mirror of
https://github.com/kubescape/kubescape.git
synced 2026-04-15 06:58:11 +00:00
5379b9b0a6
* phase-1 Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> * factory Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> * wip: feat(cli): add an image scanning command Add a CLI command that launches an image scan. Does not scan images yet. Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * wip: feat: add image scanning service Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * chore: include dependencies Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * wip: adjust image scanning service Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * wip: feat: use scanning service in CLI Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * use iface Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> * touches Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> * continue Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> * add cmd Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> * support single workload scan Signed-off-by: Amir Malka <amirm@armosec.io> * fix conflict Signed-off-by: Amir Malka <amirm@armosec.io> * identifiers * go mod * feat(imagescan): add an image scanning command This commit adds a CLI command and an associated package that scan images for vulnerabilities. Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> feat(imagescan): fail on exceeding the severity threshold Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * chore(imagescan): include dependencies This commit adds the dependencies necessary for image scanning. Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * chore(imagescan): add dependencies to httphandler Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * added unit tests Signed-off-by: Amir Malka <amirm@armosec.io> * merge * more * integrate img scan * added unit tests Signed-off-by: Amir Malka <amirm@armosec.io> * more refactoring Signed-off-by: Amir Malka <amirm@armosec.io> * add scanned workload reference to opasessionobj Signed-off-by: Amir Malka <amirm@armosec.io> * fix GetWorkloadParentKind Signed-off-by: Amir Malka <amirm@armosec.io> * remove namespace argument from pullSingleResource, using field selector instead Signed-off-by: Amir Malka <amirm@armosec.io> * removed designators (unused) field from PolicyIdentifier, and designators argument from GetResources function Signed-off-by: Amir Malka <amirm@armosec.io> * changes * changes * fixes * changes * feat(imagescan): add an image scanning command This commit adds a CLI command and an associated package that scan images for vulnerabilities. Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> feat(imagescan): fail on exceeding the severity threshold Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * chore(imagescan): include dependencies This commit adds the dependencies necessary for image scanning. Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * chore(imagescan): add dependencies to httphandler Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * chore(imagescan): create vuln db with dedicated function Remove commented out code, too. Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * docs(imagescan): provide package-level docs Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * finish merge * image scan tests * continue * fixes * refactor * rm duplicate * start fixes * update gh actions Signed-off-by: David Wertenteil <dwertent@armosec.io> * pr fixes * fix test * improvements --------- Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> Signed-off-by: Amir Malka <amirm@armosec.io> Signed-off-by: David Wertenteil <dwertent@armosec.io> Co-authored-by: Daniel Grunberger <danielgrunberger@armosec.io> Co-authored-by: Vlad Klokun <vklokun@protonmail.ch> Co-authored-by: Amir Malka <amirm@armosec.io> Co-authored-by: David Wertenteil <dwertent@armosec.io>
122 lines
3.5 KiB
Go
122 lines
3.5 KiB
Go
package scan
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"strings"
|
|
|
|
"github.com/kubescape/kubescape/v2/core/cautils"
|
|
"github.com/kubescape/kubescape/v2/core/meta"
|
|
v1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
|
|
"github.com/kubescape/opa-utils/objectsenvelopes"
|
|
|
|
"github.com/spf13/cobra"
|
|
)
|
|
|
|
var (
|
|
workloadExample = fmt.Sprintf(`
|
|
# Scan an workload
|
|
%[1]s scan workload <kind>/<name>
|
|
|
|
# Scan an workload in a specific namespace
|
|
%[1]s scan workload <kind>/<name> --namespace <namespace>
|
|
|
|
# Scan an workload from a file path
|
|
%[1]s scan workload <kind>/<name> --file-path <file path>
|
|
|
|
# Scan an workload from a helm-chart template
|
|
%[1]s scan workload <kind>/<name> --chart-path <chart path> --file-path <file path>
|
|
|
|
|
|
`, cautils.ExecName())
|
|
|
|
ErrInvalidWorkloadIdentifier = errors.New("invalid workload identifier")
|
|
)
|
|
|
|
var namespace string
|
|
|
|
// controlCmd represents the control command
|
|
func getWorkloadCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Command {
|
|
workloadCmd := &cobra.Command{
|
|
Use: "workload <kind>/<name> [`<glob pattern>`/`-`] [flags]",
|
|
Short: fmt.Sprint("The workload you wish to scan"),
|
|
Example: workloadExample,
|
|
Args: func(cmd *cobra.Command, args []string) error {
|
|
if len(args) != 1 {
|
|
return fmt.Errorf("usage: <kind>/<name> [`<glob pattern>`/`-`] [flags]")
|
|
}
|
|
|
|
if scanInfo.ChartPath != "" && scanInfo.FilePath == "" {
|
|
return fmt.Errorf("usage: --chart-path <chart path> --file-path <file path>")
|
|
}
|
|
|
|
return validateWorkloadIdentifier(args[0])
|
|
},
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
|
|
kind, name, err := parseWorkloadIdentifierString(args[0])
|
|
if err != nil {
|
|
return fmt.Errorf("invalid input: %s", err.Error())
|
|
}
|
|
|
|
setWorkloadScanInfo(scanInfo, kind, name)
|
|
|
|
// todo: add api version if provided
|
|
ctx := context.TODO()
|
|
results, err := ks.Scan(ctx, scanInfo)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if err = results.HandleResults(ctx); err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
},
|
|
}
|
|
workloadCmd.PersistentFlags().StringVarP(&namespace, "namespace", "n", "", "Namespace of the workload. Default will be empty.")
|
|
workloadCmd.PersistentFlags().StringVar(&scanInfo.FilePath, "file-path", "", "Path to the workload file.")
|
|
workloadCmd.PersistentFlags().StringVar(&scanInfo.ChartPath, "chart-path", "", "Path to the helm chart the workload is part of. Must be used with --file-path.")
|
|
|
|
return workloadCmd
|
|
}
|
|
|
|
func setWorkloadScanInfo(scanInfo *cautils.ScanInfo, kind string, name string) {
|
|
scanInfo.SetScanType(cautils.ScanTypeWorkload)
|
|
scanInfo.ScanImages = true
|
|
|
|
scanInfo.ScanObject = &objectsenvelopes.ScanObject{}
|
|
scanInfo.ScanObject.SetNamespace(namespace)
|
|
scanInfo.ScanObject.SetKind(kind)
|
|
scanInfo.ScanObject.SetName(name)
|
|
|
|
scanInfo.SetPolicyIdentifiers([]string{"workloadscan"}, v1.KindFramework)
|
|
|
|
if scanInfo.FilePath != "" {
|
|
scanInfo.InputPatterns = []string{scanInfo.FilePath}
|
|
}
|
|
}
|
|
|
|
func validateWorkloadIdentifier(workloadIdentifier string) error {
|
|
// workloadIdentifier is in the form of kind/name
|
|
x := strings.Split(workloadIdentifier, "/")
|
|
if len(x) != 2 || x[0] == "" || x[1] == "" {
|
|
return ErrInvalidWorkloadIdentifier
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func parseWorkloadIdentifierString(workloadIdentifier string) (kind, name string, err error) {
|
|
// workloadIdentifier is in the form of namespace/kind/name
|
|
// example: default/Deployment/nginx-deployment
|
|
x := strings.Split(workloadIdentifier, "/")
|
|
if len(x) != 2 {
|
|
return "", "", ErrInvalidWorkloadIdentifier
|
|
}
|
|
|
|
return x[0], x[1], nil
|
|
}
|