From 2673b71716d8e2fa1453de0624d72fe32395fe87 Mon Sep 17 00:00:00 2001 From: rfaircloth-splunk Date: Mon, 7 Oct 2019 09:45:44 -0400 Subject: [PATCH] Update config.yml --- .circleci/config.yml | 78 ++++++++++++++++++++++++++++++++++++-------- 1 file changed, 64 insertions(+), 14 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 7c24dd0..c79348b 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -158,7 +158,6 @@ jobs: - checkout - setup_remote_docker - run: docker pull $IMAGE_NAME:$CIRCLE_SHA1 - - run: sudo mkdir /clair-reports - snyk/scan: docker-image-name: $IMAGE_NAME:$CIRCLE_SHA1 @@ -168,19 +167,70 @@ jobs: environment: IMAGE_NAME: rfaircloth/scs steps: - - clair-scanner/scan: - image: $IMAGE_NAME:$CIRCLE_SHA1 - whitelist: clair-whitelist.yml -# - run: -# command: | -# mkdir -p /root/project/test-results -# pip install -r requirements.txt -# python clair_to_junit_parser.py "/clair-reports/$IMAGE_NAME:$CIRCLE_SHA1.json" --output test-results/results.xml -# when: on_fail -# - store_test_results: -# path: test-results/results.xml -# - store_artifacts: -# path: /clair-reports + - checkout + - setup_remote_docker: + - run: + name: "Vulnerability scan" + command: | + #!/usr/bin/env bash + + set -e + + REPORT_DIR=clair-reports + mkdir $REPORT_DIR + + DB=$(docker run -p 5432:5432 -d arminc/clair-db:latest) + CLAIR=$(docker run -p 6060:6060 --link "$DB":postgres -d arminc/clair-local-scan:latest) + CLAIR_SCANNER=$(docker run -v /var/run/docker.sock:/var/run/docker.sock -d ovotech/clair-scanner@sha256:53fe8e8ac63af330d2dfc63498d23d8825d07f916f7d230271176de06d12acd6 tail -f /dev/null) + + clair_ip=$(docker exec -it "$CLAIR" hostname -i | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+') + scanner_ip=$(docker exec -it "$CLAIR_SCANNER" hostname -i | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+') + + docker cp "clair-whitelist.yml" "$CLAIR_SCANNER:/whitelist.yml" + WHITELIST="-w /whitelist.yml" + + function scan() { + local image=$1 + # replace forward-slashes and colons with underscores + munged_image=$(echo "$image" | sed 's/\//_/g' | sed 's/:/_/g') + sanitised_image_filename="${munged_image}.json" + local ret=0 + local docker_cmd=(docker exec -it "$CLAIR_SCANNER" clair-scanner \ + --ip "$scanner_ip" \ + --clair=http://"$clair_ip":6060 \ + -t "high" \ + --report "/$sanitised_image_filename" \ + --log "/log.json" ${WHITELIST:+"-x"} + --reportAll=true \ + --exit-when-no-features=false \ + "$image") + + docker pull "$image" + + "${docker_cmd[@]}" 2>&1 || ret=$? + if [ $ret -eq 0 ]; then + echo "No unapproved vulnerabilities" + elif [ $ret -eq 1 ]; then + echo "Unapproved vulnerabilities found" + EXIT_STATUS=1 + elif [ $ret -eq 5 ]; then + echo "Image was not scanned, not supported." + EXIT_STATUS=1 + else + echo "Unknown clair-scanner return code $ret." + EXIT_STATUS=1 + fi + + docker cp "$CLAIR_SCANNER:/$sanitised_image_filename" "$REPORT_DIR/$sanitised_image_filename" || true + } + + EXIT_STATUS=0 + + scan "$IMAGE_NAME:$CIRCLE_SHA1" + + exit $EXIT_STATUS + - store_artifacts: + path: clair-reports publish-common: