diff --git a/.circleci/config.yml b/.circleci/config.yml index 564cb0c..fb30dd4 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -9,7 +9,8 @@ version: 2.1 orbs: - clair_scanner: ovotech/clair-scanner@1 + snyk: snyk/snyk@0.0.8 + clair-scanner: ovotech/clair-scanner@1.5.0 jobs: build: @@ -148,24 +149,35 @@ jobs: when: always - store_test_results: path: test-results - test-scan_images: + test-scan-synk: + docker: + - image: 'circleci/buildpack-deps:stable' environment: IMAGE_NAME: rfaircloth/scs - executor: clair_scanner/default steps: - - clair_scanner/scan: - image: $IMAGE_NAME:$CIRCLE_SHA1 - whitelist: clair-whitelist.yml - - run: - command: | - mkdir -p /root/project/test-results - pip install -r requirements.txt - python clair_to_junit_parser.py "/clair-reports/$IMAGE_NAME:$CIRCLE_SHA1.json" --output test-results/results.xml - when: on_fail - - store_test_results: - path: test-results/results.xml - - store_artifacts: - path: /clair-reports + - checkout + - setup_remote_docker: + docker_layer_caching: true + - run: docker pull $IMAGE_NAME:$CIRCLE_SHA1 + - snyk/scan: + docker-image-name: $IMAGE_NAME:$CIRCLE_SHA1 + + test-scan-clair: + docker: + - image: 'docker:stable' + environment: + IMAGE_NAME: rfaircloth/scs + steps: + - checkout + - setup_remote_docker: + docker_layer_caching: true + - run: + name: "Vulnerability scan" + command: | + + - store_artifacts: + path: clair-reports + publish-common: machine: @@ -326,9 +338,13 @@ workflows: - test-unit: requires: - build - - test-scan_images: + - test-scan-synk: requires: - build +#Clair scanner image is broken using synk for now +# - test-scan-clair: +# requires: +# - build - publish-common: requires: - dgoss diff --git a/clair-scan.sh b/clair-scan.sh new file mode 100755 index 0000000..e890ce3 --- /dev/null +++ b/clair-scan.sh @@ -0,0 +1,68 @@ +#!/usr/bin/env bash + + set -e + + REPORT_DIR=clair-reports + mkdir $REPORT_DIR || true + + #DB=$(docker run -p 5432:5432 -d arminc/clair-db:latest) + docker run -p 5432:5432 -d --rm --name db arminc/clair-db:latest + #CLAIR=$(docker run -p 6060:6060 --link "$DB":postgres -d arminc/clair-local-scan:latest)' + sleep 30 + docker run -p 6060:6060 --link db:postgres -d --rm --name clair arminc/clair-local-scan:latest + #CLAIR_SCANNER=$(docker run -v /var/run/docker.sock:/var/run/docker.sock --link clair:clair --name clairscanner --rm -d ovotech/clair-scanner@sha256:53fe8e8ac63af330d2dfc63498d23d8825d07f916f7d230271176de06d12acd6 tail -f /dev/null) + + CLAIR_SCANNER=$(docker run --link clair:clair --name clairscanner --rm -d ovotech/clair-scanner@sha256:53fe8e8ac63af330d2dfc63498d23d8825d07f916f7d230271176de06d12acd6 tail -f /dev/null) + + #clair_ip=$(docker exec -it "$CLAIR" hostname -i | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+') + #scanner_ip=$(docker exec -it "$CLAIR_SCANNER" hostname -i | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+') + + docker cp "clair-whitelist.yml" "$CLAIR_SCANNER:/whitelist.yml" + WHITELIST="-w /whitelist.yml" + + function scan() { + echo Scanning $1 + local image=$1 + # replace forward-slashes and colons with underscores + munged_image=$(echo "$image" | sed 's/\//_/g' | sed 's/:/_/g') + sanitised_image_filename="${munged_image}.json" + local ret=0 + #--ip "$scanner_ip" \ + # + local docker_cmd=(docker exec -it "$CLAIR_SCANNER" clair-scanner \ + --clair=http://clair:6060 \ + -t "high" \ + --report "$REPORT_DIR/$sanitised_image_filename" \ + --log "$REPORT_DIR/log.json" --whitelist=${WHITELIST:+"-x"} + --reportAll=true \ + --exit-when-no-features=false \ + "$image") + + docker pull "$image" + + "${docker_cmd[@]}" 2>&1 || ret=$? + if [ $ret -eq 0 ]; then + echo "No unapproved vulnerabilities" + elif [ $ret -eq 1 ]; then + echo "Unapproved vulnerabilities found" + EXIT_STATUS=1 + elif [ $ret -eq 5 ]; then + echo "Image was not scanned, not supported." + EXIT_STATUS=1 + else + echo "Unknown clair-scanner return code $ret." + EXIT_STATUS=1 + fi + + docker cp "$CLAIR_SCANNER:/$sanitised_image_filename" "$REPORT_DIR/$sanitised_image_filename" || true + } + + EXIT_STATUS=0 + + scan "$IMAGE_NAME:$CIRCLE_SHA1" + + docker kill clairscanner + docker kill clair + docker kill db + + exit $EXIT_STATUS \ No newline at end of file