Implement #Image

Signed-off-by: guillaume <guillaume.derouville@gmail.com>
This commit is contained in:
guillaume 2021-10-21 19:19:06 +02:00
parent aac70c2f17
commit 701be92dad
5 changed files with 103 additions and 31 deletions

2
stdlib/.dagger/env/trivy/.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
# dagger state
state/**

23
stdlib/.dagger/env/trivy/values.yaml vendored Normal file
View File

@ -0,0 +1,23 @@
plan:
package: ./trivy/tests
name: trivy
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1gxwmtwahzwdmrskhf90ppwlnze30lgpm056kuesrxzeuyclrwvpsupwtpk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2QVVmbFlHazZaeDJ6Vk5l
dldPbmttNWhLb1hnVjZMMGRkdk9kR3ErMENZCkJBOGN5NDFZYzRHR0N6d1NIeDMx
QXV0RkJydWltL092YnFNY3FGcUlYTGsKLS0tIGcxV0tYOGRNTE51K0VCNHAwcEtn
bHZuNEZsYnNNaHdBOFBTYmJtNC9JRncKVcqn44INSaA5TGRl/566DMu7scX9UjtV
3FhUcSfLFJXviw/ll3dUONXOQJTe3p9SgFCHir2qnMmJqErDDvqj/Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2021-10-21T14:00:04Z"
mac: ENC[AES256_GCM,data:YTCRHj9jF0JBXEmC8ljCnEweQKCdMYry2GiPoveFBuwG3aSSTLhoPbrLNA+0FJ/AEaQNwNDv8KbZ6i9phcDCmTh6LVIVryxWy5Th8kFp9CSyYyyIBU64OO57hsXtIDvWW1IXtXqd8mngjv3v57/SIsRxo1amTOlSKbjAoY61Rw8=,iv:xcDXzNYOXbEfowEAzf+wVrb0vJFTr0aTCRS23Nj0OmE=,tag:qQjpB4xs014EaEswwrOWeQ==,type:str]
pgp: []
encrypted_suffix: secret
version: 3.7.1

59
stdlib/trivy/image.cue Normal file
View File

@ -0,0 +1,59 @@
package trivy
import (
"encoding/json"
"alpha.dagger.io/os"
)
// Scan an Image
#Image: {
// Trivy configuration
config: #Config
// Image source (AWS, GCP, Docker Hub, Self hosted)
source: string
// Trivy Image arguments
args: [arg=string]: string
// Enforce args best practices
args: {
"--exit-code": *"1" | string
"--severity": *"HIGH,CRITICAL" | string
"--format": *"table" | string
"--ignore-unfixed": *"true" | string
}
ctr: os.#Container & {
image: #CLI & {
"config": config
}
shell: {
path: "/bin/bash"
args: ["--noprofile", "--norc", "-eo", "pipefail", "-c"]
}
command: #"""
trivyArgs="$(
echo "$ARGS" |
jq -c '
to_entries |
map(.key + " " + (.value | tostring) + " ") |
add
')"
trivy image "$trivyArgs" "$SOURCE"
echo "$SOURCE" > /ref
"""#
env: ARGS: json.Marshal(args)
env: SOURCE: source
}
// Export ref to create dependency (wait for the check to finish)
ref: {
os.#File & {
from: ctr
path: "/ref"
}
}.contents @dagger(output)
}

View File

@ -0,0 +1,2 @@
package trivy

View File

@ -3,9 +3,10 @@ package trivy
import ( import (
"strconv" "strconv"
"alpha.dagger.io/alpine"
"alpha.dagger.io/aws" "alpha.dagger.io/aws"
"alpha.dagger.io/dagger" "alpha.dagger.io/dagger"
"alpha.dagger.io/os" "alpha.dagger.io/dagger/op"
) )
// Set Trivy download source // Set Trivy download source
@ -19,10 +20,10 @@ import (
// Docker Hub / Self hosted registry auth // Docker Hub / Self hosted registry auth
basicAuth: { basicAuth: {
// Username // Username
username: dagger.#Input & {string} | *"" username: dagger.#Input & {string}
// Password // Password
password: dagger.#Input & {dagger.#Secret} | *"" password: dagger.#Input & {dagger.#Secret}
// No SSL connection // No SSL connection
noSSL: *false | bool noSSL: *false | bool
@ -32,7 +33,7 @@ import (
awsAuth: aws.#Config | *null awsAuth: aws.#Config | *null
// GCR auth (credential.json as string) // GCR auth (credential.json as string)
gcpAuth: dagger.#Input & {string} | *null gcpAuth: dagger.#Input & {dagger.#Secret | *null}
} }
// Re-usable CLI component // Re-usable CLI component
@ -46,15 +47,15 @@ import (
package: bash: "=~5.1" package: bash: "=~5.1"
package: curl: true package: curl: true
} }
},
} }
},
if config.awsAuth != null { if config.awsAuth != null {
op.#Load & { op.#Load & {
from: aws.#CLI & { from: aws.#CLI & {
"config": config "config": config
} }
},
} }
},
op.#Exec & { op.#Exec & {
args: ["sh", "-c", args: ["sh", "-c",
#""" #"""
@ -92,14 +93,14 @@ import (
env: TRIVY_USERNAME: config.basicAuth.username env: TRIVY_USERNAME: config.basicAuth.username
env: TRIVY_NON_SSL: strconv.FormatBool(config.basicAuth.noSSL) env: TRIVY_NON_SSL: strconv.FormatBool(config.basicAuth.noSSL)
mount: "/password": secret: config.basicAuth.password mount: "/password": secret: config.basicAuth.password
},
} }
},
// config.gcpAuth case // config.gcpAuth case
if config.basicAuth == null && config.awsAuth == null && config.gcpAuth != null { if config.basicAuth == null && config.awsAuth == null && config.gcpAuth != null {
op.#WriteFile & { op.#WriteFile & {
dest: "/credentials.json" dest: "/credentials.json"
content: gcpAuth content: config.gcpAuth
}, }
op.#Exec & { op.#Exec & {
args: ["/bin/bash", "-c", args: ["/bin/bash", "-c",
#""" #"""
@ -116,22 +117,7 @@ import (
chmod +x /usr/local/bin/trivy chmod +x /usr/local/bin/trivy
"""#, """#,
] ]
},
} }
},
] ]
} }
// #Image
// {
// // Image source (AWS, GCP, Docker Hub, Self hosted)
// source: string
// // Trivy Image arguments
// args: [arg=string]: string
// ctr: os.#Container & {
// command: #"""
// """#
// }
// }