mirror of
https://github.com/kubescape/kubescape.git
synced 2026-04-15 06:58:11 +00:00
5379b9b0a6
* phase-1 Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> * factory Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> * wip: feat(cli): add an image scanning command Add a CLI command that launches an image scan. Does not scan images yet. Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * wip: feat: add image scanning service Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * chore: include dependencies Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * wip: adjust image scanning service Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * wip: feat: use scanning service in CLI Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * use iface Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> * touches Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> * continue Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> * add cmd Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> * support single workload scan Signed-off-by: Amir Malka <amirm@armosec.io> * fix conflict Signed-off-by: Amir Malka <amirm@armosec.io> * identifiers * go mod * feat(imagescan): add an image scanning command This commit adds a CLI command and an associated package that scan images for vulnerabilities. Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> feat(imagescan): fail on exceeding the severity threshold Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * chore(imagescan): include dependencies This commit adds the dependencies necessary for image scanning. Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * chore(imagescan): add dependencies to httphandler Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * added unit tests Signed-off-by: Amir Malka <amirm@armosec.io> * merge * more * integrate img scan * added unit tests Signed-off-by: Amir Malka <amirm@armosec.io> * more refactoring Signed-off-by: Amir Malka <amirm@armosec.io> * add scanned workload reference to opasessionobj Signed-off-by: Amir Malka <amirm@armosec.io> * fix GetWorkloadParentKind Signed-off-by: Amir Malka <amirm@armosec.io> * remove namespace argument from pullSingleResource, using field selector instead Signed-off-by: Amir Malka <amirm@armosec.io> * removed designators (unused) field from PolicyIdentifier, and designators argument from GetResources function Signed-off-by: Amir Malka <amirm@armosec.io> * changes * changes * fixes * changes * feat(imagescan): add an image scanning command This commit adds a CLI command and an associated package that scan images for vulnerabilities. Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> feat(imagescan): fail on exceeding the severity threshold Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * chore(imagescan): include dependencies This commit adds the dependencies necessary for image scanning. Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * chore(imagescan): add dependencies to httphandler Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * chore(imagescan): create vuln db with dedicated function Remove commented out code, too. Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * docs(imagescan): provide package-level docs Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * finish merge * image scan tests * continue * fixes * refactor * rm duplicate * start fixes * update gh actions Signed-off-by: David Wertenteil <dwertent@armosec.io> * pr fixes * fix test * improvements --------- Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> Signed-off-by: Amir Malka <amirm@armosec.io> Signed-off-by: David Wertenteil <dwertent@armosec.io> Co-authored-by: Daniel Grunberger <danielgrunberger@armosec.io> Co-authored-by: Vlad Klokun <vklokun@protonmail.ch> Co-authored-by: Amir Malka <amirm@armosec.io> Co-authored-by: David Wertenteil <dwertent@armosec.io>
108 lines
3.3 KiB
Go
108 lines
3.3 KiB
Go
package cautils
|
|
|
|
import (
|
|
"context"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/kubescape/opa-utils/objectsenvelopes/localworkload"
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func onlineBoutiquePath() string {
|
|
o, _ := os.Getwd()
|
|
return filepath.Join(filepath.Dir(o), "..", "examples", "online-boutique")
|
|
}
|
|
|
|
func helmChartPath() string {
|
|
o, _ := os.Getwd()
|
|
return filepath.Join(filepath.Dir(o), "..", "examples", "helm_chart")
|
|
}
|
|
|
|
func TestListFiles(t *testing.T) {
|
|
|
|
filesPath := onlineBoutiquePath()
|
|
|
|
files, errs := listFiles(filesPath)
|
|
assert.Equal(t, 0, len(errs))
|
|
assert.Equal(t, 12, len(files))
|
|
}
|
|
|
|
func TestLoadResourcesFromFiles(t *testing.T) {
|
|
workloads := LoadResourcesFromFiles(context.TODO(), onlineBoutiquePath(), "")
|
|
assert.Equal(t, 12, len(workloads))
|
|
|
|
for i, w := range workloads {
|
|
switch filepath.Base(i) {
|
|
case "adservice.yaml":
|
|
assert.Equal(t, 2, len(w))
|
|
assert.Equal(t, "apps/v1//Deployment/adservice", getRelativePath(w[0].GetID()))
|
|
assert.Equal(t, "/v1//Service/adservice", getRelativePath(w[1].GetID()))
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestLoadResourcesFromHelmCharts(t *testing.T) {
|
|
sourceToWorkloads, sourceToChartName := LoadResourcesFromHelmCharts(context.TODO(), helmChartPath())
|
|
assert.Equal(t, 6, len(sourceToWorkloads))
|
|
|
|
for file, workloads := range sourceToWorkloads {
|
|
assert.Equalf(t, 1, len(workloads), "expected 1 workload in file %s", file)
|
|
|
|
w := workloads[0]
|
|
assert.True(t, localworkload.IsTypeLocalWorkload(w.GetObject()), "Expected localworkload as object type")
|
|
assert.Equal(t, "kubescape", sourceToChartName[file].Name)
|
|
assert.Equal(t, helmChartPath(), sourceToChartName[file].Path)
|
|
|
|
switch filepath.Base(file) {
|
|
case "serviceaccount.yaml":
|
|
assert.Equal(t, "/v1//ServiceAccount/kubescape-discovery", getRelativePath(w.GetID()))
|
|
case "clusterrole.yaml":
|
|
assert.Equal(t, "rbac.authorization.k8s.io/v1//ClusterRole/-kubescape", getRelativePath(w.GetID()))
|
|
case "cronjob.yaml":
|
|
assert.Equal(t, "batch/v1//CronJob/-kubescape", getRelativePath(w.GetID()))
|
|
case "role.yaml":
|
|
assert.Equal(t, "rbac.authorization.k8s.io/v1//Role/-kubescape", getRelativePath(w.GetID()))
|
|
case "rolebinding.yaml":
|
|
assert.Equal(t, "rbac.authorization.k8s.io/v1//RoleBinding/-kubescape", getRelativePath(w.GetID()))
|
|
case "clusterrolebinding.yaml":
|
|
assert.Equal(t, "rbac.authorization.k8s.io/v1//ClusterRoleBinding/-kubescape", getRelativePath(w.GetID()))
|
|
default:
|
|
assert.Failf(t, "missing case for file: %s", filepath.Base(file))
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestLoadFiles(t *testing.T) {
|
|
files, _ := listFiles(onlineBoutiquePath())
|
|
_, err := loadFiles("", files)
|
|
assert.Equal(t, 0, len(err))
|
|
}
|
|
|
|
func TestListDirs(t *testing.T) {
|
|
dirs, _ := listDirs(filepath.Join(onlineBoutiquePath(), "adservice.yaml"))
|
|
assert.Equal(t, 0, len(dirs))
|
|
|
|
expectedDirs := []string{filepath.Join("examples", "helm_chart"), filepath.Join("examples", "helm_chart", "templates")}
|
|
dirs, _ = listDirs(helmChartPath())
|
|
assert.Equal(t, len(expectedDirs), len(dirs))
|
|
for i := range expectedDirs {
|
|
assert.Contains(t, dirs[i], expectedDirs[i])
|
|
}
|
|
}
|
|
|
|
func TestLoadFile(t *testing.T) {
|
|
files, _ := listFiles(filepath.Join(onlineBoutiquePath(), "adservice.yaml"))
|
|
assert.Equal(t, 1, len(files))
|
|
|
|
_, err := loadFile(files[0])
|
|
assert.NoError(t, err)
|
|
}
|
|
|
|
func getRelativePath(p string) string {
|
|
pp := strings.SplitAfter(p, "api=")
|
|
return pp[1]
|
|
}
|