robot: Various enhancement to security scans (#1100)
* 🤖 Add --add-cpes-if-none to grype Signed-off-by: mudler <mudler@c3os.io> * 🤖 Remove dup Signed-off-by: mudler <mudler@c3os.io> * 🤖 Scan from base-image Signed-off-by: mudler <mudler@c3os.io> * 🤖 Move ARGs where are needed Signed-off-by: mudler <mudler@c3os.io> --------- Signed-off-by: mudler <mudler@c3os.io>
committed by
Itxaka
parent
199f7fff43
commit
b2d6fc5d7e
74
Earthfile
74
Earthfile
@@ -36,7 +36,7 @@ ARG IMAGE_REPOSITORY_ORG=quay.io/kairos
|
||||
|
||||
|
||||
all:
|
||||
BUILD +docker
|
||||
BUILD +image
|
||||
BUILD +image-sbom
|
||||
BUILD +trivy-scan
|
||||
BUILD +grype-scan
|
||||
@@ -45,7 +45,7 @@ all:
|
||||
BUILD +ipxe-iso
|
||||
|
||||
all-arm:
|
||||
BUILD --platform=linux/arm64 +docker
|
||||
BUILD --platform=linux/arm64 +image
|
||||
BUILD +image-sbom
|
||||
BUILD +trivy-scan
|
||||
BUILD +grype-scan
|
||||
@@ -208,7 +208,8 @@ syft:
|
||||
SAVE ARTIFACT /syft syft
|
||||
|
||||
image-sbom:
|
||||
FROM +docker
|
||||
# Use base-image so it can read original os-release file
|
||||
FROM +base-image
|
||||
WORKDIR /build
|
||||
COPY +version/VERSION ./
|
||||
ARG VERSION=$(cat VERSION)
|
||||
@@ -295,7 +296,7 @@ framework-image:
|
||||
COPY (+framework/framework --VERSION=$VERSION --FLAVOR=$FLAVOR) /
|
||||
SAVE IMAGE --push $IMAGE_REPOSITORY_ORG/framework:${VERSION}_${FLAVOR}
|
||||
|
||||
docker:
|
||||
base-image:
|
||||
ARG FLAVOR
|
||||
ARG VARIANT
|
||||
IF [ "$BASE_IMAGE" = "" ]
|
||||
@@ -315,39 +316,15 @@ docker:
|
||||
ELSE
|
||||
ARG OS_VERSION=${KAIROS_VERSION}
|
||||
END
|
||||
|
||||
ARG OS_ID
|
||||
ARG OS_NAME=${OS_ID}-${VARIANT}-${FLAVOR}
|
||||
ARG OS_REPO=quay.io/kairos/${VARIANT}-${FLAVOR}
|
||||
ARG OS_LABEL=latest
|
||||
|
||||
# Includes overlay/files
|
||||
COPY (+framework/framework --FLAVOR=$FLAVOR --VERSION=$OS_VERSION) /
|
||||
|
||||
DO +OSRELEASE --HOME_URL=https://github.com/kairos-io/kairos --BUG_REPORT_URL=https://github.com/kairos-io/kairos/issues --GITHUB_REPO=kairos-io/kairos --VARIANT=${VARIANT} --FLAVOR=${FLAVOR} --OS_ID=${OS_ID} --OS_LABEL=${OS_LABEL} --OS_NAME=${OS_NAME} --OS_REPO=${OS_REPO} --OS_VERSION=${OS_VERSION}
|
||||
|
||||
RUN rm -rf /etc/machine-id && touch /etc/machine-id && chmod 444 /etc/machine-id
|
||||
|
||||
# Avoid to accidentally push keys generated by package managers
|
||||
RUN rm -rf /etc/ssh/ssh_host_*
|
||||
|
||||
# Copy flavor-specific overlay files
|
||||
IF [[ "$FLAVOR" =~ "alpine" ]]
|
||||
COPY overlay/files-alpine/ /
|
||||
END
|
||||
|
||||
IF [ "$FLAVOR" = "opensuse" ] || [ "$FLAVOR" = "opensuse-tumbleweed" ]
|
||||
COPY overlay/files-opensuse/ /
|
||||
ELSE IF [ "$FLAVOR" = "alpine-arm-rpi" ]
|
||||
COPY overlay/files-opensuse-arm-rpi/ /
|
||||
ELSE IF [ "$FLAVOR" = "opensuse-leap-arm-rpi" ] || [ "$FLAVOR" = "opensuse-tumbleweed-arm-rpi" ]
|
||||
COPY overlay/files-opensuse-arm-rpi/ /
|
||||
ELSE IF [ "$FLAVOR" = "fedora" ] || [ "$FLAVOR" = "rockylinux" ]
|
||||
COPY overlay/files-fedora/ /
|
||||
ELSE IF [ "$FLAVOR" = "debian" ] || [ "$FLAVOR" = "ubuntu" ] || [ "$FLAVOR" = "ubuntu-20-lts" ] || [ "$FLAVOR" = "ubuntu-22-lts" ]
|
||||
COPY overlay/files-ubuntu/ /
|
||||
END
|
||||
|
||||
# Enable services
|
||||
IF [ -f /sbin/openrc ]
|
||||
RUN mkdir -p /etc/runlevels/default && \
|
||||
@@ -416,10 +393,29 @@ docker:
|
||||
|
||||
RUN rm -rf /tmp/*
|
||||
|
||||
image:
|
||||
FROM +base-image
|
||||
ARG FLAVOR
|
||||
ARG VARIANT
|
||||
ARG KAIROS_VERSION
|
||||
IF [ "$KAIROS_VERSION" = "" ]
|
||||
COPY +version/VERSION ./
|
||||
ARG VERSION=$(cat VERSION)
|
||||
RUN echo "version ${VERSION}"
|
||||
ARG OS_VERSION=${VERSION}
|
||||
RUN rm VERSION
|
||||
ELSE
|
||||
ARG OS_VERSION=${KAIROS_VERSION}
|
||||
END
|
||||
ARG OS_ID
|
||||
ARG OS_NAME=${OS_ID}-${VARIANT}-${FLAVOR}
|
||||
ARG OS_REPO=quay.io/kairos/${VARIANT}-${FLAVOR}
|
||||
ARG OS_LABEL=latest
|
||||
DO +OSRELEASE --HOME_URL=https://github.com/kairos-io/kairos --BUG_REPORT_URL=https://github.com/kairos-io/kairos/issues --GITHUB_REPO=kairos-io/kairos --VARIANT=${VARIANT} --FLAVOR=${FLAVOR} --OS_ID=${OS_ID} --OS_LABEL=${OS_LABEL} --OS_NAME=${OS_NAME} --OS_REPO=${OS_REPO} --OS_VERSION=${OS_VERSION}
|
||||
SAVE IMAGE $IMAGE
|
||||
|
||||
docker-rootfs:
|
||||
FROM +docker
|
||||
image-rootfs:
|
||||
FROM +image
|
||||
SAVE ARTIFACT --keep-own /. rootfs
|
||||
|
||||
###
|
||||
@@ -434,7 +430,7 @@ iso:
|
||||
FROM $OSBUILDER_IMAGE
|
||||
WORKDIR /build
|
||||
COPY . ./
|
||||
COPY --keep-own +docker-rootfs/rootfs /build/image
|
||||
COPY --keep-own +image-rootfs/rootfs /build/image
|
||||
RUN /entrypoint.sh --name $ISO_NAME --debug build-iso --squash-no-compression --date=false dir:/build/image --overlay-iso /build/${overlay} --output /build/
|
||||
SAVE ARTIFACT /build/$ISO_NAME.iso kairos.iso AS LOCAL build/$ISO_NAME.iso
|
||||
SAVE ARTIFACT /build/$ISO_NAME.iso.sha256 kairos.iso.sha256 AS LOCAL build/$ISO_NAME.iso.sha256
|
||||
@@ -473,7 +469,7 @@ arm-image:
|
||||
ENV RECOVERY_SIZE="4200"
|
||||
ENV SIZE="15200"
|
||||
ENV DEFAULT_ACTIVE_SIZE="2000"
|
||||
COPY --platform=linux/arm64 +docker-rootfs/rootfs /build/image
|
||||
COPY --platform=linux/arm64 +image-rootfs/rootfs /build/image
|
||||
# With docker is required for loop devices
|
||||
WITH DOCKER --allow-privileged
|
||||
RUN /build-arm-image.sh --model $MODEL --directory "/build/image" /build/$IMAGE_NAME
|
||||
@@ -531,7 +527,8 @@ trivy:
|
||||
SAVE ARTIFACT /usr/local/bin/trivy /trivy
|
||||
|
||||
trivy-scan:
|
||||
FROM +docker
|
||||
# Use base-image so it can read original os-release file
|
||||
FROM +base-image
|
||||
COPY +trivy/trivy /trivy
|
||||
COPY +trivy/contrib /contrib
|
||||
COPY +version/VERSION ./
|
||||
@@ -551,15 +548,16 @@ grype:
|
||||
SAVE ARTIFACT /grype /grype
|
||||
|
||||
grype-scan:
|
||||
FROM +docker
|
||||
# Use base-image so it can read original os-release file
|
||||
FROM +base-image
|
||||
COPY +grype/grype /grype
|
||||
COPY +version/VERSION ./
|
||||
ARG VERSION=$(cat VERSION)
|
||||
ARG FLAVOR
|
||||
ARG VARIANT
|
||||
WORKDIR /build
|
||||
RUN /grype dir:/ --output sarif --file report.sarif
|
||||
RUN /grype dir:/ --output json --file report.json
|
||||
RUN /grype dir:/ --output sarif --add-cpes-if-none --file report.sarif
|
||||
RUN /grype dir:/ --output json --add-cpes-if-none --file report.json
|
||||
SAVE ARTIFACT /build/report.sarif report.sarif AS LOCAL build/${VARIANT}-${FLAVOR}-${VERSION}-grype.sarif
|
||||
SAVE ARTIFACT /build/report.json report.json AS LOCAL build/${VARIANT}-${FLAVOR}-${VERSION}-grype.json
|
||||
|
||||
@@ -574,7 +572,7 @@ linux-bench:
|
||||
# However, some checks are relevant as well at container level.
|
||||
# It is good enough for a quick assessment.
|
||||
linux-bench-scan:
|
||||
FROM +docker
|
||||
FROM +image
|
||||
GIT CLONE https://github.com/aquasecurity/linux-bench /build/linux-bench
|
||||
WORKDIR /build/linux-bench
|
||||
COPY +linux-bench/linux-bench /build/linux-bench/linux-bench
|
||||
@@ -825,7 +823,7 @@ temp-image:
|
||||
|
||||
ARG TTL_IMAGE = "ttl.sh/${NAME}:${EXPIRATION}"
|
||||
|
||||
FROM +docker
|
||||
FROM +image
|
||||
SAVE IMAGE --push $TTL_IMAGE
|
||||
|
||||
generate-schema:
|
||||
|
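Review bot: The new `RUN /grype dir:/ --output sarif --add-cpes-if-none --file report.sarif` line (and its json twin) in grype-scan scans the stage's entire root filesystem, which at that point also holds the `/grype` binary copied in a few lines earlier and the `/build` report directory, so the scanner's own embedded Go dependencies are likely to appear as findings against the OS image; trivy-scan has the same exposure with `/trivy` and `/contrib`. Grype's `--exclude` glob flag (e.g. `--exclude './grype'`) on both RUN lines, and trivy's `--skip-files`/`--skip-dirs` on its side, would keep the reports limited to the distro rootfs. The comment `# Use base-image so it can read original os-release file` could also state why scanning `+base-image` still represents what is shipped: `# Scan +base-image rather than +image: it keeps the distro's original os-release (needed for distro matching), and +image only adds the OSRELEASE rewrite on top of it`. Finally, `--add-cpes-if-none` synthesizes CPEs for packages that lack one, which raises recall but also the false-positive rate, so that trade-off deserves a one-line comment next to the flag.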