README
¶
Trivy Security Scanning
Trivy is a security scanning tool which we use to scan our images for vulnerabilities. You can run a trivy scan identical to CI on your own command line by installing trivy and running
trivy image --severity HIGH,CRITICAL quay.io/solo-io/<IMAGE>:<VERSION>
Using securityscanutils
The following code snippet shows how to import and use the SecurityScanner to scan a repositories' releases. Multiple
repositories can be specified for scanning.
The GITHUB_TOKEN environment variable must be set for security scanning to work.
package main
import (
"context"
"log"
"github.com/Masterminds/semver/v3"
. "github.com/solo-io/go-utils/securityscanutils"
)
func main() {
// This is a constraint on which releases from the repository are scanned.
// Any releases that don't pass this constraint will not be scanned. Passed into the `VersionConstraint` option.
constraint, _ := semver.NewConstraint(">= v1.7.0")
scanner := SecurityScanner{
Repos: []*SecurityScanRepo{
{
Repo: "gloo",
Owner: "solo-io",
Opts: &SecurityScanOpts{
OutputDir: "_output/scans",
// Different release versions may have different images to scan.
// In this example, we introduced the "discovery" image in 1.7.0, and
// specify the constraint as such.
// Each version should only match only ONE constraint, else an error will be thrown.
// Read https://github.com/Masterminds/semver#checking-version-constraints for more about how to use
// semver constraints
ImagesPerVersion: map[string][]string{
"1.7.x": {"gloo", "gloo-envoy-wrapper"},
">=v1.7.0 <= v1.8.0": {"gloo", "gloo-envoy-wrapper", "discovery"},
},
// If VersionConstraint is not specified, all releases from the repo will be scanned, including
// pre-releases, which is not recommended.
VersionConstraint: constraint,
ImageRepo: "quay.io/solo-io",
// Setting this to true will upload any generated sarif files to the github repository
// endpoint, e.g. https://github.com/solo-io/gloo/security/code-scanning
// read more here: https://docs.github.com/en/rest/reference/code-scanning
UploadCodeScanToGithub: true,
},
},
},
}
err := scanner.GenerateSecurityScans(context.Background())
if err != nil {
log.Fatalf(err.Error())
}
}
Documentation
¶
Index ¶
- Constants
- func GetTemplateFile(trivyTemplate string) (string, error)
- func IsImageNotFoundErr(logs string) bool
- func RunTrivyScan(image, version, templateFile, output string) (bool, error)
- type SarifMetadata
- type SecurityScanOpts
- type SecurityScanRepo
- func (r *SecurityScanRepo) GetImagesToScan(versionToScan *semver.Version) ([]string, error)
- func (r *SecurityScanRepo) RunGithubSarifScan(versionToScan *semver.Version, sarifTplFile string) error
- func (r *SecurityScanRepo) RunMarkdownScan(versionToScan *semver.Version, markdownTplFile string) error
- func (r *SecurityScanRepo) UploadSecurityScanToGithub(fileName, versionTag string) error
- type SecurityScanner
Constants ¶
View Source
const MarkdownTrivyTemplate = `` /* 464-byte string literal not displayed */
Template for markdown docs
View Source
const SarifTrivyTemplate = `` /* 3578-byte string literal not displayed */
Template for Sarif files to be uploaded to Github, which displays results on the 'Security' tab. Taken from https://github.com/aquasecurity/trivy/blob/main/contrib/sarif.tpl
Variables ¶
This section is empty.
Functions ¶
func GetTemplateFile ¶
Create tempoarary file that contains the trivy template Trivy CLI only accepts files as input for a template, so this is a workaround
func IsImageNotFoundErr ¶
func RunTrivyScan ¶
Runs trivy scan command returns if trivy scan ran successfully and error if there was one
Types ¶
type SarifMetadata ¶
type SecurityScanOpts ¶
type SecurityScanOpts struct {
// The following directory structure will be created in your output dir.
/*
OUTPUT_DIR/
├─ markdown_results/
│ ├─ repo1/
│ │ ├─ 1.4.12/
│ │ ├─ 1.5.0/
│ ├─ repo2/
│ │ ├─ 1.4.13/
│ │ ├─ 1.5.1/
├─ sarif_results/
│ ├─ repo1/
│ │ ├─ 1.4.12/
│ │ ├─ 1.5.0/
│ ├─ repo2/
│ │ ├─ 1.4.13/
│ │ ├─ 1.5.1/
*/
OutputDir string
// A mapping of version constraints to images scanned.
// If 1.6 had images "gloo", "discovery" and 1.7 introduced a new image "rate-limit",
// the map would look like:
/*
' >= 1.6': ["gloo", "discovery"]
' >= 1.7': ["gloo", "discovery", "rate-limit"]
*/
// where the patch number is explicitly not set so that these versions can match all
// 1.6.x-x releases
ImagesPerVersion map[string][]string
// VersionConstraint on releases to security scan
// any releases that do not pass this constraint will not be security scanned.
// If left empty, all versions will be scanned
VersionConstraint *semver.Constraints
// Required: image repo (quay.io, grc.io, gchr.io)
ImageRepo string
// Uploads Sarif file to github security code-scanning results
// e.g. https://github.com/solo-io/gloo/security/code-scanning
UploadCodeScanToGithub bool
}
type SecurityScanRepo ¶
type SecurityScanRepo struct {
Repo string
Owner string
Opts *SecurityScanOpts
}
func (*SecurityScanRepo) GetImagesToScan ¶
func (r *SecurityScanRepo) GetImagesToScan(versionToScan *semver.Version) ([]string, error)
func (*SecurityScanRepo) RunGithubSarifScan ¶
func (r *SecurityScanRepo) RunGithubSarifScan(versionToScan *semver.Version, sarifTplFile string) error
func (*SecurityScanRepo) RunMarkdownScan ¶
func (r *SecurityScanRepo) RunMarkdownScan(versionToScan *semver.Version, markdownTplFile string) error
func (*SecurityScanRepo) UploadSecurityScanToGithub ¶
func (r *SecurityScanRepo) UploadSecurityScanToGithub(fileName, versionTag string) error
type SecurityScanner ¶
type SecurityScanner struct {
Repos []*SecurityScanRepo
}
func (*SecurityScanner) GenerateSecurityScans ¶
func (s *SecurityScanner) GenerateSecurityScans(ctx context.Context) error
Main method to call on SecurityScanner which generates .md and .sarif files in OutputDir as defined above per repo. If UploadCodeScanToGithub is true, sarif files will be uploaded to the repository's code-scanning endpoint.
Source Files
Click to show internal directories.
Click to hide internal directories.