Skip to content

Add ECR reporting to gitlab #8781

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
stephencshelton merged 10 commits into from
Jul 20, 2023
Merged

Add ECR reporting to gitlab #8781

Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
98d7438
Trying out the ECR scanning again
stephencshelton Jul 6, 2023
4d78517
Updating pipeline
stephencshelton Jul 14, 2023
6737dd0
More changes
stephencshelton Jul 14, 2023
5304816
changelog: Improvements, Scanning, Add ECR scans
stephencshelton Jul 14, 2023
bb480f4
Testing if it needs an earlier stage
stephencshelton Jul 18, 2023
076200a
Seeing if it's something in the file
stephencshelton Jul 18, 2023
54b0654
More testing
stephencshelton Jul 18, 2023
269defc
Checking if it's the rules
stephencshelton Jul 18, 2023
a46ee67
Updating rules for scanning step
stephencshelton Jul 18, 2023
a7da4c5
More testing
stephencshelton Jul 18, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
114 changes: 114 additions & 0 deletions .gitlab-ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,7 @@ stages:
- test
- after_test
- review
- scan

workflow:
rules:
Expand Down Expand Up @@ -95,6 +96,7 @@ build-idp-image:
needs: []
interruptible: true
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
- if: $CI_PIPELINE_SOURCE != "merge_request_event"
when: never
Expand Down Expand Up @@ -397,3 +399,115 @@ stop-review-app:
include:
- template: Jobs/SAST.gitlab-ci.yml
- template: Jobs/Dependency-Scanning.gitlab-ci.yml

# Export the automated ECR scan results into a format Gitlab can use
# Report schema https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/container-scanning-report-format.json
ecr-scan:
stage: scan
interruptible: true
allow_failure: true
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
- if: $CI_PIPELINE_SOURCE != "merge_request_event"
when: never
tags:
- build-pool
needs:
- job: build-idp-image
image:
name: amazon/aws-cli
entrypoint: [""]
before_script:
- curl -LO https://github.com/jqlang/jq/releases/download/jq-1.6/jq-linux64
- chmod +x jq-linux64
- mv jq-linux64 /usr/local/bin/jq
script:
- >
while true; do
SCAN_STATUS=$(aws ecr describe-image-scan-findings --repository-name identity-idp/review --image-id imageTag=$CI_COMMIT_SHA --query 'imageScanStatus.status' --output text || true)
if [ "$SCAN_STATUS" == "ACTIVE" ]; then
break
elif [ "$SCAN_STATUS" == "FAILED" ]; then
echo "ECR scan failed"
exit 1
else
echo "Waiting for ECR scan to complete"
sleep 15
fi
done
- SCAN_FINDINGS=$(aws ecr describe-image-scan-findings --repository-name identity-idp/review --image-id imageTag=$CI_COMMIT_SHA)
- echo $SCAN_FINDINGS
- >
echo $SCAN_FINDINGS |
jq -r '
{
"version": "15.0.4",
"scan": {
"start_time": (.imageScanFindings.imageScanCompletedAt | sub("\\.[0-9]+"; "") | strptime("%Y-%m-%dT%H:%M:%S%z") | strftime("%Y-%m-%dT%H:%M:%S")),
"end_time": (.imageScanFindings.imageScanCompletedAt | sub("\\.[0-9]+"; "") | strptime("%Y-%m-%dT%H:%M:%S%z") | strftime("%Y-%m-%dT%H:%M:%S")),
"scanner": {
"id": "clair",
"name": "Amazon ECR Image Scan",
"version": "1.0.0",
"vendor": {
"name": "Amazon Web Services"
}
},
"analyzer": {
"id": "clair",
"name": "Amazon ECR Image Scan",
"version": "1.0.0",
"vendor": {
"name": "Amazon Web Services"
}
},
"status": "success",
"type": "container_scanning"
},
"vulnerabilities": [
.imageScanFindings.enhancedFindings[] |
{
"id": .packageVulnerabilityDetails.vulnerabilityId,
"name": .title,
"description": .description,
"severity": (if .severity == "HIGH" then "High"
elif .severity == "MEDIUM" then "Medium"
elif .severity == "LOW" then "Low"
elif .severity == "CRITICAL" then "Critical"
elif .severity == "INFORMATIONAL" then "Info"
elif .severity == "UNTRIAGED" then "Info"
else "Unknown" end),
"solution": .remediation.recommendation.text,
"identifiers": [
{
"type": "cve",
"name": .packageVulnerabilityDetails.vulnerabilityId,
"url": .packageVulnerabilityDetails.sourceUrl,
"value": .packageVulnerabilityDetails.vulnerabilityId
}
],
"links": [
{
"name": .packageVulnerabilityDetails.vulnerabilityId,
"url": .packageVulnerabilityDetails.sourceUrl
}
],
"location": {
"dependency": {
"package": {
"name": .packageVulnerabilityDetails.vulnerablePackages[0].name
},
"version": .packageVulnerabilityDetails.vulnerablePackages[0].version
},
"operating_system": .resources[0].details.awsEcrContainerImage.platform,
"image": .resources[0].id
}
}
]
}' > gl-container-scanning-report.json
artifacts:
paths:
- gl-container-scanning-report.json
reports:
container_scanning: gl-container-scanning-report.json