Skip to content

Commit

Permalink
Merge branch 'develop' into update/mount_point
Browse files Browse the repository at this point in the history
  • Loading branch information
Ryan Faircloth authored and GitHub committed Oct 7, 2019
2 parents 2d878fb + 6872955 commit 484f5e0
Show file tree
Hide file tree
Showing 2 changed files with 101 additions and 17 deletions.
50 changes: 33 additions & 17 deletions .circleci/config.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,8 @@
version: 2.1

orbs:
clair_scanner: ovotech/clair-scanner@1
snyk: snyk/snyk@0.0.8
clair-scanner: ovotech/clair-scanner@1.5.0

jobs:
build:
Expand Down Expand Up @@ -148,24 +149,35 @@ jobs:
when: always
- store_test_results:
path: test-results
test-scan_images:
test-scan-synk:
docker:
- image: 'circleci/buildpack-deps:stable'
environment:
IMAGE_NAME: rfaircloth/scs
executor: clair_scanner/default
steps:
- clair_scanner/scan:
image: $IMAGE_NAME:$CIRCLE_SHA1
whitelist: clair-whitelist.yml
- run:
command: |
mkdir -p /root/project/test-results
pip install -r requirements.txt
python clair_to_junit_parser.py "/clair-reports/$IMAGE_NAME:$CIRCLE_SHA1.json" --output test-results/results.xml
when: on_fail
- store_test_results:
path: test-results/results.xml
- store_artifacts:
path: /clair-reports
- checkout
- setup_remote_docker:
docker_layer_caching: true
- run: docker pull $IMAGE_NAME:$CIRCLE_SHA1
- snyk/scan:
docker-image-name: $IMAGE_NAME:$CIRCLE_SHA1

test-scan-clair:
docker:
- image: 'docker:stable'
environment:
IMAGE_NAME: rfaircloth/scs
steps:
- checkout
- setup_remote_docker:
docker_layer_caching: true
- run:
name: "Vulnerability scan"
command: |
- store_artifacts:
path: clair-reports


publish-common:
machine:
Expand Down Expand Up @@ -326,9 +338,13 @@ workflows:
- test-unit:
requires:
- build
- test-scan_images:
- test-scan-synk:
requires:
- build
#Clair scanner image is broken using synk for now
# - test-scan-clair:
# requires:
# - build
- publish-common:
requires:
- dgoss
Expand Down
68 changes: 68 additions & 0 deletions clair-scan.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
#!/usr/bin/env bash

set -e

REPORT_DIR=clair-reports
mkdir $REPORT_DIR || true

#DB=$(docker run -p 5432:5432 -d arminc/clair-db:latest)
docker run -p 5432:5432 -d --rm --name db arminc/clair-db:latest
#CLAIR=$(docker run -p 6060:6060 --link "$DB":postgres -d arminc/clair-local-scan:latest)'
sleep 30
docker run -p 6060:6060 --link db:postgres -d --rm --name clair arminc/clair-local-scan:latest
#CLAIR_SCANNER=$(docker run -v /var/run/docker.sock:/var/run/docker.sock --link clair:clair --name clairscanner --rm -d ovotech/clair-scanner@sha256:53fe8e8ac63af330d2dfc63498d23d8825d07f916f7d230271176de06d12acd6 tail -f /dev/null)

CLAIR_SCANNER=$(docker run --link clair:clair --name clairscanner --rm -d ovotech/clair-scanner@sha256:53fe8e8ac63af330d2dfc63498d23d8825d07f916f7d230271176de06d12acd6 tail -f /dev/null)

#clair_ip=$(docker exec -it "$CLAIR" hostname -i | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+')
#scanner_ip=$(docker exec -it "$CLAIR_SCANNER" hostname -i | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+')

docker cp "clair-whitelist.yml" "$CLAIR_SCANNER:/whitelist.yml"
WHITELIST="-w /whitelist.yml"

function scan() {
echo Scanning $1
local image=$1
# replace forward-slashes and colons with underscores
munged_image=$(echo "$image" | sed 's/\//_/g' | sed 's/:/_/g')
sanitised_image_filename="${munged_image}.json"
local ret=0
#--ip "$scanner_ip" \
#
local docker_cmd=(docker exec -it "$CLAIR_SCANNER" clair-scanner \
--clair=http://clair:6060 \
-t "high" \
--report "$REPORT_DIR/$sanitised_image_filename" \
--log "$REPORT_DIR/log.json" --whitelist=${WHITELIST:+"-x"}
--reportAll=true \
--exit-when-no-features=false \
"$image")

docker pull "$image"

"${docker_cmd[@]}" 2>&1 || ret=$?
if [ $ret -eq 0 ]; then
echo "No unapproved vulnerabilities"
elif [ $ret -eq 1 ]; then
echo "Unapproved vulnerabilities found"
EXIT_STATUS=1
elif [ $ret -eq 5 ]; then
echo "Image was not scanned, not supported."
EXIT_STATUS=1
else
echo "Unknown clair-scanner return code $ret."
EXIT_STATUS=1
fi

docker cp "$CLAIR_SCANNER:/$sanitised_image_filename" "$REPORT_DIR/$sanitised_image_filename" || true
}

EXIT_STATUS=0

scan "$IMAGE_NAME:$CIRCLE_SHA1"

docker kill clairscanner
docker kill clair
docker kill db

exit $EXIT_STATUS

0 comments on commit 484f5e0

Please sign in to comment.