Implement #Image

Signed-off-by: guillaume <guillaume.derouville@gmail.com>
2021-10-21 19:19:06 +02:00 · 2021-10-21 19:19:06 +02:00 · 701be92dad
commit 701be92dad
parent aac70c2f17
5 changed files with 103 additions and 31 deletions
--- a/stdlib/.dagger/env/trivy/.gitignore
+++ b/stdlib/.dagger/env/trivy/.gitignore
@ -0,0 +1,2 @@
+# dagger state
+state/**
--- a/stdlib/.dagger/env/trivy/values.yaml
+++ b/stdlib/.dagger/env/trivy/values.yaml
@ -0,0 +1,23 @@
+plan:
+    package: ./trivy/tests
+name: trivy
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1gxwmtwahzwdmrskhf90ppwlnze30lgpm056kuesrxzeuyclrwvpsupwtpk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2QVVmbFlHazZaeDJ6Vk5l
+            dldPbmttNWhLb1hnVjZMMGRkdk9kR3ErMENZCkJBOGN5NDFZYzRHR0N6d1NIeDMx
+            QXV0RkJydWltL092YnFNY3FGcUlYTGsKLS0tIGcxV0tYOGRNTE51K0VCNHAwcEtn
+            bHZuNEZsYnNNaHdBOFBTYmJtNC9JRncKVcqn44INSaA5TGRl/566DMu7scX9UjtV
+            3FhUcSfLFJXviw/ll3dUONXOQJTe3p9SgFCHir2qnMmJqErDDvqj/Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2021-10-21T14:00:04Z"
+    mac: ENC[AES256_GCM,data:YTCRHj9jF0JBXEmC8ljCnEweQKCdMYry2GiPoveFBuwG3aSSTLhoPbrLNA+0FJ/AEaQNwNDv8KbZ6i9phcDCmTh6LVIVryxWy5Th8kFp9CSyYyyIBU64OO57hsXtIDvWW1IXtXqd8mngjv3v57/SIsRxo1amTOlSKbjAoY61Rw8=,iv:xcDXzNYOXbEfowEAzf+wVrb0vJFTr0aTCRS23Nj0OmE=,tag:qQjpB4xs014EaEswwrOWeQ==,type:str]
+    pgp: []
+    encrypted_suffix: secret
+    version: 3.7.1
--- a/stdlib/trivy/image.cue
+++ b/stdlib/trivy/image.cue
@ -0,0 +1,59 @@
+package trivy
+
+import (
+	"encoding/json"
+
+	"alpha.dagger.io/os"
+)
+
+// Scan an Image
+#Image: {
+	// Trivy configuration
+	config: #Config
+
+	// Image source (AWS, GCP, Docker Hub, Self hosted)
+	source: string
+
+	// Trivy Image arguments
+	args: [arg=string]: string
+	
+	// Enforce args best practices
+	args: {
+		"--exit-code": *"1" | string
+		"--severity": *"HIGH,CRITICAL" | string
+		"--format": *"table" | string
+		"--ignore-unfixed": *"true" | string
+	}
+
+	ctr: os.#Container & {
+		image: #CLI & {
+			"config": config
+		}
+		shell: {
+			path: "/bin/bash"
+			args: ["--noprofile", "--norc", "-eo", "pipefail", "-c"]
+		}
+		command: #"""
+			trivyArgs="$(
+				echo "$ARGS" |
+				jq -c '
+					to_entries |
+					map(.key + " " + (.value | tostring) + " ") |
+					add
+			')"
+
+			trivy image "$trivyArgs" "$SOURCE"
+			echo "$SOURCE" > /ref
+			"""#
+		env: ARGS:   json.Marshal(args)
+		env: SOURCE: source
+	}
+
+	// Export ref to create dependency (wait for the check to finish)
+	ref: {
+		os.#File & {
+			from: ctr
+			path: "/ref"
+		}
+	}.contents @dagger(output)
+}
--- a/stdlib/trivy/tests/trivy.cue
+++ b/stdlib/trivy/tests/trivy.cue
@ -0,0 +1,2 @@
+package trivy
+
--- a/stdlib/trivy/trivy.cue
+++ b/stdlib/trivy/trivy.cue
@ -3,9 +3,10 @@ package trivy
 import (
 	"strconv"

+	"alpha.dagger.io/alpine"
 	"alpha.dagger.io/aws"
 	"alpha.dagger.io/dagger"
-	"alpha.dagger.io/os"
+	"alpha.dagger.io/dagger/op"
 )

 // Set Trivy download source
@ -19,20 +20,20 @@ import (
 	// Docker Hub / Self hosted registry auth
 	basicAuth: {
 		// Username
-		username: dagger.#Input & {string} | *""
+		username: dagger.#Input & {string}

 		// Password
-		password: dagger.#Input & {dagger.#Secret} | *""
+		password: dagger.#Input & {dagger.#Secret}

 		// No SSL connection
-		noSSL:    *false | bool
+		noSSL: *false | bool
 	} | *null

 	// AWS ECR auth
 	awsAuth: aws.#Config | *null

 	// GCR auth (credential.json as string)
-	gcpAuth: dagger.#Input & {string} | *null
+	gcpAuth: dagger.#Input & {dagger.#Secret | *null}
 }

 // Re-usable CLI component
@ -46,15 +47,15 @@ import (
 					package: bash: "=~5.1"
 					package: curl: true
 				}
-			},
-		}
+			}
+		},
 		if config.awsAuth != null {
 			op.#Load & {
 				from: aws.#CLI & {
 					"config": config
 				}
-			},
-		}
+			}
+		},
 		op.#Exec & {
 			args: ["sh", "-c",
 				#"""
@ -90,16 +91,16 @@ import (
 						"""#,
 				]
 				env: TRIVY_USERNAME: config.basicAuth.username
-				env: TRIVY_NON_SSL: strconv.FormatBool(config.basicAuth.noSSL)
+				env: TRIVY_NON_SSL:  strconv.FormatBool(config.basicAuth.noSSL)
 				mount: "/password": secret: config.basicAuth.password
-			},
-		}
+			}
+		},
 		// config.gcpAuth case
 		if config.basicAuth == null && config.awsAuth == null && config.gcpAuth != null {
 			op.#WriteFile & {
 				dest:    "/credentials.json"
-				content: gcpAuth
-			},
+				content: config.gcpAuth
+			}
 			op.#Exec & {
 				args: ["/bin/bash", "-c",
 					#"""
@ -116,22 +117,7 @@ import (
 						chmod +x /usr/local/bin/trivy
 						"""#,
 				]
-			},
-		}
+			}
+		},
 	]
 }
-
-
-// #Image
-// {
-// 	// Image source (AWS, GCP, Docker Hub, Self hosted)
-// 	source: string
-
-// 	// Trivy Image arguments
-// 	args: [arg=string]: string
-
-// 	ctr: os.#Container & {
-// 		command: #"""
-// 		"""#
-// 	}
-// }