Index ¶
- Constants
- Variables
- func GetTemplateFile(trivyTemplate string) (string, error)
- func IsImageNotFoundErr(logs string) bool
- func NewLatestPatchRepositoryReleasePredicate(releases []*github.RepositoryRelease) *latestPatchRepositoryReleasePredicate
- func NewSecurityScanRepositoryReleasePredicate(constraint *semver.Constraints, enablePreRelease bool) *securityScanRepositoryReleasePredicate
- type CmdExecutor
- type SecurityScanOpts
- type SecurityScanRepo
- type SecurityScanner
- type TrivyScanner
Constants ¶
const (
	// GithubRepositoryOwner is the GitHub organization name; SecurityScanRepo.Owner is
	// presumably expected to match it — confirm in callers.
	GithubRepositoryOwner = "solo-io"
	// QuayRepository is the registry/namespace prefix of the scanned images (see
	// SecurityScanOpts.ImageRepo).
	QuayRepository = "quay.io/solo-io"
	// OutputScanDirectory is the relative directory scan output is written under.
	OutputScanDirectory = "_output/scans"
)
const MarkdownTrivyTemplate = `` /* 505-byte string literal not displayed */
Trivy template used to render the Markdown reports.
// VulnerabilityFoundStatusCode is the exit status code Trivy returns when it finds a
// vulnerability; a run exiting with it carries findings and is not a scanner failure.
const VulnerabilityFoundStatusCode = 52
Status code returned by Trivy if a vulnerability is found
Variables ¶
// ImageNotFoundError reports that an image expected for a version was missing from the
// registry. It wraps RecoverableErr, so errors.Is(err, RecoverableErr) should match it
// (confirm eris.Wrap exposes Unwrap) and callers can presumably treat a missing image as
// non-fatal to the rest of the run. IsImageNotFoundErr checks a captured log string for
// the same condition. The name predates the ErrXxx convention and is exported, so it is kept.
var ImageNotFoundError = eris.Wrap(RecoverableErr, "❗IMAGE MISSING UNEXPECTEDLY❗")
// RecoverableErr is the sentinel for failures a scan run can continue past; ImageNotFoundError
// wraps it. Compare with errors.Is rather than ==.
var RecoverableErr = errors.New("Recoverable")
// UnrecoverableErr is the sentinel for failures the scan cannot continue past. Which
// conditions produce it is not shown here; compare with errors.Is rather than ==.
var UnrecoverableErr = errors.New("Unrecoverable")
Functions ¶
func GetTemplateFile ¶
Creates a temporary file that contains the Trivy template. The Trivy CLI only accepts a file as template input, so this is a workaround.
func IsImageNotFoundErr ¶
func NewLatestPatchRepositoryReleasePredicate ¶ added in v0.21.27
func NewLatestPatchRepositoryReleasePredicate(releases []*github.RepositoryRelease) *latestPatchRepositoryReleasePredicate
func NewSecurityScanRepositoryReleasePredicate ¶ added in v0.21.27
func NewSecurityScanRepositoryReleasePredicate( constraint *semver.Constraints, enablePreRelease bool, ) *securityScanRepositoryReleasePredicate
Types ¶
type SecurityScanOpts ¶
// SecurityScanOpts configures a SecurityScanRepo: which release versions and images are
// scanned, where the Markdown results are written, and whether GitHub issues are created.
type SecurityScanOpts struct {
	// OutputDir is the root directory for results. The following directory structure
	// will be created in your output dir.
	/*
		OUTPUT_DIR/
		├─ markdown_results/
		│  ├─ repo1/
		│  │  ├─ 1.4.12/
		│  │  ├─ 1.5.0/
		│  ├─ repo2/
		│  │  ├─ 1.4.13/
		│  │  ├─ 1.5.1/
		├─ issue_results/
		│  ├─ repo1/
		│  │  ├─ 1.4.12.md
		│  │  ├─ 1.5.0.md
		│  ├─ repo2/
		│  │  ├─ 1.4.13.md
		│  │  ├─ 1.5.1.md
	*/
	OutputDir string
	// OutputResultLocally outputs the would-be GitHub issue Markdown to local files
	// (the issue_results/ tree above).
	OutputResultLocally bool
	// ImagesPerVersion maps a semver constraint string to the image names scanned for
	// versions matching it. If 1.6 had images "gloo", "discovery" and 1.7 introduced a
	// new image "rate-limit", the map would look like:
	/*
		' >= 1.6': ["gloo", "discovery"]
		' >= 1.7': ["gloo", "discovery", "rate-limit"]
	*/
	// where the patch number is explicitly not set so that these versions can match all
	// 1.6.x-x releases.
	ImagesPerVersion map[string][]string
	// VersionConstraint restricts which releases are security scanned: any release that
	// does not satisfy it is skipped. If left nil, all versions are scanned.
	VersionConstraint *semver.Constraints
	// ImageRepo is required: the image registry/namespace the images are pulled from
	// (for example quay.io, gcr.io, ghcr.io); see QuayRepository.
	ImageRepo string
	// CreateGithubIssuePerVersion creates a GitHub issue for a version if image
	// vulnerabilities are found.
	CreateGithubIssuePerVersion bool
	// CreateGithubIssueForLatestPatchVersion only creates a GitHub issue if:
	//  1. Image vulnerabilities are found
	//  2. The version is the latest patch version (Major.Minor.Patch)
	// If set to true, it overrides the behavior of CreateGithubIssuePerVersion.
	CreateGithubIssueForLatestPatchVersion bool
	// AdditionalContext is added to the top of the generated vulnerability report.
	// Example: this could be used to provide debug instructions to developers.
	// NOTE(review): presumably inserted into the report Markdown as-is, so it should come
	// from trusted configuration rather than untrusted input — confirm in the renderer.
	AdditionalContext string
	// EnablePreRelease enables scanning of pre-release versions.
	EnablePreRelease bool
}
type SecurityScanRepo ¶
// SecurityScanRepo scans the GitHub releases of a single repository (Owner/Repo)
// according to Opts; see GetImagesToScan and RunMarkdownScan.
type SecurityScanRepo struct {
	// Repo is the GitHub repository name.
	Repo string
	// Owner is the GitHub owner (organization or user) of Repo; see GithubRepositoryOwner.
	Owner string
	// Opts controls which versions and images are scanned and where results go.
	Opts *SecurityScanOpts
	// contains filtered or unexported fields
}
func (*SecurityScanRepo) GetImagesToScan ¶
func (r *SecurityScanRepo) GetImagesToScan(versionToScan *semver.Version) ([]string, error)
func (*SecurityScanRepo) RunMarkdownScan ¶
func (r *SecurityScanRepo) RunMarkdownScan(ctx context.Context, release *github.RepositoryRelease, markdownTplFile string) error
type SecurityScanner ¶
// SecurityScanner drives security scans across a set of repositories; see
// GenerateSecurityScans.
type SecurityScanner struct {
	// Repos are the repositories to scan.
	Repos []*SecurityScanRepo
	// contains filtered or unexported fields
}
func (*SecurityScanner) GenerateSecurityScans ¶
func (s *SecurityScanner) GenerateSecurityScans(ctx context.Context) error
GenerateSecurityScans generates .md files for each repo in Repos and writes them to the configured OutputDir.
type TrivyScanner ¶ added in v0.22.0
// TrivyScanner runs the Trivy CLI through the CmdExecutor supplied to NewTrivyScanner;
// construct it with NewTrivyScanner rather than as a zero value.
type TrivyScanner struct {
	// contains filtered or unexported fields
}
func NewTrivyScanner ¶ added in v0.22.0
func NewTrivyScanner(executeCommand CmdExecutor) *TrivyScanner