---
version: '3'

vars:
  DOCKERHUB_PROFILE: megabytelabs
  TAGS: latest slim

tasks:
  bandit:
    deps:
      - :install:python:dependencies
    desc: Check for Python code security issues
    log:
      error: '`bandit` reported some security issues that need to be fixed!'
      start: Running `bandit` against `run.py` and `src/`
      success: No security issues found with `bandit`!
    cmds:
      - |
        if [ -f run.py ]; then
          poetry run bandit -r run.py
        fi
      - |
        if [ -d src ]; then
          poetry run bandit -r src
        fi

  dockle:
    deps:
      - :install:software:dockle
      - :install:software:jq
    desc: Analyze and lint the Docker container using Dockle
    summary: |
      # Analyze and lint Docker containers with Dockle

      Dockle is a Docker image linter that reports security tips and conflicts with best practices.
      Where Hadolint lints the Dockerfile, Dockle inspects the built image itself, so it covers
      checks that a Dockerfile linter cannot.

      **Example usage for scanning a standard Docker repository (with `slim` build):**

      `task security:dockle`

      **Example usage for any image:**

      `task security:dockle -- namespace/image:tag`

      For more information, see [Dockle's GitHub page](https://github.com/goodwithtech/dockle).
    log:
      error: Dockle found some errors that need to be fixed!
      start: Scanning image(s) with Dockle
      success: Successfully completed scan with Dockle
    cmds:
      - |
        {{if .CLI_ARGS}}
        dockle {{.CLI_ARGS}}
        {{else}}
        DOCKER_IMAGE="$(jq -r '.slug' .variables.json)"
        FAILED=0
        for TAG in {{.TAGS}}; do
          # Scan every tag but remember any failure: the loop's own exit status
          # only reflects the last tag, which would mask a failing `latest` scan.
          dockle "{{.DOCKERHUB_PROFILE}}/${DOCKER_IMAGE}:${TAG}" || FAILED=1
        done
        exit "$FAILED"
        {{end}}

  gitleaks:
    deps:
      - :install:software:gitleaks
    desc: Scans repository (including git history) for possible leaked keys
    summary: |
      # Scan repository with Gitleaks

      Find accidentally committed passwords, private keys, and API keys by scanning the repository
      (including its git history) with Gitleaks.

      **Example of scanning current repository:**

      `task lint:gitleaks`

      **Example of scanning a public git repository:**

      `task lint:gitleaks -- https://github.com/ProfessorManhattan/Windows12`

      For more information, see the [Gitleaks GitHub page](https://github.com/zricethezav/gitleaks).
    log:
      error: Possible leak detected by `gitleaks`
      start: Scanning repository with `gitleaks`
      success: Successfully completed `gitleaks` repository scan for secrets
    cmds:
      - |
        {{if .CLI_ARGS}}
        gitleaks --repo-url '{{.CLI_ARGS}}' -v
        {{else}}
        gitleaks -p . -v
        {{end}}

  grype:
    deps:
      - :install:software:grype
    desc: Scan container images and file systems for security issues using Grype
    summary: |
      # Scan containers and file systems using Grype

      Grype is a container and file system vulnerability scanner. This task is an alias for the
      `grype` command that first ensures Grype is installed; any arguments after `--` are passed
      straight through.

      **Example usage:**

      `task grype -- ubuntu:latest --fail-on medium`
    log:
      error: Grype found some potential issues!
      start: Scanning with Grype
      success: Scan completed by Grype
    cmds:
      - grype {{.CLI_ARGS}}

  private-keys:
    deps:
      - :install:pipx:pre-commit-hooks
    desc: Scan for private keys
    summary: |
      # Scan for private keys

      This task scans the project for private keys that do not belong in the repository. You can
      pass it a single file or let it loop through the whole project. When it loops through the
      project, common folders like `node_modules/` and `venv/` are ignored.

      **Example scanning the whole project:**

      `task lint:private-keys`

      **Example scanning single file:**

      `task lint:private-keys -- filename.ext`
    log:
      error: Private keys were found - make sure you do not commit private keys!
      start: Scanning for private keys
      success: No private keys were found!
    cmds:
      - |
        PATH="$PATH:$HOME/.local/bin"
        {{if .CLI_ARGS}}
        {{.PYTHON_HANDLE}}detect-private-key {{.CLI_ARGS}}
        {{else}}
        # `xargs -n1` exits 123 if any invocation fails, so a single offending file fails the task.
        find . -type d \( {{.IGNORE_FOLDERS}} \) -prune -o -type f -print0 | xargs -0 -r -n1 {{.PYTHON_HANDLE}}detect-private-key
        {{end}}

  snyk:
    deps:
      - :install:npm:snyk
      - :install:software:jq
    desc: Analyze the Docker container for security vulnerabilities with Snyk (requires login)
    summary: |
      # Analyze the Docker container with Snyk

      One of the services Snyk provides is identifying vulnerabilities in Docker images. Fix the
      vulnerabilities Snyk reports whenever possible, since they can potentially be exploited by
      attackers. To use Snyk you must be authenticated with their service. Signing up is free,
      although the free tier limits the number of scans you can run. With the `snyk` NPM package
      installed, run `snyk auth` to authenticate.

      **Example usage for scanning a standard Docker repository (with `slim` build and Dockerfile in root directory):**

      `task security:snyk`

      **Example usage for any image:**

      `task security:snyk -- namespace/image:tag`

      For more information, see [Snyk's website](https://snyk.io/what-is-snyk/).
    log:
      error: '`snyk` reported security errors!'
      start: Scanning {{if .CLI_ARGS}}`{{.CLI_ARGS}}`{{else}}all tags of the Dockerfile{{end}} with `snyk`
      success: Passed `snyk` security test
    cmds:
      - task: snyk:login
      - |
        {{if .CLI_ARGS}}
        snyk test --docker {{.CLI_ARGS}}
        {{else}}
        DOCKER_IMAGE="$(jq -r '.slug' .variables.json)"
        FAILED=0
        for TAG in {{.TAGS}}; do
          # Record failures instead of relying on the loop's exit status, which only reflects the last tag.
          snyk test --docker "{{.DOCKERHUB_PROFILE}}/${DOCKER_IMAGE}:${TAG}" --file=Dockerfile || FAILED=1
        done
        exit "$FAILED"
        {{end}}

  snyk:login:
    env:
      SNYK_API_TOKEN:
        sh: snyk config get api
    log:
      error: Encountered error while logging in with `snyk auth`
      start: Logging in with `snyk auth`
      success: Successfully authenticated with `snyk auth`
    cmds:
      - snyk auth
    status:
      # Skip the interactive login when a token is already stored in the Snyk config.
      - '[ ! -z "$SNYK_API_TOKEN" ]'

  trivy:
    deps:
      - :install:software:jq
      - :install:software:trivy
    desc: Analyze the Docker container for security vulnerabilities with Trivy
    summary: |
      # Analyze the Docker container with Trivy

      Trivy is a simple and comprehensive vulnerability and misconfiguration scanner for containers
      and other artifacts. This task uses Trivy to report possible vulnerabilities in the Docker image.

      **Example usage for scanning both the 'latest' and 'slim' build in a standard Docker repository:**

      `task security:trivy`

      **Example usage for scanning any image:**

      `task security:trivy -- alpine:latest`

      For more information, see [Trivy's website](https://aquasecurity.github.io/trivy/).
    log:
      error: Trivy detected one or more significant vulnerabilities in the image(s)
      start: Analyzing Docker image with Trivy
      success: Trivy reported no major vulnerabilities
    cmds:
      - |
        {{if .CLI_ARGS}}
        trivy image {{.CLI_ARGS}}
        {{else}}
        DOCKER_IMAGE="$(jq -r '.slug' .variables.json)"
        FAILED=0
        for TAG in {{.TAGS}}; do
          # Trivy exits 0 even when it finds vulnerabilities unless --exit-code is set, so
          # gate on HIGH/CRITICAL findings and record failures across all tags.
          trivy image --exit-code 1 --severity HIGH,CRITICAL "{{.DOCKERHUB_PROFILE}}/${DOCKER_IMAGE}:${TAG}" || FAILED=1
        done
        exit "$FAILED"
        {{end}}
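The `dockle`, `snyk` and `trivy` tasks loop over `TAGS` and run the scanner once per tag inside one multi-line command. A `for` loop's exit status is the status of its last iteration, so unless each result is recorded, a finding in the `latest` image is masked whenever the `slim` scan passes and the task reports success. The following is an added example, not code from the Taskfile or from any of those scanners: `fake_scan` is a constructed stand-in for the per-image scanner and `megabytelabs/example` is an assumed image name.

```sh
#!/bin/sh
# Added example (not code from the Taskfile above): why a bare
# `for TAG in latest slim; do <scanner> ...; done` can exit 0 after a failing
# scan, and how to aggregate the per-tag results instead.

# Stand-in for dockle/trivy/snyk (constructed for this example): reports
# issues, and exits 1, for every tag listed in FAILING_TAGS.
FAILING_TAGS='latest'
fake_scan() {
  image=$1
  tag=${image##*:}
  for bad in $FAILING_TAGS; do
    if [ "$tag" = "$bad" ]; then
      echo "$image: issues found" >&2
      return 1
    fi
  done
  echo "$image: ok"
}

# Mirrors the original loops. The loop's exit status is that of the last
# command it ran, so a failure on `latest` is masked when `slim` passes and
# the task reports success.
naive_loop() {
  repo=$1; shift
  for tag in "$@"; do
    fake_scan "$repo:$tag"
  done
}

# Scans every tag, remembers any failure and reports it once all tags are done.
# (`set -e` would also surface the failure, but it stops at the first bad tag.)
strict_loop() {
  repo=$1; shift
  failed=0
  for tag in "$@"; do
    fake_scan "$repo:$tag" || failed=1
  done
  return "$failed"
}

# Stand-alone demo with the Taskfile's tag order, `latest slim`.
demo() {
  repo=megabytelabs/example
  naive_loop "$repo" latest slim && echo "naive loop: exit 0 (failure masked)"
  strict_loop "$repo" latest slim || echo "strict loop: exit 1 (failure reported)"
}

demo
```

Reversing the tag order (`slim latest`) makes the naive loop fail, which is exactly the problem: the verdict depends on which tag happens to come last rather than on what the scanner found.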
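The `private-keys` task delegates the sweep to pre-commit's `detect-private-key`, fed by a `find ... -prune` file list. The following is an added, dependency-free example of the same sweep (not the Taskfile's code and not `detect-private-key` itself): it builds the prune expression from a list of ignored folders, matches PEM/SSH/PGP header markers with `grep -E`, and exercises both the whole-tree and single-file modes against a constructed fixture. The marker list, the ignored folder names (the Taskfile's `IGNORE_FOLDERS` is not defined on this page) and the fixture contents are the example's own assumptions.

```sh
#!/bin/sh
# Added example (not code from the Taskfile above): a dependency-free stand-in
# for the `private-keys` sweep. It reproduces the task's find/-prune pattern but
# uses grep -E against PEM/SSH/PGP header markers instead of pre-commit's
# detect-private-key, so it runs without Python or pipx.

# Header markers that identify private-key material. This list is the
# example's own; it is not taken from detect-private-key.
KEY_MARKERS='BEGIN (RSA |DSA |EC |OPENSSH |PGP |ENCRYPTED )?PRIVATE KEY|PuTTY-User-Key-File-|BEGIN OpenVPN Static key V1'

# Directory names to skip. The Taskfile's IGNORE_FOLDERS variable is not
# defined on this page, so these names are assumed.
IGNORE_DIRS='node_modules venv .venv .git'

# Single-file mode, like `task lint:private-keys -- filename.ext`.
# Exit status: 0 clean, 1 key material found, 2 not a regular file.
check_file() {
  [ -f "$1" ] || { echo "not a regular file: $1" >&2; return 2; }
  if grep -qE "$KEY_MARKERS" "$1"; then
    echo "private key material: $1" >&2
    return 1
  fi
  return 0
}

# Whole-tree mode. Builds the `\( -name a -o -name b \) -prune` expression
# from IGNORE_DIRS, then lists every remaining regular file that matches.
# Exit status: 0 clean, 1 if any file matched.
scan_tree() {
  root=$1
  set --
  for d in $IGNORE_DIRS; do
    [ $# -eq 0 ] || set -- "$@" -o
    set -- "$@" -name "$d"
  done
  # `-exec grep -l ... {} +` batches files like xargs. find itself returns
  # non-zero when a grep batch found nothing, so the verdict is taken from
  # grep's output (the list of offending files) rather than find's status.
  hits=$(find "$root" -type d \( "$@" \) -prune -o -type f -exec grep -lE "$KEY_MARKERS" {} + 2>/dev/null || true)
  if [ -n "$hits" ]; then
    printf 'private key material found in:\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# Constructed fixture for the demo and tests: a PEM header with a fake body
# (not a real key) in a tracked path, the same marker under node_modules,
# a public key and an ordinary source file.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/config" "$dir/node_modules/somepkg" "$dir/src"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
    'MIIEowIBAAKCAQEAconstructedNotARealKey' \
    '-----END RSA PRIVATE KEY-----' > "$dir/config/deploy_key"
  cp "$dir/config/deploy_key" "$dir/node_modules/somepkg/test_key.pem"
  printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2Econstructed user@host' > "$dir/config/deploy_key.pub"
  printf '%s\n' 'print("hello")' > "$dir/src/app.py"
  echo "$dir"
}

# Stand-alone demo: the sweep should flag config/deploy_key and nothing else.
demo() {
  fx=$(make_fixture)
  if scan_tree "$fx"; then
    echo "clean: $fx"
  else
    echo "sweep failed as expected for $fx"
  fi
  rm -rf "$fx"
}

demo
```

The copy of the key under `node_modules/` is deliberately not reported: the `-prune` branch removes the whole directory before `-type f` is evaluated, which is the behaviour the task's summary promises for folders like `node_modules/` and `venv/`.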