--- version: '3' vars: DOCKERHUB_PROFILE: megabytelabs TAGS: latest slim tasks: bandit: deps: - :install:python:dependencies desc: Check for Python code security issues log: error: '`bandit` reported some security issues that need to be fixed!' start: Running `bandit -r run.py` success: No security issues found with `bandit`! cmds: - | if [ -f run.py ]; then poetry run bandit -r run.py fi - | if [ -d src ]; then poetry run bandit -r src fi dockle: deps: - :install:software:dockle - :install:software:jq desc: Analyze and lint the Docker container using Dockle summary: | # Analyze and lint Docker containers with Dockle Dockle is a Docker image linter that reports security tips and conflicts with best practices. It does more than what Hadolint does, according to their GitHub page. Instead of linting the Dockerfile, it lints the actual image. **Example usage for scanning standard Docker repository (with `slim` build):** `task security:dockle` **Example usage for any image:** `task security:dockle -- namespace/image:tag` For more information, see [Dockle's GitHub page](https://github.com/goodwithtech/dockle). log: error: Dockle found some errors that need to be fixed! start: Scanning image(s) with Dockle success: Successfully completed scan with Dockle cmds: - | {{if .CLI_ARGS}} dockle {{.CLI_ARGS}} {{else}} DOCKER_IMAGE="$(jq -r '.slug' .variables.json)" for TAG in {{.TAGS}}; do dockle "{{.DOCKERHUB_PROFILE}}/${DOCKER_IMAGE}:${TAG}" done {{end}} gitleaks: deps: - :install:software:gitleaks desc: Scans repository (including git history) for possible leaked keys summary: | # Scan repository with Gitleaks Find accidentally committed passwords, private keys, and API keys by scanning the repository with Gitleaks. **Example of scanning current repository:** `task lint:gitleaks` **Example of scanning a public git repository:** `task lint:gitleaks -- https://github.com/ProfessorManhattan/Windows12` For more information, see the [Gitleaks GitHub page](https://github.com/zricethezav/gitleaks). log: error: Possible leak detected by `gitleaks` start: Scanning repository with `gitleaks` success: Successfully completed `gitleaks` repository scan for secrets cmds: - | {{if .CLI_ARGS}} gitleaks --repo-url '{{.CLI_ARGS}}' -v {{else}} gitleaks -p . -v {{end}} grype: deps: - :install:software:grype desc: Scan container images and file systems for security issues using Grype summary: | # Scan containers and file systems using Grype Grype is a container and file system security scanner. This task is simply an alias for the `grype` command that will first ensure it is installed before running the command. **Example usage:** `task grype -- ubuntu:latest --fail-on medium` log: error: Grype found some potential issues! start: Scanning with Grype success: Scan completed by Grype cmds: - grype {{.CLI_ARGS}} private-keys: deps: - :install:pipx:pre-commit-hooks desc: Scan for private keys summary: | # Scan for private keys This task will scan the project for private keys that might not belong where they are. You can pass this task a single file or let it loop through the project. If you loop through the project, common folders like 'node_modules/' and 'venv/' will be ignored. **Example scanning the whole project:** `task lint:private-keys` **Example scanning single file:** `task lint:private-keys -- filename.ext` log: error: Private keys were found - make sure you do not commit private keys! start: Scanning for private keys success: No private keys were found! cmds: - | PATH="$PATH:$HOME/.local/bin" {{if .CLI_ARGS}} {{.PYTHON_HANDLE}}detect-private-key {{.CLI_ARGS}} {{else}} find . -type d \( {{.IGNORE_FOLDERS}} \) -prune -o -type f -print0 | xargs -0 -r -n1 {{.PYTHON_HANDLE}}detect-private-key {{end}} snyk: deps: - :install:npm:snyk - :install:software:jq desc: Analyze the Docker container for security vulnerabilities with Snyk (requires login) summary: | # Analyze the Docker container with Snyk One of the services Snyk provides is the capability to identify Docker container vulnerabilities. These vulnerabilities can potentially be used by bad actors. Normally, care should be taken to fix the vulnerabilities Snyk reports whenever possible. To use Snyk, you must be authenticated with their service. Signing up is free and easy (albeit, there is a limit to the number of scans you can run for free). All you have to do is run `snyk auth` with the `snyk` NPM package installed. **Example usage for scanning standard Docker repository (with `slim` build and Dockerfile in root directory):** `task security:snyk` **Example usage for any image:** `task security:snyk -- namespace/image:tag` For more information, see [Snyk's website](https://snyk.io/what-is-snyk/). log: error: '`snyk` reported security errors!' start: Scanning {{if .CLI_ARGS}}`{{.CLI_ARGS}}`{{else}}all tags of the Dockerfile{{end}} with `snyk` success: Passed `snyk` security test cmds: - task: snyk:login - | {{if .CLI_ARGS}} snyk test --docker {{.CLI_ARGS}} {{else}} for TAG in {{.TAGS}}; do DOCKER_IMAGE="$(jq -r '.slug' .variables.json)" snyk test --docker {{.DOCKERHUB_PROFILE}}/${DOCKER_IMAGE}:${TAG} --file=Dockerfile done {{end}} snyk:login: env: SNYK_API_TOKEN: sh: snyk config get api log: error: Encountered error while logging in with `snyk auth` start: Logging in with `snyk auth` success: Successfully authenticated with `snyk auth` cmds: - snyk auth status: - '[ ! -z "$SNYK_API_TOKEN" ]' trivy: deps: - :install:software:jq - :install:software:trivy desc: Analyze the Docker container for security vulnerabilities with Trivy summary: | # Analyze the Docker container with Trivy Trivy is a simple and comprehensive vulnerability and misconfiguration scanner for containers and other artifacts. This task leverages Trivy's ability to report possible vulnerabilities in the Docker container. **Example usage for scanning both the 'latest' and 'slim' build in a standard Docker repository:** `task security:trivy` **Example usage for scanning any image:** `task security:trivy -- alpine:latest` For more information, see [Trivy's website](https://aquasecurity.github.io/trivy/). log: error: Trivy detected one or more significant vulnerabilities in the image(s) start: Analyzing Docker image with Trivy success: Trivy reported no major vulnerabilities cmds: - | {{if .CLI_ARGS}} trivy image {{.CLI_ARGS}} {{else}} DOCKER_IMAGE="$(jq -r '.slug' .variables.json)" for TAG in {{.TAGS}}; do trivy image {{.DOCKERHUB_PROFILE}}/${DOCKER_IMAGE}:${TAG} done {{end}}