id: 'secrets' | ||
uses: 'google-github-actions/get-secretmanager-secrets@v1' | ||
with: | ||
secrets: |- | ||
lacework-access-token:gitpod-core-dev/lacework-access-token | ||
- name: Lacework Inline Scanner | ||
id: lacework-inline-scanner | ||
shell: bash | ||
working-directory: /workspace/gitpod | ||
env: | ||
VERSION: ${{needs.configuration.outputs.version}} | ||
LW_ACCESS_TOKEN: '${{ steps.secrets.outputs.lacework-access-token }}' | ||
# TODO(gpl) See docker.io access above | ||
EXCLUDE_DOCKER_IO: true | ||
run: | | ||
./scripts/lw-scan-images.sh |
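Review bot: The workflow_dispatch branch of the `Set outputs` step is dead code: the condition `if [[ '${{ github.event.inputs.name }}' != '' ]]` tests an input called `name`, but the only declared input is `version`, so a manual run discards the version it was given and always falls into the workflow_run branch (producing `main-gha.` with an empty run number). Branch on the event instead, `if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then`, and hand the input to the script through `env:` (`VERSION_INPUT: ${{ github.event.inputs.version }}`) rather than interpolating it into the `run:` body, because `${{ }}` expansions are substituted into the script text before the shell parses it and anyone allowed to dispatch the workflow can put shell metacharacters in a string input. The `skip` output only fires on `conclusion == 'failure'`, so a cancelled or skipped Build still triggers a scan of an installer tag that was never pushed; `skip=${{ github.event.workflow_run.conclusion != 'success' }}` is what the `Only run if the build was successful` comment describes. No `needs: [configuration]` line is visible on `scan-images` in this rendering; if it is genuinely absent, `needs.configuration.outputs.*` resolves to empty and the job can never run. `sudo chmod goa+rw /var/run/docker.sock` (copied from the Build workflow, per the comment) makes the socket world-writable on a shared self-hosted runner, which is root-equivalent for any local user; group access for the `gitpod` user is enough for `docker/login-action`.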
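--- /dev/null
+++ b/scripts/lw-scan-images.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+set -euo pipefail
+
+if [[ -z "$VERSION" ]]; then
+  echo "VERSION env var is required"
+  exit 1
+fi
+
+if [[ -z "$LW_ACCESS_TOKEN" ]]; then
+  echo "LW_ACCESS_TOKEN env var is required"
+  exit 1
+fi
+
+EXCLUDE_DOCKER_IO="${EXCLUDE_DOCKER_IO:-"false"}"
+
+TMP=$(mktemp -d)
+echo "workdir: $TMP"
+
+HOME="/home/gitpod"
+BIN="$HOME/bin"
+mkdir -p "$BIN"
+
+SCANNER="$BIN/lw-scanner"
+if [ ! -f "$SCANNER" ]; then
+  curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-amd64 -o "$SCANNER"
+  chmod +x "$SCANNER"
+fi
+
+echo "Gathering list of _all_ images for $VERSION"
+# TODO(gpl) If we like this approach we should think about moving this into the installer as "list-images" or similar
+# This would also remove the dependency to our dev image (yq4)
+docker run -v "$TMP":/workdir "eu.gcr.io/gitpod-core-dev/build/installer:${VERSION}" config init -c "/workdir/config.yaml" --log-level=warn
+docker run -v "$TMP":/workdir "eu.gcr.io/gitpod-core-dev/build/installer:${VERSION}" render -c "/workdir/config.yaml" --no-validation > "$TMP/rendered.yaml"
+yq4 --no-doc '(.. | select(key == "image" and tag == "!!str"))' "$TMP/rendered.yaml" > "$TMP/images.txt"
+# shellcheck disable=SC2002
+echo "Found $(cat "$TMP/images.txt" | wc -l) images to scan"
+
+# Scan all images, and push the result to Lacework
+# There, we can see the results in the "Vulnerabilities" tab, by searching for the Gitpod version
+# Note: Does not fail on CVEs!
+while IFS= read -r IMAGE_REF; do
+  # TODO(gpl) Unclear why we can't access the docker.io images the GitHub workflow; it works from a workspace?
+  if [[ "$EXCLUDE_DOCKER_IO" == "true" ]]; then
+    if [[ "$IMAGE_REF" == "docker.io/"* ]]; then
+      echo "Skipping docker.io image: $IMAGE_REF"
+      continue
+    fi
+  fi
+
+  NAME=$(echo "$IMAGE_REF" | cut -d ":" -f 1)
+  TAG=$(echo "$IMAGE_REF" | cut -d ":" -f 2)
+  echo "Scanning $NAME : $TAG"
+  "$SCANNER" image evaluate "$NAME" "$TAG" \
+    --account-name gitpod \
+    --access-token "$LW_ACCESS_TOKEN" \
+    --build-id "$VERSION" \
+    --ci-build=true \
+    --disable-library-package-scanning=false \
+    --save=true \
+    --tags version="$VERSION" > /dev/null
+done < "$TMP/images.txt"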
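Review bot: The scanner binary fetched by `curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-amd64 -o "$SCANNER"` is unpinned, unverified and downloaded without `-f`, then cached in `/home/gitpod/bin` for good because the `if [ ! -f "$SCANNER" ]` guard never refreshes it: whatever `latest` resolved to on the first run (or an HTML error page, which would be `chmod +x`'d and break every later run until someone deletes it) is executed with the Docker socket and the Lacework token. Pin a release and check a recorded digest, e.g. `curl -fsSL ".../releases/download/${LW_SCANNER_VERSION}/lw-scanner-linux-amd64" -o "$SCANNER"` followed by `echo "${LW_SCANNER_SHA256}  $SCANNER" | sha256sum -c -`, so a changed or compromised upstream artifact cannot silently land on the runner. `--access-token "$LW_ACCESS_TOKEN"` also places the token in the process argument list, readable by any user on the self-hosted runner via `ps`; if `lw-scanner` honours the `LW_ACCESS_TOKEN` environment variable the script already requires, drop the flag. Finally, `cut -d ":" -f 2` returns the whole ref as `TAG` when an image has no tag and mis-splits refs with a registry port, so `NAME="${IMAGE_REF%:*}"; TAG="${IMAGE_REF##*:}"` plus an explicit `latest` fallback for untagged refs would scan what the installer actually renders.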