robot: Various enhancement to security scans (#1100)
* 🤖 Add --add-cpes-if-none to grype Signed-off-by: mudler <mudler@c3os.io> * 🤖 Remove dup Signed-off-by: mudler <mudler@c3os.io> * 🤖 Scan from base-image Signed-off-by: mudler <mudler@c3os.io> * 🤖 Move ARGs where they are needed Signed-off-by: mudler <mudler@c3os.io> --------- Signed-off-by: mudler <mudler@c3os.io>
committed by
Itxaka
parent
199f7fff43
commit
b2d6fc5d7e
74
Earthfile
74
Earthfile
@@ -36,7 +36,7 @@ ARG IMAGE_REPOSITORY_ORG=quay.io/kairos
|
|||||||
|
|
||||||
|
|
||||||
all:
|
all:
|
||||||
BUILD +docker
|
BUILD +image
|
||||||
BUILD +image-sbom
|
BUILD +image-sbom
|
||||||
BUILD +trivy-scan
|
BUILD +trivy-scan
|
||||||
BUILD +grype-scan
|
BUILD +grype-scan
|
||||||
@@ -45,7 +45,7 @@ all:
|
|||||||
BUILD +ipxe-iso
|
BUILD +ipxe-iso
|
||||||
|
|
||||||
all-arm:
|
all-arm:
|
||||||
BUILD --platform=linux/arm64 +docker
|
BUILD --platform=linux/arm64 +image
|
||||||
BUILD +image-sbom
|
BUILD +image-sbom
|
||||||
BUILD +trivy-scan
|
BUILD +trivy-scan
|
||||||
BUILD +grype-scan
|
BUILD +grype-scan
|
||||||
@@ -208,7 +208,8 @@ syft:
|
|||||||
SAVE ARTIFACT /syft syft
|
SAVE ARTIFACT /syft syft
|
||||||
|
|
||||||
image-sbom:
|
image-sbom:
|
||||||
FROM +docker
|
# Use base-image so it can read original os-release file
|
||||||
|
FROM +base-image
|
||||||
WORKDIR /build
|
WORKDIR /build
|
||||||
COPY +version/VERSION ./
|
COPY +version/VERSION ./
|
||||||
ARG VERSION=$(cat VERSION)
|
ARG VERSION=$(cat VERSION)
|
||||||
@@ -295,7 +296,7 @@ framework-image:
|
|||||||
COPY (+framework/framework --VERSION=$VERSION --FLAVOR=$FLAVOR) /
|
COPY (+framework/framework --VERSION=$VERSION --FLAVOR=$FLAVOR) /
|
||||||
SAVE IMAGE --push $IMAGE_REPOSITORY_ORG/framework:${VERSION}_${FLAVOR}
|
SAVE IMAGE --push $IMAGE_REPOSITORY_ORG/framework:${VERSION}_${FLAVOR}
|
||||||
|
|
||||||
docker:
|
base-image:
|
||||||
ARG FLAVOR
|
ARG FLAVOR
|
||||||
ARG VARIANT
|
ARG VARIANT
|
||||||
IF [ "$BASE_IMAGE" = "" ]
|
IF [ "$BASE_IMAGE" = "" ]
|
||||||
@@ -315,39 +316,15 @@ docker:
|
|||||||
ELSE
|
ELSE
|
||||||
ARG OS_VERSION=${KAIROS_VERSION}
|
ARG OS_VERSION=${KAIROS_VERSION}
|
||||||
END
|
END
|
||||||
|
|
||||||
ARG OS_ID
|
|
||||||
ARG OS_NAME=${OS_ID}-${VARIANT}-${FLAVOR}
|
|
||||||
ARG OS_REPO=quay.io/kairos/${VARIANT}-${FLAVOR}
|
|
||||||
ARG OS_LABEL=latest
|
|
||||||
|
|
||||||
# Includes overlay/files
|
# Includes overlay/files
|
||||||
COPY (+framework/framework --FLAVOR=$FLAVOR --VERSION=$OS_VERSION) /
|
COPY (+framework/framework --FLAVOR=$FLAVOR --VERSION=$OS_VERSION) /
|
||||||
|
|
||||||
DO +OSRELEASE --HOME_URL=https://github.com/kairos-io/kairos --BUG_REPORT_URL=https://github.com/kairos-io/kairos/issues --GITHUB_REPO=kairos-io/kairos --VARIANT=${VARIANT} --FLAVOR=${FLAVOR} --OS_ID=${OS_ID} --OS_LABEL=${OS_LABEL} --OS_NAME=${OS_NAME} --OS_REPO=${OS_REPO} --OS_VERSION=${OS_VERSION}
|
|
||||||
|
|
||||||
RUN rm -rf /etc/machine-id && touch /etc/machine-id && chmod 444 /etc/machine-id
|
RUN rm -rf /etc/machine-id && touch /etc/machine-id && chmod 444 /etc/machine-id
|
||||||
|
|
||||||
# Avoid to accidentally push keys generated by package managers
|
# Avoid to accidentally push keys generated by package managers
|
||||||
RUN rm -rf /etc/ssh/ssh_host_*
|
RUN rm -rf /etc/ssh/ssh_host_*
|
||||||
|
|
||||||
# Copy flavor-specific overlay files
|
|
||||||
IF [[ "$FLAVOR" =~ "alpine" ]]
|
|
||||||
COPY overlay/files-alpine/ /
|
|
||||||
END
|
|
||||||
|
|
||||||
IF [ "$FLAVOR" = "opensuse" ] || [ "$FLAVOR" = "opensuse-tumbleweed" ]
|
|
||||||
COPY overlay/files-opensuse/ /
|
|
||||||
ELSE IF [ "$FLAVOR" = "alpine-arm-rpi" ]
|
|
||||||
COPY overlay/files-opensuse-arm-rpi/ /
|
|
||||||
ELSE IF [ "$FLAVOR" = "opensuse-leap-arm-rpi" ] || [ "$FLAVOR" = "opensuse-tumbleweed-arm-rpi" ]
|
|
||||||
COPY overlay/files-opensuse-arm-rpi/ /
|
|
||||||
ELSE IF [ "$FLAVOR" = "fedora" ] || [ "$FLAVOR" = "rockylinux" ]
|
|
||||||
COPY overlay/files-fedora/ /
|
|
||||||
ELSE IF [ "$FLAVOR" = "debian" ] || [ "$FLAVOR" = "ubuntu" ] || [ "$FLAVOR" = "ubuntu-20-lts" ] || [ "$FLAVOR" = "ubuntu-22-lts" ]
|
|
||||||
COPY overlay/files-ubuntu/ /
|
|
||||||
END
|
|
||||||
|
|
||||||
# Enable services
|
# Enable services
|
||||||
IF [ -f /sbin/openrc ]
|
IF [ -f /sbin/openrc ]
|
||||||
RUN mkdir -p /etc/runlevels/default && \
|
RUN mkdir -p /etc/runlevels/default && \
|
||||||
@@ -416,10 +393,29 @@ docker:
|
|||||||
|
|
||||||
RUN rm -rf /tmp/*
|
RUN rm -rf /tmp/*
|
||||||
|
|
||||||
|
image:
|
||||||
|
FROM +base-image
|
||||||
|
ARG FLAVOR
|
||||||
|
ARG VARIANT
|
||||||
|
ARG KAIROS_VERSION
|
||||||
|
IF [ "$KAIROS_VERSION" = "" ]
|
||||||
|
COPY +version/VERSION ./
|
||||||
|
ARG VERSION=$(cat VERSION)
|
||||||
|
RUN echo "version ${VERSION}"
|
||||||
|
ARG OS_VERSION=${VERSION}
|
||||||
|
RUN rm VERSION
|
||||||
|
ELSE
|
||||||
|
ARG OS_VERSION=${KAIROS_VERSION}
|
||||||
|
END
|
||||||
|
ARG OS_ID
|
||||||
|
ARG OS_NAME=${OS_ID}-${VARIANT}-${FLAVOR}
|
||||||
|
ARG OS_REPO=quay.io/kairos/${VARIANT}-${FLAVOR}
|
||||||
|
ARG OS_LABEL=latest
|
||||||
|
DO +OSRELEASE --HOME_URL=https://github.com/kairos-io/kairos --BUG_REPORT_URL=https://github.com/kairos-io/kairos/issues --GITHUB_REPO=kairos-io/kairos --VARIANT=${VARIANT} --FLAVOR=${FLAVOR} --OS_ID=${OS_ID} --OS_LABEL=${OS_LABEL} --OS_NAME=${OS_NAME} --OS_REPO=${OS_REPO} --OS_VERSION=${OS_VERSION}
|
||||||
SAVE IMAGE $IMAGE
|
SAVE IMAGE $IMAGE
|
||||||
|
|
||||||
docker-rootfs:
|
image-rootfs:
|
||||||
FROM +docker
|
FROM +image
|
||||||
SAVE ARTIFACT --keep-own /. rootfs
|
SAVE ARTIFACT --keep-own /. rootfs
|
||||||
|
|
||||||
###
|
###
|
||||||
@@ -434,7 +430,7 @@ iso:
|
|||||||
FROM $OSBUILDER_IMAGE
|
FROM $OSBUILDER_IMAGE
|
||||||
WORKDIR /build
|
WORKDIR /build
|
||||||
COPY . ./
|
COPY . ./
|
||||||
COPY --keep-own +docker-rootfs/rootfs /build/image
|
COPY --keep-own +image-rootfs/rootfs /build/image
|
||||||
RUN /entrypoint.sh --name $ISO_NAME --debug build-iso --squash-no-compression --date=false dir:/build/image --overlay-iso /build/${overlay} --output /build/
|
RUN /entrypoint.sh --name $ISO_NAME --debug build-iso --squash-no-compression --date=false dir:/build/image --overlay-iso /build/${overlay} --output /build/
|
||||||
SAVE ARTIFACT /build/$ISO_NAME.iso kairos.iso AS LOCAL build/$ISO_NAME.iso
|
SAVE ARTIFACT /build/$ISO_NAME.iso kairos.iso AS LOCAL build/$ISO_NAME.iso
|
||||||
SAVE ARTIFACT /build/$ISO_NAME.iso.sha256 kairos.iso.sha256 AS LOCAL build/$ISO_NAME.iso.sha256
|
SAVE ARTIFACT /build/$ISO_NAME.iso.sha256 kairos.iso.sha256 AS LOCAL build/$ISO_NAME.iso.sha256
|
||||||
@@ -473,7 +469,7 @@ arm-image:
|
|||||||
ENV RECOVERY_SIZE="4200"
|
ENV RECOVERY_SIZE="4200"
|
||||||
ENV SIZE="15200"
|
ENV SIZE="15200"
|
||||||
ENV DEFAULT_ACTIVE_SIZE="2000"
|
ENV DEFAULT_ACTIVE_SIZE="2000"
|
||||||
COPY --platform=linux/arm64 +docker-rootfs/rootfs /build/image
|
COPY --platform=linux/arm64 +image-rootfs/rootfs /build/image
|
||||||
# With docker is required for loop devices
|
# With docker is required for loop devices
|
||||||
WITH DOCKER --allow-privileged
|
WITH DOCKER --allow-privileged
|
||||||
RUN /build-arm-image.sh --model $MODEL --directory "/build/image" /build/$IMAGE_NAME
|
RUN /build-arm-image.sh --model $MODEL --directory "/build/image" /build/$IMAGE_NAME
|
||||||
@@ -531,7 +527,8 @@ trivy:
|
|||||||
SAVE ARTIFACT /usr/local/bin/trivy /trivy
|
SAVE ARTIFACT /usr/local/bin/trivy /trivy
|
||||||
|
|
||||||
trivy-scan:
|
trivy-scan:
|
||||||
FROM +docker
|
# Use base-image so it can read original os-release file
|
||||||
|
FROM +base-image
|
||||||
COPY +trivy/trivy /trivy
|
COPY +trivy/trivy /trivy
|
||||||
COPY +trivy/contrib /contrib
|
COPY +trivy/contrib /contrib
|
||||||
COPY +version/VERSION ./
|
COPY +version/VERSION ./
|
||||||
@@ -551,15 +548,16 @@ grype:
|
|||||||
SAVE ARTIFACT /grype /grype
|
SAVE ARTIFACT /grype /grype
|
||||||
|
|
||||||
grype-scan:
|
grype-scan:
|
||||||
FROM +docker
|
# Use base-image so it can read original os-release file
|
||||||
|
FROM +base-image
|
||||||
COPY +grype/grype /grype
|
COPY +grype/grype /grype
|
||||||
COPY +version/VERSION ./
|
COPY +version/VERSION ./
|
||||||
ARG VERSION=$(cat VERSION)
|
ARG VERSION=$(cat VERSION)
|
||||||
ARG FLAVOR
|
ARG FLAVOR
|
||||||
ARG VARIANT
|
ARG VARIANT
|
||||||
WORKDIR /build
|
WORKDIR /build
|
||||||
RUN /grype dir:/ --output sarif --file report.sarif
|
RUN /grype dir:/ --output sarif --add-cpes-if-none --file report.sarif
|
||||||
RUN /grype dir:/ --output json --file report.json
|
RUN /grype dir:/ --output json --add-cpes-if-none --file report.json
|
||||||
SAVE ARTIFACT /build/report.sarif report.sarif AS LOCAL build/${VARIANT}-${FLAVOR}-${VERSION}-grype.sarif
|
SAVE ARTIFACT /build/report.sarif report.sarif AS LOCAL build/${VARIANT}-${FLAVOR}-${VERSION}-grype.sarif
|
||||||
SAVE ARTIFACT /build/report.json report.json AS LOCAL build/${VARIANT}-${FLAVOR}-${VERSION}-grype.json
|
SAVE ARTIFACT /build/report.json report.json AS LOCAL build/${VARIANT}-${FLAVOR}-${VERSION}-grype.json
|
||||||
|
|
||||||
@@ -574,7 +572,7 @@ linux-bench:
|
|||||||
# However, some checks are relevant as well at container level.
|
# However, some checks are relevant as well at container level.
|
||||||
# It is good enough for a quick assessment.
|
# It is good enough for a quick assessment.
|
||||||
linux-bench-scan:
|
linux-bench-scan:
|
||||||
FROM +docker
|
FROM +image
|
||||||
GIT CLONE https://github.com/aquasecurity/linux-bench /build/linux-bench
|
GIT CLONE https://github.com/aquasecurity/linux-bench /build/linux-bench
|
||||||
WORKDIR /build/linux-bench
|
WORKDIR /build/linux-bench
|
||||||
COPY +linux-bench/linux-bench /build/linux-bench/linux-bench
|
COPY +linux-bench/linux-bench /build/linux-bench/linux-bench
|
||||||
@@ -825,7 +823,7 @@ temp-image:
|
|||||||
|
|
||||||
ARG TTL_IMAGE = "ttl.sh/${NAME}:${EXPIRATION}"
|
ARG TTL_IMAGE = "ttl.sh/${NAME}:${EXPIRATION}"
|
||||||
|
|
||||||
FROM +docker
|
FROM +image
|
||||||
SAVE IMAGE --push $TTL_IMAGE
|
SAVE IMAGE --push $TTL_IMAGE
|
||||||
|
|
||||||
generate-schema:
|
generate-schema:
|
||||||
|
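Review bot: The comment added above `FROM +base-image` in the image-sbom, trivy-scan and grype-scan sections (`# Use base-image so it can read original os-release file`) should also say what the scanned image omits: those three targets now scan `+base-image`, while the artifact that is published via `SAVE IMAGE $IMAGE` and consumed by `image-rootfs` is `+image`, which layers the `DO +OSRELEASE` rewrite on top. From the hunks that is the only difference today, so coverage looks equivalent, but any package later installed in the `image` target would silently escape all three scans; suggested wording: `# Scan +base-image rather than +image: +image only rewrites /etc/os-release via +OSRELEASE, and the scanners presumably need the distro's original os-release to pick the right vulnerability feed. Do not install packages in +image, they would not be scanned.` The new `--add-cpes-if-none` on both grype invocations also deserves a why-comment, e.g. `# synthesize CPEs for packages that have none so NVD-only advisories match (expect more findings, some false positives)`, because it changes the volume of the SARIF/JSON reports saved under build/ for everyone consuming them. Note that the `image` target repeats the `KAIROS_VERSION`/`OS_VERSION` resolution that `base-image` still carries in its `ELSE ARG OS_VERSION=${KAIROS_VERSION}` branch, so the two can drift; the trivy-scan and grype-scan targets continue past the end of their hunks.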