From aac70c2f1749d0628af2c7a933165ae59e17a486 Mon Sep 17 00:00:00 2001 From: guillaume Date: Thu, 21 Oct 2021 15:57:52 +0200 Subject: [PATCH] Implement Trivy Config && Trivy CLI Signed-off-by: guillaume --- stdlib/trivy/trivy.cue | 129 ++++++++++++++++++++++++++++++++++++++--- 1 file changed, 121 insertions(+), 8 deletions(-) diff --git a/stdlib/trivy/trivy.cue b/stdlib/trivy/trivy.cue index abb04e50..19cebf18 100644 --- a/stdlib/trivy/trivy.cue +++ b/stdlib/trivy/trivy.cue @@ -1,7 +1,11 @@ package trivy import ( + "strconv" + + "alpha.dagger.io/aws" "alpha.dagger.io/dagger" + "alpha.dagger.io/os" ) // Set Trivy download source @@ -10,15 +14,124 @@ import ( // - Docker Hub // - Self Hosted -// Trivy configuration +// Trivy Configuration #Config: { - // Download source (AWS, GCP, Docker Hub, Self hosted) - source: string + // Docker Hub / Self hosted registry auth + basicAuth: { + // Username + username: dagger.#Input & {string} | *"" - // Trivy Image arguments - args: [arg=string]: string + // Password + password: dagger.#Input & {dagger.#Secret} | *"" - username: dagger.#Input & {*null | dagger.#Secret} - password: dagger.#Input & {*null | dagger.#Secret} - ssl: *true | bool + // No SSL connection + noSSL: *false | bool + } | *null + + // AWS ECR auth + awsAuth: aws.#Config | *null + + // GCR auth (credential.json as string) + gcpAuth: dagger.#Input & {string} | *null } + +// Re-usable CLI component +#CLI: { + config: #Config + + #up: [ + if config.awsAuth == null { + op.#Load & { + from: alpine.#Image & { + package: bash: "=~5.1" + package: curl: true + } + }, + } + if config.awsAuth != null { + op.#Load & { + from: aws.#CLI & { + "config": config + } + }, + } + op.#Exec & { + args: ["sh", "-c", + #""" + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh && + chmod +x /usr/local/bin/trivy + """#, + ] + }, + // config.basicAuth case + if config.basicAuth != null && config.awsAuth == null && config.gcpAuth == null { + op.#Exec & { + args: ["/bin/bash", "-c", + #""" + # Rename + mv /usr/local/bin/trivy /usr/local/bin/trivy-dagger + + # Build root of executable script + echo '#!/bin/bash'$'\n' > /usr/local/bin/trivy + + # Construct env string from env vars + envs=() + [ -n "$TRIVY_USERNAME" ] && envs+=("TRIVY_USERNAME={$TRIVY_USERNAME}") + [ -n "$TRIVY_NON_SSL" ] && envs+=("TRIVY_NON_SSL=$TRIVY_NON_SSL") + + # Append secret to env string + [ -n "$(cat /password)" ] && envs+=("TRIVY_PASSWORD={$(cat /password)}") + + # Append full command + echo "${envs[@]}" '/usr/local/bin/trivy-dagger "$@"' >> /usr/local/bin/trivy + + # Make it executable + chmod +x /usr/local/bin/trivy + """#, + ] + env: TRIVY_USERNAME: config.basicAuth.username + env: TRIVY_NON_SSL: strconv.FormatBool(config.basicAuth.noSSL) + mount: "/password": secret: config.basicAuth.password + }, + } + // config.gcpAuth case + if config.basicAuth == null && config.awsAuth == null && config.gcpAuth != null { + op.#WriteFile & { + dest: "/credentials.json" + content: gcpAuth + }, + op.#Exec & { + args: ["/bin/bash", "-c", + #""" + # Rename + mv /usr/local/bin/trivy /usr/local/bin/trivy-dagger + + # Build root of executable script + echo '#!/bin/bash'$'\n' > /usr/local/bin/trivy + + # Append full command + echo "TRIVY_USERNAME=" "GOOGLE_APPLICATION_CREDENTIALS=/credentials.json" '/usr/local/bin/trivy-dagger "$@"' >> /usr/local/bin/trivy + + # Make it executable + chmod +x /usr/local/bin/trivy + """#, + ] + }, + } + ] +} + + +// #Image +// { +// // Image source (AWS, GCP, Docker Hub, Self hosted) +// source: string + +// // Trivy Image arguments +// args: [arg=string]: string + +// ctr: os.#Container & { +// command: #""" +// """# +// } +// }