From 541d1a7032f1da14ba61b814625c9bebdb207d31 Mon Sep 17 00:00:00 2001 From: jffarge Date: Tue, 19 Oct 2021 17:34:05 +0200 Subject: [PATCH 1/4] init trivy universe Signed-off-by: jffarge --- docs/reference/README.md | 1 + docs/reference/trivy.md | 24 +++++++++++++++++++++ stdlib/.dagger/env/http/state/computed.json | 9 ++++++++ stdlib/trivy/trivy.cue | 24 +++++++++++++++++++++ 4 files changed, 58 insertions(+) create mode 100644 docs/reference/trivy.md create mode 100644 stdlib/.dagger/env/http/state/computed.json create mode 100644 stdlib/trivy/trivy.cue diff --git a/docs/reference/README.md b/docs/reference/README.md index 4a97ba0e..94b6003e 100644 --- a/docs/reference/README.md +++ b/docs/reference/README.md @@ -36,3 +36,4 @@ - [os](./os.md) - OS operations - [random](./random.md) - Random generation utilities - [terraform](./terraform.md) - Terraform operations +- [trivy](./trivy.md) - - diff --git a/docs/reference/trivy.md b/docs/reference/trivy.md new file mode 100644 index 00000000..a4470b24 --- /dev/null +++ b/docs/reference/trivy.md @@ -0,0 +1,24 @@ +--- +sidebar_label: trivy +--- + +# alpha.dagger.io/trivy + +```cue +import "alpha.dagger.io/trivy" +``` + +## trivy.#Config + +Trivy configuration + +### trivy.#Config Inputs + +| Name | Type | Description | +| ------------- |:-------------: |:-------------: | +|*username* | `dagger.#Secret` |- | +|*password* | `dagger.#Secret` |- | + +### trivy.#Config Outputs + +_No output._ diff --git a/stdlib/.dagger/env/http/state/computed.json b/stdlib/.dagger/env/http/state/computed.json new file mode 100644 index 00000000..03ed92ec --- /dev/null +++ b/stdlib/.dagger/env/http/state/computed.json 
@@ -0,0 +1,9 @@ +{ + "TestRequest": { + "req": { + "response": { + "body": "{\n \"current_user_url\": \"https://api.github.com/user\",\n \"current_user_authorizations_html_url\": \"https://github.com/settings/connections/applications{/client_id}\",\n \"authorizations_url\": \"https://api.github.com/authorizations\",\n \"code_search_url\": \"https://api.github.com/search/code?q={query}{\u0026page,per_page,sort,order}\",\n \"commit_search_url\": \"https://api.github.com/search/commits?q={query}{\u0026page,per_page,sort,order}\",\n \"emails_url\": \"https://api.github.com/user/emails\",\n \"emojis_url\": \"https://api.github.com/emojis\",\n \"events_url\": \"https://api.github.com/events\",\n \"feeds_url\": \"https://api.github.com/feeds\",\n \"followers_url\": \"https://api.github.com/user/followers\",\n \"following_url\": \"https://api.github.com/user/following{/target}\",\n \"gists_url\": \"https://api.github.com/gists{/gist_id}\",\n \"hub_url\": \"https://api.github.com/hub\",\n \"issue_search_url\": \"https://api.github.com/search/issues?q={query}{\u0026page,per_page,sort,order}\",\n \"issues_url\": \"https://api.github.com/issues\",\n \"keys_url\": \"https://api.github.com/user/keys\",\n \"label_search_url\": \"https://api.github.com/search/labels?q={query}\u0026repository_id={repository_id}{\u0026page,per_page}\",\n \"notifications_url\": \"https://api.github.com/notifications\",\n \"organization_url\": \"https://api.github.com/orgs/{org}\",\n \"organization_repositories_url\": \"https://api.github.com/orgs/{org}/repos{?type,page,per_page,sort}\",\n \"organization_teams_url\": \"https://api.github.com/orgs/{org}/teams\",\n \"public_gists_url\": \"https://api.github.com/gists/public\",\n \"rate_limit_url\": \"https://api.github.com/rate_limit\",\n \"repository_url\": \"https://api.github.com/repos/{owner}/{repo}\",\n \"repository_search_url\": \"https://api.github.com/search/repositories?q={query}{\u0026page,per_page,sort,order}\",\n 
\"current_user_repositories_url\": \"https://api.github.com/user/repos{?type,page,per_page,sort}\",\n \"starred_url\": \"https://api.github.com/user/starred{/owner}{/repo}\",\n \"starred_gists_url\": \"https://api.github.com/gists/starred\",\n \"topic_search_url\": \"https://api.github.com/search/topics?q={query}{\u0026page,per_page}\",\n \"user_url\": \"https://api.github.com/users/{user}\",\n \"user_organizations_url\": \"https://api.github.com/user/orgs\",\n \"user_repositories_url\": \"https://api.github.com/users/{user}/repos{?type,page,per_page,sort}\",\n \"user_search_url\": \"https://api.github.com/search/users?q={query}{\u0026page,per_page,sort,order}\"\n}\n" + } + } + } +} diff --git a/stdlib/trivy/trivy.cue b/stdlib/trivy/trivy.cue new file mode 100644 index 00000000..abb04e50 --- /dev/null +++ b/stdlib/trivy/trivy.cue @@ -0,0 +1,24 @@ +package trivy + +import ( + "alpha.dagger.io/dagger" +) + +// Set Trivy download source +// - AWS +// - GCP +// - Docker Hub +// - Self Hosted + +// Trivy configuration +#Config: { + // Download source (AWS, GCP, Docker Hub, Self hosted) + source: string + + // Trivy Image arguments + args: [arg=string]: string + + username: dagger.#Input & {*null | dagger.#Secret} + password: dagger.#Input & {*null | dagger.#Secret} + ssl: *true | bool +} From aac70c2f1749d0628af2c7a933165ae59e17a486 Mon Sep 17 00:00:00 2001 From: guillaume Date: Thu, 21 Oct 2021 15:57:52 +0200 Subject: [PATCH 2/4] Implement Trivy Config && Trivy CLI Signed-off-by: guillaume --- stdlib/trivy/trivy.cue | 129 ++++++++++++++++++++++++++++++++++++++--- 1 file changed, 121 insertions(+), 8 deletions(-) diff --git a/stdlib/trivy/trivy.cue b/stdlib/trivy/trivy.cue index abb04e50..19cebf18 100644 --- a/stdlib/trivy/trivy.cue +++ b/stdlib/trivy/trivy.cue @@ -1,7 +1,11 @@ package trivy import ( + "strconv" + + "alpha.dagger.io/aws" "alpha.dagger.io/dagger" + "alpha.dagger.io/os" ) // Set Trivy download source 
@@ -10,15 +14,124 @@ import ( // - Docker Hub // - Self Hosted -// Trivy configuration +// Trivy Configuration #Config: { - // Download source (AWS, GCP, Docker Hub, Self hosted) - source: string + // Docker Hub / Self hosted registry auth + basicAuth: { + // Username + username: dagger.#Input & {string} | *"" - // Trivy Image arguments - args: [arg=string]: string + // Password + password: dagger.#Input & {dagger.#Secret} | *"" - username: dagger.#Input & {*null | dagger.#Secret} - password: dagger.#Input & {*null | dagger.#Secret} - ssl: *true | bool + // No SSL connection + noSSL: *false | bool + } | *null + + // AWS ECR auth + awsAuth: aws.#Config | *null + + // GCR auth (credential.json as string) + gcpAuth: dagger.#Input & {string} | *null } + +// Re-usable CLI component +#CLI: { + config: #Config + + #up: [ + if config.awsAuth == null { + op.#Load & { + from: alpine.#Image & { + package: bash: "=~5.1" + package: curl: true + } + }, + } + if config.awsAuth != null { + op.#Load & { + from: aws.#CLI & { + "config": config + } + }, + } + op.#Exec & { + args: ["sh", "-c", + #""" + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh && + chmod +x /usr/local/bin/trivy + """#, + ] + }, + // config.basicAuth case + if config.basicAuth != null && config.awsAuth == null && config.gcpAuth == null { + op.#Exec & { + args: ["/bin/bash", "-c", + #""" + # Rename + mv /usr/local/bin/trivy /usr/local/bin/trivy-dagger + + # Build root of executable script + echo '#!/bin/bash'$'\n' > /usr/local/bin/trivy + + # Construct env string from env vars + envs=() + [ -n "$TRIVY_USERNAME" ] && envs+=("TRIVY_USERNAME={$TRIVY_USERNAME}") + [ -n "$TRIVY_NON_SSL" ] && envs+=("TRIVY_NON_SSL=$TRIVY_NON_SSL") + + # Append secret to env string + [ -n "$(cat /password)" ] && envs+=("TRIVY_PASSWORD={$(cat /password)}") + + # Append full command + echo "${envs[@]}" '/usr/local/bin/trivy-dagger "$@"' >> /usr/local/bin/trivy + + # Make it executable + chmod +x 
/usr/local/bin/trivy + """#, + ] + env: TRIVY_USERNAME: config.basicAuth.username + env: TRIVY_NON_SSL: strconv.FormatBool(config.basicAuth.noSSL) + mount: "/password": secret: config.basicAuth.password + }, + } + // config.gcpAuth case + if config.basicAuth == null && config.awsAuth == null && config.gcpAuth != null { + op.#WriteFile & { + dest: "/credentials.json" + content: gcpAuth + }, + op.#Exec & { + args: ["/bin/bash", "-c", + #""" + # Rename + mv /usr/local/bin/trivy /usr/local/bin/trivy-dagger + + # Build root of executable script + echo '#!/bin/bash'$'\n' > /usr/local/bin/trivy + + # Append full command + echo "TRIVY_USERNAME=" "GOOGLE_APPLICATION_CREDENTIALS=/credentials.json" '/usr/local/bin/trivy-dagger "$@"' >> /usr/local/bin/trivy + + # Make it executable + chmod +x /usr/local/bin/trivy + """#, + ] + }, + } + ] +} + + +// #Image +// { +// // Image source (AWS, GCP, Docker Hub, Self hosted) +// source: string + +// // Trivy Image arguments +// args: [arg=string]: string + +// ctr: os.#Container & { +// command: #""" +// """# +// } +// } From 701be92dad7bd65f332b8d18d0c9da95d20a3197 Mon Sep 17 00:00:00 2001 From: guillaume Date: Thu, 21 Oct 2021 19:19:06 +0200 Subject: [PATCH 3/4] Implement #Image Signed-off-by: guillaume --- stdlib/.dagger/env/trivy/.gitignore | 2 + stdlib/.dagger/env/trivy/values.yaml | 23 +++++++++++ stdlib/trivy/image.cue | 59 ++++++++++++++++++++++++++++ stdlib/trivy/tests/trivy.cue | 2 + stdlib/trivy/trivy.cue | 48 ++++++++-------------- 5 files changed, 103 insertions(+), 31 deletions(-) create mode 100644 stdlib/.dagger/env/trivy/.gitignore create mode 100644 stdlib/.dagger/env/trivy/values.yaml create mode 100644 stdlib/trivy/image.cue create mode 100644 stdlib/trivy/tests/trivy.cue diff --git a/stdlib/.dagger/env/trivy/.gitignore b/stdlib/.dagger/env/trivy/.gitignore new file mode 100644 index 00000000..01ec19b0 --- /dev/null +++ b/stdlib/.dagger/env/trivy/.gitignore @@ -0,0 +1,2 @@ +# dagger state +state/** 
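Review bot: The basicAuth branch persists the mounted secret into the image: `[ -n "$(cat /password)" ] && envs+=("TRIVY_PASSWORD={$(cat /password)}")` followed by `echo "${envs[@]}" '/usr/local/bin/trivy-dagger "$@"' >> /usr/local/bin/trivy` writes the password in plaintext into the wrapper script, so it lands in the image layer and is readable by any process in the scanning container, which defeats mounting it as a secret. The same pattern survives into PATCH 4's `@@ -77,11 +86,11 @@` hunk of this file. Prefer resolving the secret when the wrapper runs rather than when it is generated, e.g. `echo 'TRIVY_PASSWORD="$(cat /password)" /usr/local/bin/trivy-dagger "$@"' >> /usr/local/bin/trivy`, and mount `/password` on the container that performs the scan; the gcpAuth branch's `op.#WriteFile` of the credential to `/credentials.json` has the same exposure.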
diff --git a/stdlib/.dagger/env/trivy/values.yaml b/stdlib/.dagger/env/trivy/values.yaml new file mode 100644 index 00000000..498f4ce0 --- /dev/null +++ b/stdlib/.dagger/env/trivy/values.yaml @@ -0,0 +1,23 @@ +plan: + package: ./trivy/tests +name: trivy +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1gxwmtwahzwdmrskhf90ppwlnze30lgpm056kuesrxzeuyclrwvpsupwtpk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2QVVmbFlHazZaeDJ6Vk5l + dldPbmttNWhLb1hnVjZMMGRkdk9kR3ErMENZCkJBOGN5NDFZYzRHR0N6d1NIeDMx + QXV0RkJydWltL092YnFNY3FGcUlYTGsKLS0tIGcxV0tYOGRNTE51K0VCNHAwcEtn + bHZuNEZsYnNNaHdBOFBTYmJtNC9JRncKVcqn44INSaA5TGRl/566DMu7scX9UjtV + 3FhUcSfLFJXviw/ll3dUONXOQJTe3p9SgFCHir2qnMmJqErDDvqj/Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2021-10-21T14:00:04Z" + mac: ENC[AES256_GCM,data:YTCRHj9jF0JBXEmC8ljCnEweQKCdMYry2GiPoveFBuwG3aSSTLhoPbrLNA+0FJ/AEaQNwNDv8KbZ6i9phcDCmTh6LVIVryxWy5Th8kFp9CSyYyyIBU64OO57hsXtIDvWW1IXtXqd8mngjv3v57/SIsRxo1amTOlSKbjAoY61Rw8=,iv:xcDXzNYOXbEfowEAzf+wVrb0vJFTr0aTCRS23Nj0OmE=,tag:qQjpB4xs014EaEswwrOWeQ==,type:str] + pgp: [] + encrypted_suffix: secret + version: 3.7.1 diff --git a/stdlib/trivy/image.cue b/stdlib/trivy/image.cue new file mode 100644 index 00000000..6c0cfe00 --- /dev/null +++ b/stdlib/trivy/image.cue 
@@ -0,0 +1,59 @@ +package trivy + +import ( + "encoding/json" + + "alpha.dagger.io/os" +) + +// Scan an Image +#Image: { + // Trivy configuration + config: #Config + + // Image source (AWS, GCP, Docker Hub, Self hosted) + source: string + + // Trivy Image arguments + args: [arg=string]: string + + // Enforce args best practices + args: { + "--exit-code": *"1" | string + "--severity": *"HIGH,CRITICAL" | string + "--format": *"table" | string + "--ignore-unfixed": *"true" | string + } + + ctr: os.#Container & { + image: #CLI & { + "config": config + } + shell: { + path: "/bin/bash" + args: ["--noprofile", "--norc", "-eo", "pipefail", "-c"] + } + command: #""" + trivyArgs="$( + echo "$ARGS" | + jq -c ' + to_entries | + map(.key + " " + (.value | tostring) + " ") | + add + ')" + + trivy image "$trivyArgs" "$SOURCE" + echo "$SOURCE" > /ref + """# + env: ARGS: json.Marshal(args) + env: SOURCE: source + } + + // Export ref to create dependency (wait for the check to finish) + ref: { + os.#File & { + from: ctr + path: "/ref" + } + }.contents @dagger(output) +} diff --git a/stdlib/trivy/tests/trivy.cue b/stdlib/trivy/tests/trivy.cue new file mode 100644 index 00000000..0e51dfcb --- /dev/null +++ b/stdlib/trivy/tests/trivy.cue @@ -0,0 +1,2 @@ +package trivy + diff --git a/stdlib/trivy/trivy.cue b/stdlib/trivy/trivy.cue index 19cebf18..f669ebf2 100644 --- a/stdlib/trivy/trivy.cue +++ b/stdlib/trivy/trivy.cue @@ -3,9 +3,10 @@ package trivy import ( "strconv" + "alpha.dagger.io/alpine" "alpha.dagger.io/aws" "alpha.dagger.io/dagger" - "alpha.dagger.io/os" + "alpha.dagger.io/dagger/op" ) // Set Trivy download source 
@@ -19,20 +20,20 @@ import ( // Docker Hub / Self hosted registry auth basicAuth: { // Username - username: dagger.#Input & {string} | *"" + username: dagger.#Input & {string} // Password - password: dagger.#Input & {dagger.#Secret} | *"" + password: dagger.#Input & {dagger.#Secret} // No SSL connection - noSSL: *false | bool + noSSL: *false | bool } | *null // AWS ECR auth awsAuth: aws.#Config | *null // GCR auth (credential.json as string) - gcpAuth: dagger.#Input & {string} | *null + gcpAuth: dagger.#Input & {dagger.#Secret | *null} } // Re-usable CLI component @@ -46,15 +47,15 @@ import ( package: bash: "=~5.1" package: curl: true } - }, - } + } + }, if config.awsAuth != null { op.#Load & { from: aws.#CLI & { "config": config } - }, - } + } + }, op.#Exec & { args: ["sh", "-c", #""" @@ -90,16 +91,16 @@ import ( """#, ] env: TRIVY_USERNAME: config.basicAuth.username - env: TRIVY_NON_SSL: strconv.FormatBool(config.basicAuth.noSSL) + env: TRIVY_NON_SSL: strconv.FormatBool(config.basicAuth.noSSL) mount: "/password": secret: config.basicAuth.password - }, - } + } + }, // config.gcpAuth case if config.basicAuth == null && config.awsAuth == null && config.gcpAuth != null { op.#WriteFile & { dest: "/credentials.json" - content: gcpAuth - }, + content: config.gcpAuth + } op.#Exec & { args: ["/bin/bash", "-c", #""" @@ -116,22 +117,7 @@ import ( chmod +x /usr/local/bin/trivy """#, ] - }, - } + } + }, ] } - - -// #Image -// { -// // Image source (AWS, GCP, Docker Hub, Self hosted) -// source: string - -// // Trivy Image arguments -// args: [arg=string]: string - -// ctr: os.#Container & { -// command: #""" -// """# -// } -// } From 3fb03cd2d71e69fdbd78e64ae086f2b4a76c91d5 Mon Sep 17 00:00:00 2001 From: guillaume Date: Thu, 28 Oct 2021 01:37:52 +0200 Subject: [PATCH 4/4] Fix packages + Implement working tests 
Signed-off-by: guillaume --- docs/reference/trivy.md | 33 +++++- stdlib/.dagger/env/http/state/computed.json | 9 -- stdlib/.dagger/env/trivy/values.yaml | 13 +- stdlib/trivy/image.cue | 26 ++-- stdlib/trivy/tests/trivy.cue | 125 ++++++++++++++++++++ stdlib/trivy/trivy.cue | 31 +++-- stdlib/universe.bats | 4 + 7 files changed, 201 insertions(+), 40 deletions(-) delete mode 100644 stdlib/.dagger/env/http/state/computed.json diff --git a/docs/reference/trivy.md b/docs/reference/trivy.md index a4470b24..446f2b66 100644 --- a/docs/reference/trivy.md +++ b/docs/reference/trivy.md @@ -8,17 +8,40 @@ sidebar_label: trivy import "alpha.dagger.io/trivy" ``` +## trivy.#CLI + +Re-usable CLI component + +### trivy.#CLI Inputs + +_No input._ + +### trivy.#CLI Outputs + +_No output._ + ## trivy.#Config -Trivy configuration +Trivy Configuration ### trivy.#Config Inputs -| Name | Type | Description | -| ------------- |:-------------: |:-------------: | -|*username* | `dagger.#Secret` |- | -|*password* | `dagger.#Secret` |- | +_No input._ ### trivy.#Config Outputs _No output._ + +## trivy.#Image + +Scan an Image + +### trivy.#Image Inputs + +_No input._ + +### trivy.#Image Outputs + +| Name | Type | Description | +| ------------- |:-------------: |:-------------: | +|*ref* | `string` |Reference analyzed | diff --git a/stdlib/.dagger/env/http/state/computed.json b/stdlib/.dagger/env/http/state/computed.json deleted file mode 100644 index 03ed92ec..00000000 --- a/stdlib/.dagger/env/http/state/computed.json +++ /dev/null 
@@ -1,9 +0,0 @@ -{ - "TestRequest": { - "req": { - "response": { - "body": "{\n \"current_user_url\": \"https://api.github.com/user\",\n \"current_user_authorizations_html_url\": \"https://github.com/settings/connections/applications{/client_id}\",\n \"authorizations_url\": \"https://api.github.com/authorizations\",\n \"code_search_url\": \"https://api.github.com/search/code?q={query}{\u0026page,per_page,sort,order}\",\n \"commit_search_url\": \"https://api.github.com/search/commits?q={query}{\u0026page,per_page,sort,order}\",\n \"emails_url\": \"https://api.github.com/user/emails\",\n \"emojis_url\": \"https://api.github.com/emojis\",\n \"events_url\": \"https://api.github.com/events\",\n \"feeds_url\": \"https://api.github.com/feeds\",\n \"followers_url\": \"https://api.github.com/user/followers\",\n \"following_url\": \"https://api.github.com/user/following{/target}\",\n \"gists_url\": \"https://api.github.com/gists{/gist_id}\",\n \"hub_url\": \"https://api.github.com/hub\",\n \"issue_search_url\": \"https://api.github.com/search/issues?q={query}{\u0026page,per_page,sort,order}\",\n \"issues_url\": \"https://api.github.com/issues\",\n \"keys_url\": \"https://api.github.com/user/keys\",\n \"label_search_url\": \"https://api.github.com/search/labels?q={query}\u0026repository_id={repository_id}{\u0026page,per_page}\",\n \"notifications_url\": \"https://api.github.com/notifications\",\n \"organization_url\": \"https://api.github.com/orgs/{org}\",\n \"organization_repositories_url\": \"https://api.github.com/orgs/{org}/repos{?type,page,per_page,sort}\",\n \"organization_teams_url\": \"https://api.github.com/orgs/{org}/teams\",\n \"public_gists_url\": \"https://api.github.com/gists/public\",\n \"rate_limit_url\": \"https://api.github.com/rate_limit\",\n \"repository_url\": \"https://api.github.com/repos/{owner}/{repo}\",\n \"repository_search_url\": \"https://api.github.com/search/repositories?q={query}{\u0026page,per_page,sort,order}\",\n 
\"current_user_repositories_url\": \"https://api.github.com/user/repos{?type,page,per_page,sort}\",\n \"starred_url\": \"https://api.github.com/user/starred{/owner}{/repo}\",\n \"starred_gists_url\": \"https://api.github.com/gists/starred\",\n \"topic_search_url\": \"https://api.github.com/search/topics?q={query}{\u0026page,per_page}\",\n \"user_url\": \"https://api.github.com/users/{user}\",\n \"user_organizations_url\": \"https://api.github.com/user/orgs\",\n \"user_repositories_url\": \"https://api.github.com/users/{user}/repos{?type,page,per_page,sort}\",\n \"user_search_url\": \"https://api.github.com/search/users?q={query}{\u0026page,per_page,sort,order}\"\n}\n" - } - } - } -} diff --git a/stdlib/.dagger/env/trivy/values.yaml b/stdlib/.dagger/env/trivy/values.yaml index 498f4ce0..9e986560 100644 --- a/stdlib/.dagger/env/trivy/values.yaml +++ b/stdlib/.dagger/env/trivy/values.yaml 
@@ -1,6 +1,15 @@ plan: package: ./trivy/tests name: trivy +inputs: + TestConfig.awsConfig.accessKey: + secret: ENC[AES256_GCM,data:49pmU12lmfa9Lxuw4SE/9+kBJOA=,iv:LHzgaSmsNrPQ2jrrSPfVwV+gUbaGAFg/ARifdGnMZwQ=,tag:gb6FLzaQAvUT0EGKMXBJ9A==,type:str] + TestConfig.awsConfig.secretKey: + secret: ENC[AES256_GCM,data:OMpMHVZMwM2a6YhecV0FwvBBxgUsZqu1Y1QXrCisQD3X0ab8vC5Kpw==,iv:HtyLQttG1M4NOC/jA/jvpNMG8N5is3LA2c0fGecrN5o=,tag:0ajZGtMwRXOCFOQRiqxm8A==,type:str] + TestConfig.gcpConfig.serviceKey: + secret: ENC[AES256_GCM,data:lwZNdc+jszBc1D7L8Hh7/iTecCayUg2bLhRIlK/0TU7weGigSUFmmCoRUGKRjaF2xwWSA9q/Racq3ko8OqjCEzeN6/Z5wYgANtAfZi6Wm3zALL3FMNH5aeLy6uOemfXaeaRFfajMkbSy2Iq2SyBGDcU6zmE8Sb3T+O1ty8HoF6ggJi7cuwIo/V6u38PxTgDrISfQ3+RB1DArhn0KvIakmY2oPx1EmugWAWWz9wUDFxGr4WghV0leai80c63S6JPc1AY7HFR5uJ3UwA6lpWuFxmD/ACXV4+JK5REkYsdASI541TlvUDQTAxKsCePKapqrrBbugzDtlYxoltAHKIXf4/FXxh+KrEpThCqVHBStQeZEeh17A/PgX0eX7zeSY3Y1rsYlZRKzdLAdsQUMko+Tfb7NHhVW/Lq9OaLL/ASAk19qIBCdkvefTqkCTMdA0EGvRpl0mMhxzsHN7C/CJ+Xunr5mB8vZOFKH8yxHgT7ha+Rz1K6brywBbrylwMdKQ19UDBPwmMxEXVp24k+PgwBwOkVEw+Zj+gvl77J4ac7bPJTT6lQs3j8WMz+fONS9okg6j+2iCeRg/omrSg4wCIWwIZLMYlnJKzURNPYIJt7dMTM6HCr6UHTUsfGvxZZeQPXigff1USWv69j42sD4IzN7VLLiidLnflSt2NJXRioYeHzX76I6m3FPN5xm6NiWfna3SzcmqmflymdLYJ5yAvzk6Mrpt/dQbSuNSJhSB60ffBTquAOZJFdhynFBprtEyu/V0l5oQndfjrwCp/dNE47EfhX6vgEAcF7Q5ZqCDg3xACUSjQw5dlJqt7TL8fwowsE1Z6aDM1mN///S4sGf3fiW24SuoaMti6DJ36tDUZkGiboDL5UfW4oCbX6Fg4RJSmgQX0j8I4qNrhSmgtrC/i1kvye/Yei7jqu1MmWGFqbG4QgpGK6mCn86g54gqoz3RnibIEHOSUt97q9kze4lUzsvPcLFo5fyU/3aC3RMX+iY7hQ+aZQE2vIdnYTY/a4IUN8r/k9ygr2l3bGsz9pCbuNpiTX8SlEdTxyhdq6HUnfGXBC8+7mS+woLasawjaakGR48ZOSOB5ZN3fAVfNZ6mQNcvTMlS2ntcut7AYhTrc/XqeYhwnrOkhDjBro55mD1G7I+GdSK5zUilXpKgrtLXb2yuY0mEd8qlrnyqzvY/uBFfgvHSSONIMbelUEmY+EoW0qCn8l5dkA+ze3xoYocEa4kvilN39Ag33uJI3MGpYJWIpZSlxttuJepKMVB4ypJdPujw6m2ry2dXwNszTMxg5kH6M7GhnfZxgxIZo6xsDM9XF3LMLPd6GT+nOaPPwDDoIIHuWIUGQlBFkaChQxJY5ZpgYWzkIZYSgxf+I8v/mvdUZgfQ2ymBtwBFoVppXkDVvsq9HxKd4NJMyWGCC4HjaqDo+N7L7ktlnTSxfNWfd1MKgVcDdCer/54qP3J8clKAtq+bWQY3VYN
A9iM3EbQeWrLatXt0mpJ6sc30APPM4fUHfzkum2KTX4IRHJ/KYcnU0GMpql812ShfGsheh4JA6LPoNFPH5PEZRXvSLdOnmN6w7y09YeX+sHUYJ1EwOz9I6VGQmd3P+A9yBEIMFX6y1cCwthCo++wXfrPMSDAYvI0Sytmy1IaRdPvonuvmyw85NC3gLmP701/KJ65tUw1NkUrEPwTDnONjc27caAT3hHlTa+rzuQpovo526tSmfYnj7cU39r29IvEagwqRMOA+088FOqRzutsW737tVE4TVAV2g/pTgk/LRSDbG30pajoJi4oMfHfKDTtZZQ4QrpFVFK8jAzaiyOVd/faE+iuwtJoRy8yEI/1Hd3AEgmF375POWijh7U3JdaY57jUzpQiY3uMogCEdk6ZaU8zelq+j1g8R1JdeoCA+VmkwcceGrR0D9TQKHdUT2zuoR6y7A6hLJX6ifS3v/ZBj4sJaD3qlmUN0oELf1sgPQ7CuR2wKz1rfby7HdDFgFQ3F1EwGctS/1vxeubigCTItB43MJpHo1Ladx8PsRkgNcrFVq4WOP+kyFKu/gpfueaNCH+RY3j9EXhTKsi1HYIfJyUV47TMbqitjE5nWseaigEr9X9WXdxAccsRCjloWJ6QstcrEWBlVCqE6qiMTq6UMMgAwsggRbBBjYcG8BcI9aLULHpLPrTQ9jGEVpM6hHmeL2ggJblsXaTxai0Q6LOOcwKpOkt/ODSI1/3j3HyVN/s94a2tDy0fOB1sMHqrIB2gsW3K+PuYsPIqDcwz879MBkWErTeb9++RIP+bmBoGR8DM0o/4Ituopg+qfZIKSMtvQ2V7ueW8vWd/nefzi1RBNI8qNwMOZOfKJJD/HwjOqUu19RCHwq5z2oEab6QOxfXGZxWICESNO14PVGpwY0oR/USG3Xqfd5Q8Hr4pCn2L9Ca1aW52ubp+dtjvgsFBKcan/08zz7XVB7vk30xIhtNLCWCHzxCmpeuhSEwjDflh7l039FgKcK/8avk1oGLhuVmoOqLhLRN349rF62DkaFtRMiUIINu90I9zkU6E1Q4st3kkHYZ6+KSixstEI0LAntEwA71F7Lm/nmQ7eDBPaN/4xqH+WXIEbrTK1UKBlKjTBR/OV4oPv7ls2w/npqwGGPwPQvpOV/u4KwyZX99vxbSErgxzSNVxk+jf3rKLWW8+O9X+4uovX2hy6WSxcAXq+W1u/i6wlDG/dOhSeaU5nV3lLB95dzz9q6dioaVs2296sRhhzOzAutvrdvxYnpFftBOfdsMc5lwhogI2KiXPUtOjENdlEAAu+QNPcGfUfeNE7pY0SZv1qw4ErkI4loS4PGT5gHMqcms9RQozsnQ7Foq60HPBrUqiNpP0wqEZcVQdVlU8bZhNn6Qk/qfepOQWzTbl8MG+Q793cP1hIa8nv3CIEV9AQbM1BgjZ53Z03wSa+n/TaJhsGp/yn3X4GlCRk29Kt3emJwVA9gtncydpxY9DDN1kcWESJHP1mmX0Gyhzv4holAhYGhdCvH3YzW+JbEL7GBgOg/B/Wmavu2iZMaK7TTxIWRouY5tIZYtTJazQOSHBImHVfFM5AZYN,iv:1emUpXQvyJFMMb195ZRcHS/jzR1bC31t+j1nWhjNNzQ=,tag:PfgiV2TAgLOxj1qqz1yzgA==,type:str] + TestConfig.trivyBasicAuth.basicAuth.password: + secret: ENC[AES256_GCM,data:RiQ1Jc0tYbwydpMp,iv:c9YF6O4YEljEEspgSp9l/RCGrL6mX4mKRq0VS+G1wpY=,tag:K0JOxed4yh/Ypn8wZVr40w==,type:str] sops: kms: [] gcp_kms: [] 
@@ -16,8 +25,8 @@ sops: bHZuNEZsYnNNaHdBOFBTYmJtNC9JRncKVcqn44INSaA5TGRl/566DMu7scX9UjtV 3FhUcSfLFJXviw/ll3dUONXOQJTe3p9SgFCHir2qnMmJqErDDvqj/Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2021-10-21T14:00:04Z" - mac: ENC[AES256_GCM,data:YTCRHj9jF0JBXEmC8ljCnEweQKCdMYry2GiPoveFBuwG3aSSTLhoPbrLNA+0FJ/AEaQNwNDv8KbZ6i9phcDCmTh6LVIVryxWy5Th8kFp9CSyYyyIBU64OO57hsXtIDvWW1IXtXqd8mngjv3v57/SIsRxo1amTOlSKbjAoY61Rw8=,iv:xcDXzNYOXbEfowEAzf+wVrb0vJFTr0aTCRS23Nj0OmE=,tag:qQjpB4xs014EaEswwrOWeQ==,type:str] + lastmodified: "2021-10-27T22:36:22Z" + mac: ENC[AES256_GCM,data:DbTYfCl2OFTe0nqxd3b08ssF1hyKACzqGJOjNyKtCKOVXzlTh1QCynejLE+APehkHUkl/8GqEmjqlwYFNXfbUcWNcw4U0ZD9ZWzkFG/Nk8HuSQyAqhF2zF8DBPbhZhupjzXcRGmZcM8LJjJPJsAg3u018eGo6TWmjt6+1uettLw=,iv:vCAiBHHC017v7saIPpkJ+gL3ku4wHwFVszF4xmbwSRE=,tag:LdcZ1HpWx0Zfjfm1OQ+4Dw==,type:str] pgp: [] encrypted_suffix: secret version: 3.7.1 diff --git a/stdlib/trivy/image.cue b/stdlib/trivy/image.cue index 6c0cfe00..e67adf6f 100644 --- a/stdlib/trivy/image.cue +++ b/stdlib/trivy/image.cue @@ -16,13 +16,12 @@ import ( // Trivy Image arguments args: [arg=string]: string - // Enforce args best practices args: { - "--exit-code": *"1" | string - "--severity": *"HIGH,CRITICAL" | string - "--format": *"table" | string - "--ignore-unfixed": *"true" | string + "--severity": *"HIGH,CRITICAL" | string + "--exit-code": *"1" | string + "--ignore-unfixed": *"" | string + "--format": *"table" | string } ctr: os.#Container & { @@ -33,6 +32,7 @@ import ( path: "/bin/bash" args: ["--noprofile", "--norc", "-eo", "pipefail", "-c"] } + always: true command: #""" trivyArgs="$( echo "$ARGS" | 
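Review bot: `"--ignore-unfixed": *"" | string` now relies on an invisible coupling: the empty default only works because `ctr.command` word-splits `$trivyArgs`, so `--ignore-unfixed ""` collapses to the bare boolean switch, and the hunk drops the `// Enforce args best practices` comment that used to explain why these four keys are preset. A reader of this block cannot see either fact. Suggested header for the `args:` struct: `// Defaults that gate the build: HIGH/CRITICAL findings fail with exit code 1; an empty value emits a bare boolean switch (the command word-splits the args)`. The enclosing #Image definition starts and ends outside the hunk.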
@@ -42,18 +42,22 @@ import ( add ')" - trivy image "$trivyArgs" "$SOURCE" - echo "$SOURCE" > /ref + # Remove suffix and prefix quotes if present + trivyArgs="${trivyArgs#\"}" + trivyArgs="${trivyArgs%\"}" + + trivy image $trivyArgs "$SOURCE" + echo -n "$SOURCE" > /ref """# env: ARGS: json.Marshal(args) env: SOURCE: source } - // Export ref to create dependency (wait for the check to finish) + // Reference analyzed ref: { os.#File & { - from: ctr - path: "/ref" - } + from: ctr + path: "/ref" + } }.contents @dagger(output) } diff --git a/stdlib/trivy/tests/trivy.cue b/stdlib/trivy/tests/trivy.cue index 0e51dfcb..d449c9d4 100644 --- a/stdlib/trivy/tests/trivy.cue +++ b/stdlib/trivy/tests/trivy.cue 
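Review bot: `trivy image $trivyArgs "$SOURCE"` is left unquoted so that the jq-built string word-splits into flags, but that also subjects every arg value to glob expansion and splits values containing spaces, and the `${trivyArgs#\"}`/`${trivyArgs%\"}` pair only strips the outer quotes of the JSON string, leaving `\"` escapes inside any value that contains a quote. Since `args` values are interpolated straight into the command line, this is both a correctness problem and an injection surface once a value comes from anywhere other than the plan author. Build an array instead: `readarray -t trivyArgs < <(echo "$ARGS" | jq -r 'to_entries[] | .key, (.value | select(. != ""))')` then `trivy image "${trivyArgs[@]}" "$SOURCE"`, which keeps the bare-switch behaviour for empty values and makes the two quote-stripping lines unnecessary. The `ctr` definition starts outside the hunk.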
@@ -1,2 +1,127 @@ package trivy +import ( + "alpha.dagger.io/aws" + "alpha.dagger.io/aws/ecr" + "alpha.dagger.io/dagger" + "alpha.dagger.io/dagger/op" + "alpha.dagger.io/gcp" + "alpha.dagger.io/gcp/gcr" + "alpha.dagger.io/random" +) + +TestConfig: awsConfig: aws.#Config & { + region: "us-east-2" +} + +TestConfig: gcpConfig: gcp.#Config & { + project: "dagger-ci" + region: "us-west2-a" +} + +TestConfig: { + trivyNoAuth: #Config + + trivyBasicAuth: #Config & { + basicAuth: { + username: "guilaume1234" + password: dagger.#Input & {dagger.#Secret} + } + } + + trivyAWSAuth: #Config & { + awsAuth: TestConfig.awsConfig + } + + trivyGCPAuth: #Config & { + gcpAuth: TestConfig.gcpConfig + } +} + +TestSuffix: random.#String & { + seed: "" +} + +TestNoAuthClient: #Image & { + config: TestConfig.trivyNoAuth + source: "ubuntu:21.10" +} + +TestBasicAuthClient: #Image & { + config: TestConfig.trivyBasicAuth + source: "docker.io/guilaume1234/guillaume:latest" +} + +TestAWSClient: { + repository: "125635003186.dkr.ecr.\(TestConfig.awsConfig.region).amazonaws.com/dagger-ci" + tag: "test-ecr-\(TestSuffix.out)" + + creds: ecr.#Credentials & { + config: TestConfig.awsConfig + } + + push: { + ref: "\(repository):\(tag)" + + #up: [ + op.#DockerBuild & { + dockerfile: """ + FROM alpine + RUN echo \(TestSuffix.out) > /test + """ + }, + + op.#DockerLogin & { + target: repository + username: creds.username + secret: creds.secret + }, + + op.#PushContainer & { + "ref": ref + }, + ] + } + + verify: #Image & { + config: TestConfig.trivyAWSAuth + source: push.ref + } +} + +TestGCPClient: { + repository: "gcr.io/dagger-ci/test" + tag: "test-gcr-\(TestSuffix.out)" + + creds: gcr.#Credentials & { + config: TestConfig.gcpConfig + } + + push: { + ref: "\(repository):\(tag)" + + #up: [ + op.#DockerBuild & { + dockerfile: """ + FROM alpine + RUN echo \(TestSuffix.out) > /test + """ + }, + + op.#DockerLogin & { + target: repository + username: creds.username + secret: creds.secret + }, + + 
op.#PushContainer & { + "ref": ref + }, + ] + } + + verify: #Image & { + config: TestConfig.trivyGCPAuth + source: push.ref + } +} diff --git a/stdlib/trivy/trivy.cue b/stdlib/trivy/trivy.cue index f669ebf2..f200dc73 100644 --- a/stdlib/trivy/trivy.cue +++ b/stdlib/trivy/trivy.cue @@ -7,6 +7,7 @@ import ( "alpha.dagger.io/aws" "alpha.dagger.io/dagger" "alpha.dagger.io/dagger/op" + "alpha.dagger.io/gcp" ) // Set Trivy download source @@ -32,8 +33,8 @@ import ( // AWS ECR auth awsAuth: aws.#Config | *null - // GCR auth (credential.json as string) - gcpAuth: dagger.#Input & {dagger.#Secret | *null} + // GCP auth + gcpAuth: gcp.#Config | *null } // Re-usable CLI component @@ -41,25 +42,33 @@ import ( config: #Config #up: [ - if config.awsAuth == null { + if config.awsAuth == null && config.gcpAuth == null { op.#Load & { from: alpine.#Image & { package: bash: "=~5.1" package: curl: true + package: jq: "=~1.6" } } }, - if config.awsAuth != null { + if config.awsAuth != null && config.gcpAuth == null { op.#Load & { from: aws.#CLI & { - "config": config + "config": config.awsAuth + } + } + }, + if config.awsAuth == null && config.gcpAuth != null { + op.#Load & { + from: gcp.#GCloud & { + "config": config.gcpAuth } } }, op.#Exec & { args: ["sh", "-c", #""" - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh && + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.18.3 && chmod +x /usr/local/bin/trivy """#, ] 
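Review bot: `TestNoAuthClient` scans `ubuntu:21.10` and `TestBasicAuthClient` scans `docker.io/guilaume1234/guillaume:latest`, both mutable tags, while #Image defaults to `--exit-code 1` on HIGH/CRITICAL, so the suite goes red whenever a new advisory lands upstream and green again when it is patched, with no change in this repository. The basic-auth case also depends on a personal Docker Hub account (`username: "guilaume1234"`), which nobody else can reproduce or rotate. Pin the scanned references by digest (or scan images the test itself pushes, as the AWS and GCP cases do) and move the account name into `values.yaml` next to `TestConfig.trivyBasicAuth.basicAuth.password`.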
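Review bot: The installer is still fetched from an unpinned branch and executed as root: `curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.18.3` pins the binary version but not the script, and nothing verifies a checksum, so whatever `main` serves at build time runs inside every scanning image. Fetch the script at the tag matching the binary (a tag ref in the raw URL instead of `main`) or download the release archive and verify its published checksum before installing. Separately, the three `op.#Load` guards are `awsAuth == null && gcpAuth == null`, `awsAuth != null && gcpAuth == null` and `awsAuth == null && gcpAuth != null`, so a #Config with both set loads no base image at all; either reject that combination in #Config or document which one wins. `package: jq: "=~1.6"` is added only to the alpine base, so the aws.#CLI and gcp.#GCloud images are presumably assumed to ship jq for #Image's pipeline — worth confirming.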
@@ -77,11 +86,11 @@ import ( # Construct env string from env vars envs=() - [ -n "$TRIVY_USERNAME" ] && envs+=("TRIVY_USERNAME={$TRIVY_USERNAME}") + [ -n "$TRIVY_USERNAME" ] && envs+=("TRIVY_USERNAME=$TRIVY_USERNAME") [ -n "$TRIVY_NON_SSL" ] && envs+=("TRIVY_NON_SSL=$TRIVY_NON_SSL") # Append secret to env string - [ -n "$(cat /password)" ] && envs+=("TRIVY_PASSWORD={$(cat /password)}") + [ -n "$(cat /password)" ] && envs+=("TRIVY_PASSWORD=$(cat /password)") # Append full command echo "${envs[@]}" '/usr/local/bin/trivy-dagger "$@"' >> /usr/local/bin/trivy @@ -97,10 +106,6 @@ import ( }, // config.gcpAuth case if config.basicAuth == null && config.awsAuth == null && config.gcpAuth != null { - op.#WriteFile & { - dest: "/credentials.json" - content: config.gcpAuth - } op.#Exec & { args: ["/bin/bash", "-c", #""" @@ -111,7 +116,7 @@ import ( echo '#!/bin/bash'$'\n' > /usr/local/bin/trivy # Append full command - echo "TRIVY_USERNAME=" "GOOGLE_APPLICATION_CREDENTIALS=/credentials.json" '/usr/local/bin/trivy-dagger "$@"' >> /usr/local/bin/trivy + echo "TRIVY_USERNAME=''" "GOOGLE_APPLICATION_CREDENTIALS=/service_key" '/usr/local/bin/trivy-dagger "$@"' >> /usr/local/bin/trivy # Make it executable chmod +x /usr/local/bin/trivy diff --git a/stdlib/universe.bats b/stdlib/universe.bats index 4a42172b..361b82ad 100644 --- a/stdlib/universe.bats +++ b/stdlib/universe.bats @@ -273,3 +273,7 @@ setup() { skip "Azure CI infra not implemented yet - manually tested and working" #dagger -e azure-stapp up } + +@test "trivy" { + dagger -e trivy up +} \ No newline at end of file
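Review bot: The generated wrapper still emits the credentials as unquoted words: `envs+=("TRIVY_USERNAME=$TRIVY_USERNAME")` and `envs+=("TRIVY_PASSWORD=$(cat /password)")` are written through `echo "${envs[@]}" ... >> /usr/local/bin/trivy`, so bash re-parses the password text every time `trivy` is invoked and a value containing whitespace, quotes, `$` or backticks is split or expanded instead of being passed verbatim. Removing the stray braces fixes the obvious case but not this one. Shell-quote each assignment when building the array, e.g. `envs+=("TRIVY_USERNAME=$(printf '%q' "$TRIVY_USERNAME")")` and `envs+=("TRIVY_PASSWORD=$(printf '%q' "$(cat /password)")")`, and do the same for `TRIVY_NON_SSL` for consistency. The `op.#Exec` this script belongs to starts and ends outside the hunk.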
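Review bot: `GOOGLE_APPLICATION_CREDENTIALS=/service_key` hard-codes a path that is only meaningful if `gcp.#GCloud` (loaded as the base image in the `@@ -41,25 +42,33 @@` hunk of this file) places the service-account key there, and nothing in this file states that contract, so a change in the gcp package would silently break authentication here. Add a comment above the echo, e.g. `# /service_key: where gcp.#GCloud provides the service-account key — keep in sync with alpha.dagger.io/gcp`, assuming that is indeed the gcp package's path. The enclosing `op.#Exec` starts outside the hunk.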
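Review bot: The new `@test "trivy"` block ends without a trailing newline (`\ No newline at end of file`), so every later append to `universe.bats` will show a spurious change on this closing brace; add the newline after `}`. It is also worth a comment that `dagger -e trivy up` pushes to real ECR and GCR repositories and needs the sops-encrypted inputs in `stdlib/.dagger/env/trivy/values.yaml`, in the way the neighbouring azure test explains its own infrastructure dependency in its skip message.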