[github] Basic lacework integration (#18178)

* [lacework] Script and GHA workflow for triggering lacework image scans on every main build * EXCLUDE_DOCKER_IO
gitpod-io · Jul 6, 2023 · e13da1f · e13da1f
1 parent 08b228b
commit e13da1f
Show file tree

Hide file tree

Showing 2 changed files with 146 additions and 0 deletions.
diff --git a/.github/workflows/lacework-inline-scanner.yml b/.github/workflows/lacework-inline-scanner.yml
@@ -0,0 +1,85 @@
+name: Lacework Inline Scanner
+on:
+  workflow_run:
+    workflows: ["Build"]
+    types: [completed]
+    branches:
+      - 'main'
+  workflow_dispatch:
+    inputs:
+      version:
+        required: true
+        type: string
+        description: "What Gitpod version to scan for CVEs"
+
+jobs:
+  configuration:
+    name: Configuration
+    runs-on: [self-hosted]
+    outputs:
+      skip: ${{ steps.configuration.outputs.skip }}
+      version: ${{ steps.configuration.outputs.version }}
+    steps:
+      - name: "Set outputs"
+        id: configuration
+        run: |
+            if [[ '${{ github.event.inputs.name }}' != '' ]]; then
+                # The workflow was triggered by workflow_dispatch
+                {
+                    echo "version=${{ github.event.inputs.version }}"
+                    echo "skip=false"
+                } >> $GITHUB_OUTPUT
+            else
+                # The workflow was triggered by workflow_run
+                {
+                    echo "version=main-gha.${{ github.event.workflow_run.run_number }}"
+                    echo "skip=${{ github.event.workflow_run.conclusion == 'failure' }}"
+                } >> $GITHUB_OUTPUT
+            fi
+
+  scan-images:
+    # TODO(gpl) Could easily be run on ubuntu:latest if we pushed some bash in lw-scan-images.sh into the installer
+    runs-on: [self-hosted]
+    name: Scan all docker images for CVEs
+    # Only run if the build was successful
+    if: ${{ needs.configuration.outputs.skip == 'false' }}
+    steps:
+      # Most of this is taken over from the Build workflow/preview-env-check-regressions workflow
+      - uses: actions/checkout@v3
+      - name: Configure workspace
+        run: |
+          cp -r /__w/gitpod/gitpod /workspace
+          # Needed by google-github-actions/setup-gcloud
+          sudo chown -R gitpod:gitpod /__t
+          # Needed by docker/login-action
+          sudo chmod goa+rw /var/run/docker.sock
+      - id: auth
+        uses: google-github-actions/auth@v1
+        with:
+          token_format: access_token
+          credentials_json: "${{ secrets.GCP_CREDENTIALS }}"
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@v1
+      # TODO(gpl) How to configure proper docker.io access here, so that the inline scanner does not fail?
+      - uses: docker/login-action@v2
+        with:
+          registry: eu.gcr.io
+          username: oauth2accesstoken
+          password: "${{ steps.auth.outputs.access_token }}"
+      - name: Get Secrets from GCP
+        id: 'secrets'
+        uses: 'google-github-actions/get-secretmanager-secrets@v1'
+        with:
+          secrets: |-
+            lacework-access-token:gitpod-core-dev/lacework-access-token
+      - name: Lacework Inline Scanner
+        id: lacework-inline-scanner
+        shell: bash
+        working-directory: /workspace/gitpod
+        env:
+          VERSION: ${{needs.configuration.outputs.version}}
+          LW_ACCESS_TOKEN: '${{ steps.secrets.outputs.lacework-access-token }}'
+          # TODO(gpl) See docker.io access above
+          EXCLUDE_DOCKER_IO: true
+        run: |
+          ./scripts/lw-scan-images.sh
diff --git a/scripts/lw-scan-images.sh b/scripts/lw-scan-images.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+set -euo pipefail
+
+if [[ -z "$VERSION" ]]; then
+  echo "VERSION env var is required"
+  exit 1
+fi
+
+if [[ -z "$LW_ACCESS_TOKEN" ]]; then
+  echo "LW_ACCESS_TOKEN env var is required"
+  exit 1
+fi
+
+EXCLUDE_DOCKER_IO="${EXCLUDE_DOCKER_IO:-"false"}"
+
+TMP=$(mktemp -d)
+echo "workdir: $TMP"
+
+HOME="/home/gitpod"
+BIN="$HOME/bin"
+mkdir -p "$BIN"
+
+SCANNER="$BIN/lw-scanner"
+if [ ! -f "$SCANNER" ]; then
+  curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-amd64 -o "$SCANNER"
+  chmod +x "$SCANNER"
+fi
+
+echo "Gathering list of _all_ images for $VERSION"
+# TODO(gpl) If we like this approach we should think about moving this into the installer as "list-images" or similar
+#           This would also remove the dependency to our dev image (yq4)
+docker run -v "$TMP":/workdir "eu.gcr.io/gitpod-core-dev/build/installer:${VERSION}" config init -c "/workdir/config.yaml" --log-level=warn
+docker run -v "$TMP":/workdir "eu.gcr.io/gitpod-core-dev/build/installer:${VERSION}" render -c "/workdir/config.yaml" --no-validation > "$TMP/rendered.yaml"
+yq4 --no-doc '(.. | select(key == "image" and tag == "!!str"))' "$TMP/rendered.yaml" > "$TMP/images.txt"
+# shellcheck disable=SC2002
+echo "Found $(cat "$TMP/images.txt" | wc -l) images to scan"
+
+# Scan all images, and push the result to Lacework
+# There, we can see the results in the "Vulnerabilities" tab, by searching for the Gitpod version
+# Note: Does not fail on CVEs!
+while IFS= read -r IMAGE_REF; do
+  # TODO(gpl) Unclear why we can't access the docker.io images the GitHub workflow; it works from a workspace?
+  if [[ "$EXCLUDE_DOCKER_IO" == "true" ]]; then
+    if [[ "$IMAGE_REF" == "docker.io/"* ]]; then
+      echo "Skipping docker.io image: $IMAGE_REF"
+      continue
+    fi
+  fi
+
+  NAME=$(echo "$IMAGE_REF" | cut -d ":" -f 1)
+  TAG=$(echo "$IMAGE_REF" | cut -d ":" -f 2)
+  echo "Scanning $NAME : $TAG"
+  "$SCANNER" image evaluate "$NAME" "$TAG" \
+    --account-name gitpod \
+    --access-token "$LW_ACCESS_TOKEN" \
+    --build-id "$VERSION" \
+    --ci-build=true \
+    --disable-library-package-scanning=false \
+    --save=true \
+    --tags version="$VERSION" > /dev/null
+done < "$TMP/images.txt"