Merge pull request #1067 from slumbering/universe-trivy

init trivy universe
2021-10-29 09:55:16 -07:00 · 2021-10-29 09:55:16 -07:00 · 48876c04e4
commit 48876c04e4
parent fa334f4a86 3fb03cd2d7
8 changed files with 404 additions and 0 deletions
--- a/docs/reference/README.md
+++ b/docs/reference/README.md
@ -36,3 +36,4 @@
 - [os](./os.md) - OS operations
 - [random](./random.md) - Random generation utilities
 - [terraform](./terraform.md) - Terraform operations
+- [trivy](./trivy.md) - -
--- a/docs/reference/trivy.md
+++ b/docs/reference/trivy.md
@ -0,0 +1,47 @@
+---
+sidebar_label: trivy
+---
+
+# alpha.dagger.io/trivy
+
+```cue
+import "alpha.dagger.io/trivy"
+```
+
+## trivy.#CLI
+
+Re-usable CLI component
+
+### trivy.#CLI Inputs
+
+_No input._
+
+### trivy.#CLI Outputs
+
+_No output._
+
+## trivy.#Config
+
+Trivy Configuration
+
+### trivy.#Config Inputs
+
+_No input._
+
+### trivy.#Config Outputs
+
+_No output._
+
+## trivy.#Image
+
+Scan an Image
+
+### trivy.#Image Inputs
+
+_No input._
+
+### trivy.#Image Outputs
+
+| Name             | Type              | Description          |
+| -------------    |:-------------:    |:-------------:       |
+|*ref*             | `string`          |Reference analyzed    |
--- a/stdlib/.dagger/env/trivy/.gitignore
+++ b/stdlib/.dagger/env/trivy/.gitignore
@ -0,0 +1,2 @@
+# dagger state
+state/**
--- a/stdlib/.dagger/env/trivy/values.yaml
+++ b/stdlib/.dagger/env/trivy/values.yaml
@ -0,0 +1,32 @@
+plan:
+    package: ./trivy/tests
+name: trivy
+inputs:
+    TestConfig.awsConfig.accessKey:
+        secret: ENC[AES256_GCM,data:49pmU12lmfa9Lxuw4SE/9+kBJOA=,iv:LHzgaSmsNrPQ2jrrSPfVwV+gUbaGAFg/ARifdGnMZwQ=,tag:gb6FLzaQAvUT0EGKMXBJ9A==,type:str]
+    TestConfig.awsConfig.secretKey:
+        secret: ENC[AES256_GCM,data:OMpMHVZMwM2a6YhecV0FwvBBxgUsZqu1Y1QXrCisQD3X0ab8vC5Kpw==,iv:HtyLQttG1M4NOC/jA/jvpNMG8N5is3LA2c0fGecrN5o=,tag:0ajZGtMwRXOCFOQRiqxm8A==,type:str]
+    TestConfig.gcpConfig.serviceKey:
+        secret: ENC[AES256_GCM,data:lwZNdc+jszBc1D7L8Hh7/iTecCayUg2bLhRIlK/0TU7weGigSUFmmCoRUGKRjaF2xwWSA9q/Racq3ko8OqjCEzeN6/Z5wYgANtAfZi6Wm3zALL3FMNH5aeLy6uOemfXaeaRFfajMkbSy2Iq2SyBGDcU6zmE8Sb3T+O1ty8HoF6ggJi7cuwIo/V6u38PxTgDrISfQ3+RB1DArhn0KvIakmY2oPx1EmugWAWWz9wUDFxGr4WghV0leai80c63S6JPc1AY7HFR5uJ3UwA6lpWuFxmD/ACXV4+JK5REkYsdASI541TlvUDQTAxKsCePKapqrrBbugzDtlYxoltAHKIXf4/FXxh+KrEpThCqVHBStQeZEeh17A/PgX0eX7zeSY3Y1rsYlZRKzdLAdsQUMko+Tfb7NHhVW/Lq9OaLL/ASAk19qIBCdkvefTqkCTMdA0EGvRpl0mMhxzsHN7C/CJ+Xunr5mB8vZOFKH8yxHgT7ha+Rz1K6brywBbrylwMdKQ19UDBPwmMxEXVp24k+PgwBwOkVEw+Zj+gvl77J4ac7bPJTT6lQs3j8WMz+fONS9okg6j+2iCeRg/omrSg4wCIWwIZLMYlnJKzURNPYIJt7dMTM6HCr6UHTUsfGvxZZeQPXigff1USWv69j42sD4IzN7VLLiidLnflSt2NJXRioYeHzX76I6m3FPN5xm6NiWfna3SzcmqmflymdLYJ5yAvzk6Mrpt/dQbSuNSJhSB60ffBTquAOZJFdhynFBprtEyu/V0l5oQndfjrwCp/dNE47EfhX6vgEAcF7Q5ZqCDg3xACUSjQw5dlJqt7TL8fwowsE1Z6aDM1mN///S4sGf3fiW24SuoaMti6DJ36tDUZkGiboDL5UfW4oCbX6Fg4RJSmgQX0j8I4qNrhSmgtrC/i1kvye/Yei7jqu1MmWGFqbG4QgpGK6mCn86g54gqoz3RnibIEHOSUt97q9kze4lUzsvPcLFo5fyU/3aC3RMX+iY7hQ+aZQE2vIdnYTY/a4IUN8r/k9ygr2l3bGsz9pCbuNpiTX8SlEdTxyhdq6HUnfGXBC8+7mS+woLasawjaakGR48ZOSOB5ZN3fAVfNZ6mQNcvTMlS2ntcut7AYhTrc/XqeYhwnrOkhDjBro55mD1G7I+GdSK5zUilXpKgrtLXb2yuY0mEd8qlrnyqzvY/uBFfgvHSSONIMbelUEmY+EoW0qCn8l5dkA+ze3xoYocEa4kvilN39Ag33uJI3MGpYJWIpZSlxttuJepKMVB4ypJdPujw6m2ry2dXwNszTMxg5kH6M7GhnfZxgxIZo6xsDM9XF3LMLPd6GT+nOaPPwDDoIIHuWIUGQlBFkaChQxJY5ZpgYWzkIZYSgxf+I8v/mvdUZgfQ2ymBtwBFoVppXkDVvsq9HxKd4NJMyWGCC4HjaqDo+N7L7ktlnTSxfNWfd1MKgVcDdCer/54qP3J8clKAtq+bWQY3VYNA9iM3EbQeWrLatXt0mpJ6sc30APPM4fUHfzkum2KTX4IRHJ/KYcnU0GMpql812ShfGsheh4JA6LPoNFPH5PEZRXvSLdOnmN6w7y09YeX+sHUYJ1EwOz9I6VGQmd3P+A9yBEIMFX6y1cCwthCo++wXfrPMSDAYvI0Sytmy1IaRdPvonuvmyw85NC3gLmP701/KJ65tUw1NkUrEPwTDnONjc27caAT3hHlTa+rzuQpovo526tSmfYnj7cU39r29IvEagwqRMOA+088FOqRzutsW737tVE4TVAV2g/pTgk/LRSDbG30pajoJi4oMfHfKDTtZZQ4QrpFVFK8jAzaiyOVd/faE+iuwtJoRy8yEI/1Hd3AEgmF375POWijh7U3JdaY57jUzpQiY3uMogCEdk6ZaU8zelq+j1g8R1JdeoCA+VmkwcceGrR0D9TQKHdUT2zuoR6y7A6hLJX6ifS3v/ZBj4sJaD3qlmUN0oELf1sgPQ7CuR2wKz1rfby7HdDFgFQ3F1EwGctS/1vxeubigCTItB43MJpHo1Ladx8PsRkgNcrFVq4WOP+kyFKu/gpfueaNCH+RY3j9EXhTKsi1HYIfJyUV47TMbqitjE5nWseaigEr9X9WXdxAccsRCjloWJ6QstcrEWBlVCqE6qiMTq6UMMgAwsggRbBBjYcG8BcI9aLULHpLPrTQ9jGEVpM6hHmeL2ggJblsXaTxai0Q6LOOcwKpOkt/ODSI1/3j3HyVN/s94a2tDy0fOB1sMHqrIB2gsW3K+PuYsPIqDcwz879MBkWErTeb9++RIP+bmBoGR8DM0o/4Ituopg+qfZIKSMtvQ2V7ueW8vWd/nefzi1RBNI8qNwMOZOfKJJD/HwjOqUu19RCHwq5z2oEab6QOxfXGZxWICESNO14PVGpwY0oR/USG3Xqfd5Q8Hr4pCn2L9Ca1aW52ubp+dtjvgsFBKcan/08zz7XVB7vk30xIhtNLCWCHzxCmpeuhSEwjDflh7l039FgKcK/8avk1oGLhuVmoOqLhLRN349rF62DkaFtRMiUIINu90I9zkU6E1Q4st3kkHYZ6+KSixstEI0LAntEwA71F7Lm/nmQ7eDBPaN/4xqH+WXIEbrTK1UKBlKjTBR/OV4oPv7ls2w/npqwGGPwPQvpOV/u4KwyZX99vxbSErgxzSNVxk+jf3rKLWW8+O9X+4uovX2hy6WSxcAXq+W1u/i6wlDG/dOhSeaU5nV3lLB95dzz9q6dioaVs2296sRhhzOzAutvrdvxYnpFftBOfdsMc5lwhogI2KiXPUtOjENdlEAAu+QNPcGfUfeNE7pY0SZv1qw4ErkI4loS4PGT5gHMqcms9RQozsnQ7Foq60HPBrUqiNpP0wqEZcVQdVlU8bZhNn6Qk/qfepOQWzTbl8MG+Q793cP1hIa8nv3CIEV9AQbM1BgjZ53Z03wSa+n/TaJhsGp/yn3X4GlCRk29Kt3emJwVA9gtncydpxY9DDN1kcWESJHP1mmX0Gyhzv4holAhYGhdCvH3YzW+JbEL7GBgOg/B/Wmavu2iZMaK7TTxIWRouY5tIZYtTJazQOSHBImHVfFM5AZYN,iv:1emUpXQvyJFMMb195ZRcHS/jzR1bC31t+j1nWhjNNzQ=,tag:PfgiV2TAgLOxj1qqz1yzgA==,type:str]
+    TestConfig.trivyBasicAuth.basicAuth.password:
+        secret: ENC[AES256_GCM,data:RiQ1Jc0tYbwydpMp,iv:c9YF6O4YEljEEspgSp9l/RCGrL6mX4mKRq0VS+G1wpY=,tag:K0JOxed4yh/Ypn8wZVr40w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1gxwmtwahzwdmrskhf90ppwlnze30lgpm056kuesrxzeuyclrwvpsupwtpk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2QVVmbFlHazZaeDJ6Vk5l
+            dldPbmttNWhLb1hnVjZMMGRkdk9kR3ErMENZCkJBOGN5NDFZYzRHR0N6d1NIeDMx
+            QXV0RkJydWltL092YnFNY3FGcUlYTGsKLS0tIGcxV0tYOGRNTE51K0VCNHAwcEtn
+            bHZuNEZsYnNNaHdBOFBTYmJtNC9JRncKVcqn44INSaA5TGRl/566DMu7scX9UjtV
+            3FhUcSfLFJXviw/ll3dUONXOQJTe3p9SgFCHir2qnMmJqErDDvqj/Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2021-10-27T22:36:22Z"
+    mac: ENC[AES256_GCM,data:DbTYfCl2OFTe0nqxd3b08ssF1hyKACzqGJOjNyKtCKOVXzlTh1QCynejLE+APehkHUkl/8GqEmjqlwYFNXfbUcWNcw4U0ZD9ZWzkFG/Nk8HuSQyAqhF2zF8DBPbhZhupjzXcRGmZcM8LJjJPJsAg3u018eGo6TWmjt6+1uettLw=,iv:vCAiBHHC017v7saIPpkJ+gL3ku4wHwFVszF4xmbwSRE=,tag:LdcZ1HpWx0Zfjfm1OQ+4Dw==,type:str]
+    pgp: []
+    encrypted_suffix: secret
+    version: 3.7.1
--- a/stdlib/trivy/image.cue
+++ b/stdlib/trivy/image.cue
@ -0,0 +1,63 @@
+package trivy
+
+import (
+	"encoding/json"
+
+	"alpha.dagger.io/os"
+)
+
+// Scan an Image
+#Image: {
+	// Trivy configuration
+	config: #Config
+
+	// Image source (AWS, GCP, Docker Hub, Self hosted)
+	source: string
+
+	// Trivy Image arguments
+	args: [arg=string]: string
+	// Enforce args best practices
+	args: {
+		"--severity":       *"HIGH,CRITICAL" | string
+		"--exit-code":      *"1" | string
+		"--ignore-unfixed": *"" | string
+		"--format":         *"table" | string
+	}
+
+	ctr: os.#Container & {
+		image: #CLI & {
+			"config": config
+		}
+		shell: {
+			path: "/bin/bash"
+			args: ["--noprofile", "--norc", "-eo", "pipefail", "-c"]
+		}
+		always: true
+		command: #"""
+			trivyArgs="$(
+				echo "$ARGS" |
+				jq -c '
+					to_entries |
+					map(.key + " " + (.value | tostring) + " ") |
+					add
+			')"
+
+			# Remove suffix and prefix quotes if present
+			trivyArgs="${trivyArgs#\"}"
+			trivyArgs="${trivyArgs%\"}"
+
+			trivy image $trivyArgs "$SOURCE"
+			echo -n "$SOURCE" > /ref
+			"""#
+		env: ARGS:   json.Marshal(args)
+		env: SOURCE: source
+	}
+
+	// Reference analyzed
+	ref: {
+		os.#File & {
+				from: ctr
+				path: "/ref"
+			}
+	}.contents @dagger(output)
+}
--- a/stdlib/trivy/tests/trivy.cue
+++ b/stdlib/trivy/tests/trivy.cue
@ -0,0 +1,127 @@
+package trivy
+
+import (
+	"alpha.dagger.io/aws"
+	"alpha.dagger.io/aws/ecr"
+	"alpha.dagger.io/dagger"
+	"alpha.dagger.io/dagger/op"
+	"alpha.dagger.io/gcp"
+	"alpha.dagger.io/gcp/gcr"
+	"alpha.dagger.io/random"
+)
+
+TestConfig: awsConfig: aws.#Config & {
+	region: "us-east-2"
+}
+
+TestConfig: gcpConfig: gcp.#Config & {
+	project: "dagger-ci"
+	region:  "us-west2-a"
+}
+
+TestConfig: {
+	trivyNoAuth: #Config
+
+	trivyBasicAuth: #Config & {
+		basicAuth: {
+			username: "guilaume1234"
+			password: dagger.#Input & {dagger.#Secret}
+		}
+	}
+
+	trivyAWSAuth: #Config & {
+		awsAuth: TestConfig.awsConfig
+	}
+
+	trivyGCPAuth: #Config & {
+		gcpAuth: TestConfig.gcpConfig
+	}
+}
+
+TestSuffix: random.#String & {
+	seed: ""
+}
+
+TestNoAuthClient: #Image & {
+	config: TestConfig.trivyNoAuth
+	source: "ubuntu:21.10"
+}
+
+TestBasicAuthClient: #Image & {
+	config: TestConfig.trivyBasicAuth
+	source: "docker.io/guilaume1234/guillaume:latest"
+}
+
+TestAWSClient: {
+	repository: "125635003186.dkr.ecr.\(TestConfig.awsConfig.region).amazonaws.com/dagger-ci"
+	tag:        "test-ecr-\(TestSuffix.out)"
+
+	creds: ecr.#Credentials & {
+		config: TestConfig.awsConfig
+	}
+
+	push: {
+		ref: "\(repository):\(tag)"
+
+		#up: [
+			op.#DockerBuild & {
+				dockerfile: """
+				FROM alpine
+				RUN echo \(TestSuffix.out) > /test
+				"""
+			},
+
+			op.#DockerLogin & {
+				target:   repository
+				username: creds.username
+				secret:   creds.secret
+			},
+
+			op.#PushContainer & {
+				"ref": ref
+			},
+		]
+	}
+
+	verify: #Image & {
+		config: TestConfig.trivyAWSAuth
+		source: push.ref
+	}
+}
+
+TestGCPClient: {
+	repository: "gcr.io/dagger-ci/test"
+	tag:        "test-gcr-\(TestSuffix.out)"
+
+	creds: gcr.#Credentials & {
+		config: TestConfig.gcpConfig
+	}
+
+	push: {
+		ref: "\(repository):\(tag)"
+
+		#up: [
+			op.#DockerBuild & {
+				dockerfile: """
+				FROM alpine
+				RUN echo \(TestSuffix.out) > /test
+				"""
+			},
+
+			op.#DockerLogin & {
+				target:   repository
+				username: creds.username
+				secret:   creds.secret
+			},
+
+			op.#PushContainer & {
+				"ref": ref
+			},
+		]
+	}
+
+	verify: #Image & {
+		config: TestConfig.trivyGCPAuth
+		source: push.ref
+	}
+}
--- a/stdlib/trivy/trivy.cue
+++ b/stdlib/trivy/trivy.cue
@ -0,0 +1,128 @@
+package trivy
+
+import (
+	"strconv"
+
+	"alpha.dagger.io/alpine"
+	"alpha.dagger.io/aws"
+	"alpha.dagger.io/dagger"
+	"alpha.dagger.io/dagger/op"
+	"alpha.dagger.io/gcp"
+)
+
+// Set Trivy download source
+// - AWS
+// - GCP
+// - Docker Hub
+// - Self Hosted
+
+// Trivy Configuration
+#Config: {
+	// Docker Hub / Self hosted registry auth
+	basicAuth: {
+		// Username
+		username: dagger.#Input & {string}
+
+		// Password
+		password: dagger.#Input & {dagger.#Secret}
+
+		// No SSL connection
+		noSSL: *false | bool
+	} | *null
+
+	// AWS ECR auth
+	awsAuth: aws.#Config | *null
+
+	// GCP auth 
+	gcpAuth: gcp.#Config | *null
+}
+
+// Re-usable CLI component
+#CLI: {
+	config: #Config
+
+	#up: [
+		if config.awsAuth == null && config.gcpAuth == null {
+			op.#Load & {
+				from: alpine.#Image & {
+					package: bash: "=~5.1"
+					package: curl: true
+					package: jq:   "=~1.6"
+				}
+			}
+		},
+		if config.awsAuth != null && config.gcpAuth == null {
+			op.#Load & {
+				from: aws.#CLI & {
+					"config": config.awsAuth
+				}
+			}
+		},
+		if config.awsAuth == null && config.gcpAuth != null {
+			op.#Load & {
+				from: gcp.#GCloud & {
+					"config": config.gcpAuth
+				}
+			}
+		},
+		op.#Exec & {
+			args: ["sh", "-c",
+				#"""
+					curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.18.3 &&
+					chmod +x /usr/local/bin/trivy
+					"""#,
+			]
+		},
+		// config.basicAuth case
+		if config.basicAuth != null && config.awsAuth == null && config.gcpAuth == null {
+			op.#Exec & {
+				args: ["/bin/bash", "-c",
+					#"""
+						# Rename
+						mv /usr/local/bin/trivy /usr/local/bin/trivy-dagger
+
+						# Build root of executable script
+						echo '#!/bin/bash'$'\n' > /usr/local/bin/trivy
+
+						# Construct env string from env vars
+						envs=()
+						[ -n "$TRIVY_USERNAME" ] && envs+=("TRIVY_USERNAME=$TRIVY_USERNAME")
+						[ -n "$TRIVY_NON_SSL" ] && envs+=("TRIVY_NON_SSL=$TRIVY_NON_SSL")
+
+						# Append secret to env string
+						[ -n "$(cat /password)" ] && envs+=("TRIVY_PASSWORD=$(cat /password)")
+
+						# Append full command
+						echo "${envs[@]}" '/usr/local/bin/trivy-dagger "$@"' >> /usr/local/bin/trivy
+
+						# Make it executable
+						chmod +x /usr/local/bin/trivy
+						"""#,
+				]
+				env: TRIVY_USERNAME: config.basicAuth.username
+				env: TRIVY_NON_SSL:  strconv.FormatBool(config.basicAuth.noSSL)
+				mount: "/password": secret: config.basicAuth.password
+			}
+		},
+		// config.gcpAuth case
+		if config.basicAuth == null && config.awsAuth == null && config.gcpAuth != null {
+			op.#Exec & {
+				args: ["/bin/bash", "-c",
+					#"""
+						# Rename
+						mv /usr/local/bin/trivy /usr/local/bin/trivy-dagger
+
+						# Build root of executable script
+						echo '#!/bin/bash'$'\n' > /usr/local/bin/trivy
+
+						# Append full command
+						echo "TRIVY_USERNAME=''" "GOOGLE_APPLICATION_CREDENTIALS=/service_key" '/usr/local/bin/trivy-dagger "$@"' >> /usr/local/bin/trivy
+
+						# Make it executable
+						chmod +x /usr/local/bin/trivy
+						"""#,
+				]
+			}
+		},
+	]
+}
--- a/stdlib/universe.bats
+++ b/stdlib/universe.bats
@ -273,3 +273,7 @@ setup() {
    skip "Azure CI infra not implemented yet - manually tested and working"
    #dagger -e azure-stapp up
 }
+
+@test "trivy" {
+  dagger -e trivy up
+}