diff --git a/stdlib/.dagger/env/trivy/.gitignore b/stdlib/.dagger/env/trivy/.gitignore
new file mode 100644
index 00000000..01ec19b0
--- /dev/null
+++ b/stdlib/.dagger/env/trivy/.gitignore
@@ -0,0 +1,2 @@
+# dagger state
+state/**
diff --git a/stdlib/.dagger/env/trivy/values.yaml b/stdlib/.dagger/env/trivy/values.yaml
new file mode 100644
index 00000000..498f4ce0
--- /dev/null
+++ b/stdlib/.dagger/env/trivy/values.yaml
@@ -0,0 +1,23 @@
+plan:
+ package: ./trivy/tests
+name: trivy
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1gxwmtwahzwdmrskhf90ppwlnze30lgpm056kuesrxzeuyclrwvpsupwtpk
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2QVVmbFlHazZaeDJ6Vk5l
+ dldPbmttNWhLb1hnVjZMMGRkdk9kR3ErMENZCkJBOGN5NDFZYzRHR0N6d1NIeDMx
+ QXV0RkJydWltL092YnFNY3FGcUlYTGsKLS0tIGcxV0tYOGRNTE51K0VCNHAwcEtn
+ bHZuNEZsYnNNaHdBOFBTYmJtNC9JRncKVcqn44INSaA5TGRl/566DMu7scX9UjtV
+ 3FhUcSfLFJXviw/ll3dUONXOQJTe3p9SgFCHir2qnMmJqErDDvqj/Q==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2021-10-21T14:00:04Z"
+ mac: ENC[AES256_GCM,data:YTCRHj9jF0JBXEmC8ljCnEweQKCdMYry2GiPoveFBuwG3aSSTLhoPbrLNA+0FJ/AEaQNwNDv8KbZ6i9phcDCmTh6LVIVryxWy5Th8kFp9CSyYyyIBU64OO57hsXtIDvWW1IXtXqd8mngjv3v57/SIsRxo1amTOlSKbjAoY61Rw8=,iv:xcDXzNYOXbEfowEAzf+wVrb0vJFTr0aTCRS23Nj0OmE=,tag:qQjpB4xs014EaEswwrOWeQ==,type:str]
+ pgp: []
+ encrypted_suffix: secret
+ version: 3.7.1
diff --git a/stdlib/trivy/image.cue b/stdlib/trivy/image.cue
new file mode 100644
index 00000000..6c0cfe00
--- /dev/null
+++ b/stdlib/trivy/image.cue
@@ -0,0 +1,59 @@
+package trivy
+
+import (
+ "encoding/json"
+
+ "alpha.dagger.io/os"
+)
+
+// Scan an Image
+#Image: {
+ // Trivy configuration
+ config: #Config
+
+ // Image source (AWS, GCP, Docker Hub, Self hosted)
+ source: string
+
+ // Trivy Image arguments
+ args: [arg=string]: string
+
+ // Enforce args best practices
+ args: {
+ "--exit-code": *"1" | string
+ "--severity": *"HIGH,CRITICAL" | string
+ "--format": *"table" | string
+ "--ignore-unfixed": *"true" | string
+ }
+
+ ctr: os.#Container & {
+ image: #CLI & {
+ "config": config
+ }
+ shell: {
+ path: "/bin/bash"
+ args: ["--noprofile", "--norc", "-eo", "pipefail", "-c"]
+ }
+ command: #"""
+ trivyArgs="$(
+ echo "$ARGS" |
+ jq -c '
+ to_entries |
+ map(.key + " " + (.value | tostring) + " ") |
+ add
+ ')"
+
+ trivy image "$trivyArgs" "$SOURCE"
+ echo "$SOURCE" > /ref
+ """#
+ env: ARGS: json.Marshal(args)
+ env: SOURCE: source
+ }
+
+ // Export ref to create dependency (wait for the check to finish)
+ ref: {
+ os.#File & {
+ from: ctr
+ path: "/ref"
+ }
+ }.contents @dagger(output)
+}
diff --git a/stdlib/trivy/tests/trivy.cue b/stdlib/trivy/tests/trivy.cue
new file mode 100644
index 00000000..0e51dfcb
--- /dev/null
+++ b/stdlib/trivy/tests/trivy.cue
@@ -0,0 +1,2 @@
+package trivy
+
diff --git a/stdlib/trivy/trivy.cue b/stdlib/trivy/trivy.cue
index 19cebf18..f669ebf2 100644
--- a/stdlib/trivy/trivy.cue
+++ b/stdlib/trivy/trivy.cue
@@ -3,9 +3,10 @@ package trivy
 import (
 "strconv"
+ "alpha.dagger.io/alpine"
 "alpha.dagger.io/aws"
 "alpha.dagger.io/dagger"
- "alpha.dagger.io/os"
+ "alpha.dagger.io/dagger/op"
 )
 // Set Trivy download source
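Review bot: `trivy image "$trivyArgs" "$SOURCE"` hands trivy the entire flag string as one argv word, because `$trivyArgs` is double-quoted and the jq pipeline above it concatenates every `.key`/`.value` pair into a single string; trivy would see one unknown flag such as `--exit-code 1 --severity HIGH,CRITICAL ...` instead of separate options. Keeping each key and value as its own argument avoids both the collapse and any later word-splitting of user-supplied values: `readarray -t trivyArgs < <(echo "$ARGS" | jq -r 'to_entries[] | .key, .value')` followed by `trivy image "${trivyArgs[@]}" "$SOURCE"`. Two things to confirm against the rest of the package: jq is not among the packages visible in the #CLI image in this commit (only bash and curl appear in the trivy.cue hunks), and `--ignore-unfixed` is a boolean flag in trivy as far as I know, so the default value `"true"` would likely end up as a stray positional argument rather than being consumed by the flag. The `#CLI` definition this relies on lives in trivy.cue, outside this hunk.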
@@ -19,20 +20,20 @@ import (
 // Docker Hub / Self hosted registry auth
 basicAuth: {
 // Username
- username: dagger.#Input & {string} | *""
+ username: dagger.#Input & {string}
 // Password
- password: dagger.#Input & {dagger.#Secret} | *""
+ password: dagger.#Input & {dagger.#Secret}
 // No SSL connection
- noSSL: *false | bool
+ noSSL: *false | bool
 } | *null
 // AWS ECR auth
 awsAuth: aws.#Config | *null
 // GCR auth (credential.json as string)
- gcpAuth: dagger.#Input & {string} | *null
+ gcpAuth: dagger.#Input & {dagger.#Secret | *null}
 }
 // Re-usable CLI component
@@ -46,15 +47,15 @@ import (
 package: bash: "=~5.1"
 package: curl: true
 }
- },
- }
+ }
+ },
 if config.awsAuth != null {
 op.#Load & {
 from: aws.#CLI & {
 "config": config
 }
- },
- }
+ }
+ },
 op.#Exec & {
 args: ["sh", "-c", #"""
@@ -90,16 +91,16 @@ import (
 """#,
 ]
 env: TRIVY_USERNAME: config.basicAuth.username
- env: TRIVY_NON_SSL: strconv.FormatBool(config.basicAuth.noSSL)
+ env: TRIVY_NON_SSL: strconv.FormatBool(config.basicAuth.noSSL)
 mount: "/password": secret: config.basicAuth.password
- },
- }
+ }
+ },
 // config.gcpAuth case
 if config.basicAuth == null && config.awsAuth == null && config.gcpAuth != null {
 op.#WriteFile & {
 dest: "/credentials.json"
- content: gcpAuth
- },
+ content: config.gcpAuth
+ }
 op.#Exec & {
 args: ["/bin/bash", "-c", #"""
@@ -116,22 +117,7 @@ import (
 chmod +x /usr/local/bin/trivy
 """#,
 ]
- },
- }
+ }
+ },
 ]
 }
-
-
-// #Image
-// {
-// // Image source (AWS, GCP, Docker Hub, Self hosted)
-// source: string
-
-// // Trivy Image arguments
-// args: [arg=string]: string
-
-// ctr: os.#Container & {
-// command: #"""
-// """#
-// }
-// }
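Review bot: The comment above `gcpAuth` still reads `// GCR auth (credential.json as string)` although the field is now typed `dagger.#Input & {dagger.#Secret | *null}`; it should say `// GCR auth (credential.json as a secret)` so readers don't pass the file contents as a plain string. Moving the credential to a `dagger.#Secret` is the right direction, since a plain string input would end up in the pipeline's plan and state files. Note also that dropping `| *""` from `username` and `password` makes both required whenever `basicAuth` is set at all, which changes what existing configurations unify with; if that is intended it is worth a one-line comment on `basicAuth`.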
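Review bot: In the `config.gcpAuth` branch, `op.#WriteFile & { dest: "/credentials.json", content: config.gcpAuth }` writes a `dagger.#Secret` as file content, whereas the `basicAuth` branch a few lines earlier surfaces its secret with `mount: "/password": secret: config.basicAuth.password`. Unless `op.#WriteFile` accepts a secret as `content` (I can't confirm that from this hunk), this is likely either a type error or a write of the secret handle rather than the credential; and even if it works, writing the credential into a filesystem layer persists it in the build cache, which a mount avoids. The consistent form is to drop the `op.#WriteFile` step and add `mount: "/credentials.json": secret: config.gcpAuth` to the following `op.#Exec`, whose body continues outside this hunk. The same `}`/`},` reordering appears in the two other trivy.cue hunks and needs no further comment.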