install.fairie/.config/taskfiles/security/Taskfile.yml

221 lines
7.5 KiB
YAML
Raw Normal View History

2022-12-24 12:04:59 -08:00
---
version: '3'
vars:
DOCKERHUB_PROFILE: megabytelabs
TAGS: latest slim
tasks:
bandit:
deps:
- :install:python:dependencies
desc: Check for Python code security issues
log:
error: '`bandit` reported some security issues that need to be fixed!'
start: Running `bandit -r run.py`
success: No security issues found with `bandit`!
cmds:
- |
if [ -f run.py ]; then
poetry run bandit -r run.py
fi
- |
if [ -d src ]; then
poetry run bandit -r src
fi
dockle:
deps:
- :install:software:dockle
- :install:software:jq
desc: Analyze and lint the Docker container using Dockle
summary: |
# Analyze and lint Docker containers with Dockle
Dockle is a Docker image linter that reports security tips and conflicts with best practices. It does
more than what Hadolint does, according to their GitHub page. Instead of linting the Dockerfile, it
lints the actual image.
**Example usage for scanning standard Docker repository (with `slim` build):**
`task security:dockle`
**Example usage for any image:**
`task security:dockle -- namespace/image:tag`
For more information, see [Dockle's GitHub page](https://github.com/goodwithtech/dockle).
log:
error: Dockle found some errors that need to be fixed!
start: Scanning image(s) with Dockle
success: Successfully completed scan with Dockle
cmds:
- |
{{if .CLI_ARGS}}
dockle {{.CLI_ARGS}}
{{else}}
DOCKER_IMAGE="$(jq -r '.slug' .variables.json)"
for TAG in {{.TAGS}}; do
dockle "{{.DOCKERHUB_PROFILE}}/${DOCKER_IMAGE}:${TAG}"
done
{{end}}
gitleaks:
deps:
- :install:software:gitleaks
desc: Scans repository (including git history) for possible leaked keys
summary: |
# Scan repository with Gitleaks
Find accidentally committed passwords, private keys, and API keys by scanning the repository with
Gitleaks.
**Example of scanning current repository:**
`task lint:gitleaks`
**Example of scanning a public git repository:**
`task lint:gitleaks -- https://github.com/ProfessorManhattan/Windows12`
For more information, see the [Gitleaks GitHub page](https://github.com/zricethezav/gitleaks).
log:
error: Possible leak detected by `gitleaks`
start: Scanning repository with `gitleaks`
success: Successfully completed `gitleaks` repository scan for secrets
cmds:
- |
{{if .CLI_ARGS}}
gitleaks --repo-url '{{.CLI_ARGS}}' -v
{{else}}
gitleaks -p . -v
{{end}}
grype:
deps:
- :install:software:grype
desc: Scan container images and file systems for security issues using Grype
summary: |
# Scan containers and file systems using Grype
Grype is a container and file system security scanner. This task is simply an alias for
the `grype` command that will first ensure it is installed before running the command.
**Example usage:**
`task grype -- ubuntu:latest --fail-on medium`
log:
error: Grype found some potential issues!
start: Scanning with Grype
success: Scan completed by Grype
cmds:
- grype {{.CLI_ARGS}}
private-keys:
deps:
- :install:pipx:pre-commit-hooks
desc: Scan for private keys
summary: |
# Scan for private keys
This task will scan the project for private keys that might not belong where they are. You
can pass this task a single file or let it loop through the project. If you loop through
the project, common folders like 'node_modules/' and 'venv/' will be ignored.
**Example scanning the whole project:**
`task lint:private-keys`
**Example scanning single file:**
`task lint:private-keys -- filename.ext`
log:
error: Private keys were found - make sure you do not commit private keys!
start: Scanning for private keys
success: No private keys were found!
cmds:
- |
PATH="$PATH:$HOME/.local/bin"
{{if .CLI_ARGS}}
{{.PYTHON_HANDLE}}detect-private-key {{.CLI_ARGS}}
{{else}}
find . -type d \( {{.IGNORE_FOLDERS}} \) -prune -o -type f -print0 | xargs -0 -r -n1 {{.PYTHON_HANDLE}}detect-private-key
{{end}}
snyk:
deps:
- :install:npm:snyk
- :install:software:jq
desc: Analyze the Docker container for security vulnerabilities with Snyk (requires login)
summary: |
# Analyze the Docker container with Snyk
One of the services Snyk provides is the capability to identify Docker container vulnerabilities. These
vulnerabilities can potentially be used by bad actors. Normally, care should be taken to fix
the vulnerabilities Snyk reports whenever possible. To use Snyk, you must be authenticated with their
service. Signing up is free and easy (albeit, there is a limit to the number of scans you can run for free).
All you have to do is run `snyk auth` with the `snyk` NPM package installed.
**Example usage for scanning standard Docker repository (with `slim` build and Dockerfile in root directory):**
`task security:snyk`
**Example usage for any image:**
`task security:snyk -- namespace/image:tag`
For more information, see [Snyk's website](https://snyk.io/what-is-snyk/).
log:
error: '`snyk` reported security errors!'
start: Scanning {{if .CLI_ARGS}}`{{.CLI_ARGS}}`{{else}}all tags of the Dockerfile{{end}} with `snyk`
success: Passed `snyk` security test
cmds:
- task: snyk:login
- |
{{if .CLI_ARGS}}
snyk test --docker {{.CLI_ARGS}}
{{else}}
for TAG in {{.TAGS}}; do
DOCKER_IMAGE="$(jq -r '.slug' .variables.json)"
snyk test --docker {{.DOCKERHUB_PROFILE}}/${DOCKER_IMAGE}:${TAG} --file=Dockerfile
done
{{end}}
snyk:login:
env:
SNYK_API_TOKEN:
sh: snyk config get api
log:
error: Encountered error while logging in with `snyk auth`
start: Logging in with `snyk auth`
success: Successfully authenticated with `snyk auth`
cmds:
- snyk auth
status:
- '[ ! -z "$SNYK_API_TOKEN" ]'
trivy:
deps:
- :install:software:jq
- :install:software:trivy
desc: Analyze the Docker container for security vulnerabilities with Trivy
summary: |
# Analyze the Docker container with Trivy
Trivy is a simple and comprehensive vulnerability and misconfiguration scanner for containers
and other artifacts. This task leverages Trivy's ability to report possible vulnerabilities in
the Docker container.
**Example usage for scanning both the 'latest' and 'slim' build in a standard Docker repository:**
`task security:trivy`
**Example usage for scanning any image:**
`task security:trivy -- alpine:latest`
For more information, see [Trivy's website](https://aquasecurity.github.io/trivy/).
log:
error: Trivy detected one or more significant vulnerabilities in the image(s)
start: Analyzing Docker image with Trivy
success: Trivy reported no major vulnerabilities
cmds:
- |
{{if .CLI_ARGS}}
trivy image {{.CLI_ARGS}}
{{else}}
DOCKER_IMAGE="$(jq -r '.slug' .variables.json)"
for TAG in {{.TAGS}}; do
trivy image {{.DOCKERHUB_PROFILE}}/${DOCKER_IMAGE}:${TAG}
done
{{end}}