Use upstream appsec image for container scan

062a43d4 · Hordur Freyr Yngvason · 69ff651c · 062a43d4 · 69ff651c · 69ff651c
Unverified Commit 062a43d4 authored 2 years ago by Hordur Freyr Yngvason
--- a/.gitlab/.gitlab-ci.yml
+++ b/.gitlab/.gitlab-ci.yml
@@ -259,19 +259,18 @@ container_scanning:
 # enable container scanning with https://gitlab.com/gitlab-com/gl-security/appsec/container-scanners
 appsec_container_scanning:
  stage: scan
-  image: ruby:3
+  image: registry.gitlab.com/gitlab-com/gl-security/appsec/container-scanners:latest
  environment:
    name: appsec_container_scanning
    action: prepare
-  before_script:
-    - cd .gitlab/ci
-    - bundle install
+  variables:
+    IMAGES:
  script:
-    - ./appsec-container-scan "$CI_REGISTRY_IMAGE/agentk:latest,$CI_REGISTRY_IMAGE/agentk:latest-race,$CI_REGISTRY_IMAGE/agentk-fips:stable" > gl-container-scanning-report.json
+    - /run/appsec-container-scan "$CI_REGISTRY_IMAGE/agentk:latest,$CI_REGISTRY_IMAGE/agentk:latest-race,$CI_REGISTRY_IMAGE/agentk-fips:stable" > gl-container-scanning-report.json
  artifacts:
    reports:
      container_scanning: .gitlab/ci/gl-container-scanning-report.json
  rules:
    # Skip on forks, because external contributors can't run this pipeline
-    - if: $PIPELINE_TRIGGER_TOKEN
+    - if: $CONTAINER_SCAN_PIPELINE_TRIGGER_TOKEN
      allow_failure: true
--- a/.gitlab/ci/.gitignore
+++ b/.gitlab/ci/.gitignore
-.bundle
--- a/.gitlab/ci/Gemfile
+++ b/.gitlab/ci/Gemfile
-# frozen_string_literal: true
-
-source 'https://rubygems.org'
- 
-gem 'gitlab'
-gem 'json'
--- a/.gitlab/ci/Gemfile.lock
+++ b/.gitlab/ci/Gemfile.lock
-GEM
-  remote: https://rubygems.org/
-  specs:
-    gitlab (4.18.0)
-      httparty (~> 0.18)
-      terminal-table (>= 1.5.1)
-    httparty (0.20.0)
-      mime-types (~> 3.0)
-      multi_xml (>= 0.5.2)
-    json (2.6.1)
-    mime-types (3.4.1)
-      mime-types-data (~> 3.2015)
-    mime-types-data (3.2022.0105)
-    multi_xml (0.6.0)
-    terminal-table (3.0.2)
-      unicode-display_width (>= 1.1.1, < 3)
-    unicode-display_width (2.1.0)
-
-PLATFORMS
-  x86_64-darwin-21
-
-DEPENDENCIES
-  gitlab
-  json
-
-BUNDLED WITH
-   2.2.32
--- a/.gitlab/ci/appsec-container-scan
+++ b/.gitlab/ci/appsec-container-scan
-#!/usr/bin/env ruby
-
-# frozen_string_literal: true
-
-require 'gitlab'
-require 'json'
-
-TRIGGER_TOKEN = ENV['PIPELINE_TRIGGER_TOKEN']
-COMPLETED_STATUSES = %w[success failed canceled skipped].freeze
-PROJECT_ID = 'gitlab-com/gl-security/appsec/container-scanners'
-
-Gitlab.endpoint = 'https://gitlab.com/api/v4'
-Gitlab.private_token = ENV['CONTAINER_SCAN_PROJECT_API_TOKEN']
-
-def trigger_appsec_pipeline(image)
-  STDERR.puts "Triggering pipeline for image '#{image}'"
-  Gitlab.run_trigger(PROJECT_ID, TRIGGER_TOKEN, 'master', { IMAGES: image }).tap do |pipeline|
-    STDERR.puts "Triggered pipeline #{pipeline.web_url}"
-  end
-end
-
-def wait_for_appsec_pipeline(pipeline, timeout: 600, sleep_time: 30)
-  result = nil
-  STDERR.print "Waiting for pipeline."
-  loop do
-    STDERR.print '.'
-    result = Gitlab.pipeline(PROJECT_ID, pipeline.id)
-    break if COMPLETED_STATUSES.include?(result.status)
-
-    sleep sleep_time
-    timeout -= sleep_time
-    raise "Timed out waiting for pipeline #{result.web_url}" if timeout <= 0
-  end
-  STDERR.puts " Done!\nPipeline status '#{result.status}'."
-  result
-end
-
-def merge_appsec_container_scanning_artifacts(pipeline, job_names)
-  STDERR.puts "Retrieving pipeline jobs"
-  jobs = Gitlab.pipeline_jobs(PROJECT_ID, pipeline.id)
-
-  version = nil
-  remediations = []
-  vulnerabilities = []
-
-  jobs.each do |job|
-    next unless job_names.include?(job.name)
-
-    STDERR.puts "Downloading report artifact for job '#{job.name}' (ID #{job.id})"
-    file = Gitlab.download_job_artifact_file(PROJECT_ID, job.id, 'gl-container-scanning-report.json')
-    data = JSON.parse(file.read, symbolize_names: true)
-
-    version ||= data[:version]
-    remediations.concat(data[:remediations])
-    vulnerabilities.concat(data[:vulnerabilities])
-  end
-
-  { version: version, remediations: remediations, vulnerabilities: vulnerabilities }
-end
-
-def main(image)
-  raise 'An image name argument is required' unless image
-
-  triggered_pipeline = trigger_appsec_pipeline(image)
-  completed_pipeline = wait_for_appsec_pipeline(triggered_pipeline)
-
-  unless completed_pipeline.status == 'success'
-    raise "Upstream pipeline did not succeed, see #{completed_pipeline.web_url}"
-  end
-
-  merged = merge_appsec_container_scanning_artifacts(completed_pipeline, %w[transform:t2g transform:a2g])
-
-  puts JSON.dump(merged)
-end
-
-main(*ARGV)