* [lacework] Use 'installer mirror list' * [lacework] Continue in case of a failed image scan * [lacework] strip docker-io/library allows pulling images from Docker Hub
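#!/bin/bash
#
# Scan every container image that ships with a Gitpod release and push the
# results to Lacework (visible there in the "Vulnerabilities" tab, searchable
# by the Gitpod version).
#
# Required env vars:
#   VERSION           - Gitpod release version. Selects the installer image
#                       eu.gcr.io/gitpod-core-dev/build/installer:${VERSION}
#                       and is used as the Lacework build id / "version" tag.
#   LW_ACCESS_TOKEN   - Lacework scanner access token.
# Optional env vars:
#   LW_SCANNER_SHA256 - expected SHA-256 of the downloaded lw-scanner binary.
#                       When set, the download is verified against it; when
#                       unset a warning is printed and the check is skipped.
#   OCI_TOOL_SHA256   - same, for the downloaded oci-tool tarball.
#
# Exit status: 0 when every image was scanned (and, on first use, the tools
# were fetched), 1 otherwise.
# NOTE: a scan that *finds* CVEs still counts as success. Only scans that
# fail to run or to upload are counted as failures.

set -euo pipefail

# "${VAR:-}" so that `set -u` does not abort with a bare "unbound variable"
# error before the friendlier message below can be printed.
if [[ -z "${VERSION:-}" ]]; then
    echo "VERSION env var is required" >&2
    exit 1
fi

if [[ -z "${LW_ACCESS_TOKEN:-}" ]]; then
    echo "LW_ACCESS_TOKEN env var is required" >&2
    exit 1
fi

# The image list is parsed with yq (v4, installed as `yq4` on the runner).
# Fail early with a clear message instead of halfway through the run.
if ! command -v yq4 >/dev/null 2>&1; then
    echo "yq4 is required but was not found in PATH" >&2
    exit 1
fi

TMP=$(mktemp -d)
# Remove the work dir (installer binary, image list, scan logs, downloads)
# on every exit path. ":?" guards the rm against an empty value.
trap 'rm -rf -- "${TMP:?}"' EXIT
echo "workdir: $TMP"

# Tools are cached under this fixed home so later runs on the same machine
# skip the download (presumably the runner's workspace user — unverified).
HOME="/home/gitpod"
BIN="$HOME/bin"
mkdir -p "$BIN"

#######################################
# Verify a downloaded artifact against a pinned SHA-256 digest.
# Arguments:
#   $1 - path of the file to check
#   $2 - expected hex digest; empty means "nothing pinned"
# Outputs: warning or mismatch details on stderr
# Returns: 0 on match or when no digest is pinned, 1 on mismatch
#######################################
verify_sha256() {
    local file=$1 expected=$2 actual
    if [[ -z "$expected" ]]; then
        # Downloads below are over HTTPS but otherwise unverified; without a
        # pinned digest a compromised or swapped release would run with the
        # Lacework token. Loud warning rather than hard failure to keep the
        # existing (unpinned) invocation working.
        echo "WARNING: no SHA-256 pinned for $file; skipping integrity check" >&2
        return 0
    fi
    actual=$(sha256sum -- "$file" | cut -d ' ' -f 1)
    if [[ "$actual" != "$expected" ]]; then
        echo "SHA-256 mismatch for $file: expected $expected, got $actual" >&2
        return 1
    fi
    return 0
}

SCANNER="$BIN/lw-scanner"
if [[ ! -f "$SCANNER" ]]; then
    # NOTE: "latest" is not pinned, so the scanner can change between runs.
    # -f makes curl fail on an HTTP error instead of saving the error page as
    # the "binary". The download lands in the temp dir first so a failed or
    # unverified fetch never leaves a half-written executable in $BIN.
    curl -fsSL https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-amd64 -o "$TMP/lw-scanner"
    verify_sha256 "$TMP/lw-scanner" "${LW_SCANNER_SHA256:-}"
    chmod +x "$TMP/lw-scanner"
    mv -- "$TMP/lw-scanner" "$SCANNER"
fi

OCI_TOOL="$BIN/oci-tool"
OCI_TOOL_VERSION="0.2.0"
if [[ ! -f "$OCI_TOOL" ]]; then
    OCI_TOOL_TGZ="$TMP/oci-tool.tar.gz"
    curl -fsSL "https://github.com/csweichel/oci-tool/releases/download/v${OCI_TOOL_VERSION}/oci-tool_${OCI_TOOL_VERSION}_linux_amd64.tar.gz" -o "$OCI_TOOL_TGZ"
    verify_sha256 "$OCI_TOOL_TGZ" "${OCI_TOOL_SHA256:-}"
    tar xzf "$OCI_TOOL_TGZ" -C "$BIN"
    chmod +x "$OCI_TOOL"
fi

echo "=== Gathering list of _all_ images for $VERSION"
INSTALLER="$TMP/installer"
# The installer is pulled by (mutable) tag, not by digest; what gets scanned
# is whatever that tag points to at run time.
"$OCI_TOOL" fetch file -o "$INSTALLER" --platform=linux-amd64 "eu.gcr.io/gitpod-core-dev/build/installer:${VERSION}" app/installer
echo ""
chmod +x "$INSTALLER"

# Extract the list of images. domain/repository are placeholders: only the
# `.original` reference of each mirror entry is used. Empty lines are dropped
# so they do not turn into bogus scan targets.
echo "apiVersion: v1" > "$TMP/config.yaml"
"$INSTALLER" mirror list --domain example.com --repository example.com -c "$TMP/config.yaml" \
    | yq4 '.[] | .original' \
    | sed '/^\s*$/d' > "$TMP/images.txt"

TOTAL_IMAGES=$(wc -l < "$TMP/images.txt")
echo "=== Found $TOTAL_IMAGES images to scan"
# An empty list would otherwise be reported as a clean run with nothing scanned.
if (( TOTAL_IMAGES == 0 )); then
    echo "no images found for $VERSION; refusing to report an empty scan as success" >&2
    exit 1
fi

# Scan all images, and push the result to Lacework.
# Note: Does not fail on CVEs! Only scans that fail to run are counted.
COUNTER=0
FAILED=0
while IFS= read -r IMAGE_REF || [[ -n "$IMAGE_REF" ]]; do
    COUNTER=$((COUNTER + 1))

    # Split "name:tag" on the LAST colon so a registry with a port
    # (host:5000/img:tag) is not mis-split. A reference without a colon
    # yields NAME == TAG == the whole reference. Digest references
    # ("img@sha256:...") are not handled and would be split incorrectly.
    NAME=${IMAGE_REF%:*}
    TAG=${IMAGE_REF##*:}

    # Strip the `docker.io/` and `docker.io/library/` prefix because otherwise
    # lacework cannot pull the image in a GitHub workflow for some reason.
    NAME=${NAME#docker.io/}
    NAME=${NAME#library/}

    echo "= Scanning $NAME : $TAG [$COUNTER / $TOTAL_IMAGES]"
    # NOTE: the token is passed on argv and is therefore visible in process
    # listings on the runner for the duration of each scan. Switch to an
    # environment variable if the scanner supports one — confirm before relying on it.
    SCAN_LOG="$TMP/scan-$COUNTER.log"
    if ! "$SCANNER" image evaluate "$NAME" "$TAG" \
        --account-name gitpod \
        --access-token "$LW_ACCESS_TOKEN" \
        --build-id "$VERSION" \
        --ci-build=true \
        --disable-library-package-scanning=false \
        --save=true \
        --tags version="$VERSION" > "$SCAN_LOG"; then
        # Keep going so every image is attempted; the run fails at the end.
        FAILED=$((FAILED + 1))
        echo "scan of $NAME:$TAG failed; scanner output follows" >&2
        cat -- "$SCAN_LOG" >&2
    fi
    echo ""
done < "$TMP/images.txt"

echo "number of failed image scans: $FAILED of $COUNTER"
if (( FAILED > 0 )); then
    exit 1
fi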