From e5d9f9529bec6d2eb6e06fc149cca81a289477ee Mon Sep 17 00:00:00 2001 From: amir-codefresh <33693628+amir-codefresh@users.noreply.github.com> Date: Sun, 16 Dec 2018 15:23:07 +0200 Subject: [PATCH 1/3] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 07a0ea91..519a52d5 100644 --- a/README.md +++ b/README.md @@ -21,3 +21,4 @@ See each plugin readme for more info and usage instructions. | [Clair](plugins/clair/README.md) | Security scanning of Docker images using Clair | `security` | | [Import Docker Images](plugins/import-docker-images/README.md) | Import Docker images metadata into Codefresh| `docker` `codefresh`| | [Google KMS](plugins/google-kms/README.md) | Encryption/Decryption with Google KMS| `KMS` `codefresh`| +| [Azure Builder](plugins/azure-builder/README.md) | Build Docker image using Azure ACR| `KMS` `codefresh`| From 5fdc9f109d192b87d2b157f907e2774781b2a5fe Mon Sep 17 00:00:00 2001 From: amir-codefresh <33693628+amir-codefresh@users.noreply.github.com> Date: Sun, 16 Dec 2018 15:24:54 +0200 Subject: [PATCH 2/3] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 519a52d5..680d9001 100644 --- a/README.md +++ b/README.md @@ -21,4 +21,4 @@ See each plugin readme for more info and usage instructions. | [Clair](plugins/clair/README.md) | Security scanning of Docker images using Clair | `security` | | [Import Docker Images](plugins/import-docker-images/README.md) | Import Docker images metadata into Codefresh| `docker` `codefresh`| | [Google KMS](plugins/google-kms/README.md) | Encryption/Decryption with Google KMS| `KMS` `codefresh`| -| [Azure Builder](plugins/azure-builder/README.md) | Build Docker image using Azure ACR| `KMS` `codefresh`| +| [Azure Builder](plugins/azure-builder/README.md) | Build Docker image using Azure ACR| `Azure` `codefresh`| From 2978d9d6153872ef7e999ad3e542f8ea88535ebf Mon Sep 17 00:00:00 2001 From: amirgabay Date: Tue, 18 Dec 2018 15:44:39 +0200 Subject: [PATCH 3/3] remove dummy folders --- plugins/testplugin/README.MD | 42 ------------- plugins/testplugin/plugin.yaml | 33 ---------- plugins/testplugin1/README.MD | 42 ------------- plugins/testplugin1/plugin.yaml | 34 ----------- plugins/versioner/Dockerfile | 50 --------------- plugins/versioner/LICENSE.md | 7 --- plugins/versioner/README.md | 105 -------------------------------- plugins/versioner/codefresh.yml | 41 ------------- plugins/versioner/plugin.yaml | 32 ---------- 9 files changed, 386 deletions(-) delete mode 100644 plugins/testplugin/README.MD delete mode 100644 plugins/testplugin/plugin.yaml delete mode 100644 plugins/testplugin1/README.MD delete mode 100644 plugins/testplugin1/plugin.yaml delete mode 100644 plugins/versioner/Dockerfile delete mode 100644 plugins/versioner/LICENSE.md delete mode 100644 plugins/versioner/README.md delete mode 100644 plugins/versioner/codefresh.yml delete mode 100644 plugins/versioner/plugin.yaml diff --git a/plugins/testplugin/README.MD b/plugins/testplugin/README.MD deleted file mode 100644 index 27c33099..00000000 --- a/plugins/testplugin/README.MD +++ /dev/null @@ -1,42 +0,0 @@ -# GitHub Pull Request Codefresh Plugin - -Creates a new pull request in GitHub - -## Environment Variables - -- `GITHUB_TOKEN`: token for access to GitHub -- `GITHUB_REPO_OWNER`: name of repo owner -- `GITHUB_REPO_NAME`: name of repo -- `HEAD`: The name of the branch where your changes are implemented. For cross-repository pull requests in the same network, namespace head with a user like this: username:branch -- `BASE`: The name of the branch you want the changes pulled into. This should be an existing branch on the current repository. You cannot submit a pull request to one repository that requests a merge to a base of another repository. -- `TITLE`: The title of the pull request - -## Deployment with Codefresh -- Add encrypted environment variables for: - * GITHUB_TOKEN - -- Add "github-pr" step as descibed below - -```yaml -# codefresh.yml example with github pr step -version: '1.0' - -steps: - build-step: - type: build - image-name: repo/image:tag - - push to registry: - type: push - candidate: ${{build-step}} - tag: ${{CF_BRANCH}} - - github-pr: - image: codefresh/github-pr-plugin - environment: - - GITHUB_REPO_OWNER=${{CF_REPO_OWNER}} - - GITHUB_REPO_NAME=${{CF_REPO_NAME}} - - BASE=master - - HEAD=${{CF_BRANCH}} - - TITLE=Codefresh PR for ${{CF_BRANCH}} -``` diff --git a/plugins/testplugin/plugin.yaml b/plugins/testplugin/plugin.yaml deleted file mode 100644 index f3c970b9..00000000 --- a/plugins/testplugin/plugin.yaml +++ /dev/null @@ -1,33 +0,0 @@ -image: codefresh/github-pr-plugin -tag: master -version: 0.1.0 -description: Creates GitHub pull request -keywords: - - testplugin - -home: https://github.com/codefresh-io/github-pr-plugin -sources: - - https://github.com/codefresh-io/github-pr-plugin -maintainers: # (optional) - - name: Oleg Verhovsky - email: oleg@codefresh.io -icon: https://assets-cdn.github.com/images/modules/logos_page/GitHub-Mark.png -envs: - - name: GITHUB_TOKEN - type: required - description: Token for access to GitHub - - name: GITHUB_REPO_OWNER - type: required - description: Name of repo owner - - name: GITHUB_REPO_NAME - type: required - description: Name of repo - - name: HEAD - type: required - description: The name of the branch where your changes are implemented. For cross-repository pull requests in the same network, namespace head with a user like this - username:branch - - name: BASE - type: required - description: The name of the branch you want the changes pulled into. This should be an existing branch on the current repository. You cannot submit a pull request to one repository that requests a merge to a base of another repository. - - name: TITLE - type: required - description: The title of the pull request diff --git a/plugins/testplugin1/README.MD b/plugins/testplugin1/README.MD deleted file mode 100644 index 27c33099..00000000 --- a/plugins/testplugin1/README.MD +++ /dev/null @@ -1,42 +0,0 @@ -# GitHub Pull Request Codefresh Plugin - -Creates a new pull request in GitHub - -## Environment Variables - -- `GITHUB_TOKEN`: token for access to GitHub -- `GITHUB_REPO_OWNER`: name of repo owner -- `GITHUB_REPO_NAME`: name of repo -- `HEAD`: The name of the branch where your changes are implemented. For cross-repository pull requests in the same network, namespace head with a user like this: username:branch -- `BASE`: The name of the branch you want the changes pulled into. This should be an existing branch on the current repository. You cannot submit a pull request to one repository that requests a merge to a base of another repository. -- `TITLE`: The title of the pull request - -## Deployment with Codefresh -- Add encrypted environment variables for: - * GITHUB_TOKEN - -- Add "github-pr" step as descibed below - -```yaml -# codefresh.yml example with github pr step -version: '1.0' - -steps: - build-step: - type: build - image-name: repo/image:tag - - push to registry: - type: push - candidate: ${{build-step}} - tag: ${{CF_BRANCH}} - - github-pr: - image: codefresh/github-pr-plugin - environment: - - GITHUB_REPO_OWNER=${{CF_REPO_OWNER}} - - GITHUB_REPO_NAME=${{CF_REPO_NAME}} - - BASE=master - - HEAD=${{CF_BRANCH}} - - TITLE=Codefresh PR for ${{CF_BRANCH}} -``` diff --git a/plugins/testplugin1/plugin.yaml b/plugins/testplugin1/plugin.yaml deleted file mode 100644 index 2c5a092b..00000000 --- a/plugins/testplugin1/plugin.yaml +++ /dev/null @@ -1,34 +0,0 @@ -image: codefresh/github-pr-plugin -tag: master -version: 0.1.0 -description: test plugin1! -keywords: - - testplugin1 - - -home: https://github.com/codefresh-io/github-pr-plugin -sources: - - https://github.com/codefresh-io/github-pr-plugin -maintainers: # (optional) - - name: Oleg Verhovsky - email: oleg@codefresh.io -icon: https://assets-cdn.github.com/images/modules/logos_page/GitHub-Mark.png -envs: - - name: GITHUB_TOKEN - type: required - description: Token for access to GitHub - - name: GITHUB_REPO_OWNER - type: required - description: Name of repo owner - - name: GITHUB_REPO_NAME - type: required - description: Name of repo - - name: HEAD - type: required - description: The name of the branch where your changes are implemented. For cross-repository pull requests in the same network, namespace head with a user like this - username:branch - - name: BASE - type: required - description: The name of the branch you want the changes pulled into. This should be an existing branch on the current repository. You cannot submit a pull request to one repository that requests a merge to a base of another repository. - - name: TITLE - type: required - description: The title of the pull request diff --git a/plugins/versioner/Dockerfile b/plugins/versioner/Dockerfile deleted file mode 100644 index 9f511082..00000000 --- a/plugins/versioner/Dockerfile +++ /dev/null @@ -1,50 +0,0 @@ -FROM ubuntu:xenial - -ENV LANG C.UTF-8 - -RUN { \ - echo '#!/bin/sh'; \ - echo 'set -e'; \ - echo; \ - echo 'dirname "$(dirname "$(readlink -f "$(which javac || which java)")")"'; \ - } > /usr/local/bin/docker-java-home && \ - chmod +x /usr/local/bin/docker-java-home - -RUN apt-get update && apt-get install -y --no-install-recommends \ - bzip2 \ - unzip \ - xz-utils \ - apt-transport-https \ - ca-certificates \ - curl \ - software-properties-common \ - python3-openssl && \ - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - && \ - add-apt-repository \ - "deb [arch=amd64] https://download.docker.com/linux/ubuntu \ - $(lsb_release -cs) \ - stable" && \ - apt-get update && apt-get install -y --no-install-recommends \ - docker-ce=17.09.0~ce-0~ubuntu && \ - apt-get install -y \ - openjdk-8-jre \ - ; \ - rm -rf /var/lib/apt/lists/*; \ - \ - [ "$JAVA_HOME" = "$(docker-java-home)" ]; \ - \ - update-alternatives --get-selections | awk -v home="$JAVA_HOME" 'index($3, home) == 1 { $2 = "manual"; print | "update-alternatives --set-selections" }'; \ - update-alternatives --query java | grep -q 'Status: manual' && \ - mkdir /packages && \ - curl -o /packages/twistcli https://cdn.twistlock.com/support/twistcli && \ - curl -o /packages/nexus-iq-cli-1.38.0-02.jar https://download.sonatype.com/clm/scanner/nexus-iq-cli-1.38.0-02.jar - -COPY scripts /scripts - -RUN chmod +x -R /packages -RUN chmod +x -R /scripts - -WORKDIR /scripts - -ENTRYPOINT ["/usr/bin/python3"] -CMD [""] diff --git a/plugins/versioner/LICENSE.md b/plugins/versioner/LICENSE.md deleted file mode 100644 index d39b0063..00000000 --- a/plugins/versioner/LICENSE.md +++ /dev/null @@ -1,7 +0,0 @@ -© 2017 Steelcase Inc. - -Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. \ No newline at end of file diff --git a/plugins/versioner/README.md b/plugins/versioner/README.md deleted file mode 100644 index 150dcd3c..00000000 --- a/plugins/versioner/README.md +++ /dev/null @@ -1,105 +0,0 @@ -# Security Scanning Tools [![Codefresh build status]( https://g.codefresh.io/api/badges/build?repoOwner=SC-TechDev&repoName=docker-security-scanner&branch=master&pipelineName=docker-security-scanner&accountName=sctechdevservice&type=cf-1)]( https://g.codefresh.io/repositories/SC-TechDev/docker-security-scanner/builds?filter=trigger:build;branch:master;service:59e62c5410e3d100019e7f3d~docker-security-scanner) - -Docker image which invokes security script using TwistCLI (Nexus coming soon) - -### Prerequisites: - -Codefresh Subscription (Dedicated Infrastructure) - https://codefresh.io/ - -Twistlock Subscription - https://www.twistlock.com/ - -### Documentation: - -Twistlock CLI: https://twistlock.desk.com/customer/en/portal/articles/2875595-twistcli?b_id=16619 - -Nexus IQ CLI: TBD - -## Script Library - -### twistlock.py - -Executes TwistCLI to scan Docker image given. - -### options - -To use an ENVIRONMENT VARIABLE you need to add the variables to your Codefresh Pipeline and also to your codefresh.yaml. - - -Example `codefresh.yml` build is below with required ENVIRONMENT VARIABLES in place. - - -| ENVIRONMENT VARIABLE | SCRIPT ARGUMENT | DEFAULT | TYPE | REQUIRED | DESCRIPTION | -|----------------------------|--------------------------------------|----------|---------|----------|---------------------------------------------------------------------------------------------------------------------------------| -| CF_METADATA | [ -c, --cf_metadata ] | null | boolean | No | In combination with TL_UPLOAD stores Twistlock Report URL in TL_REPORT_URL var for Codefresh metadata annotation | -| TL_CONSOLE_HOSTNAME | [ -C, --tl_console_hostname ] | null | string | Yes | hostname/ip | -| TL_CONSOLE_PORT | [ -P, --tl_console_port ] | null | string | Yes | port | -| TL_CONSOLE_USERNAME | [ -U, --tl_console_username ] | null | string | Yes | username | -| TL_CONSOLE_PASSWORD | [ -X, --tl_console_password ] | null | string | Yes | password | -| TL_ONLY | [ -Z, --tl_only ] | null | boolean | Yes | Twistlock Console Only (Required for now Nexus TBD) | -| TL_TLS_ENABLED | [ -T, --tl_tls_enabled ] | null | boolean | No | enable TLS | -| TL_HASH | [ -H, --tl_hash ] | [ sha1 ] | string | No | [ md5, sha1, sha256 ] hashing algorithm | -| TL_UPLOAD | [ -R, --tl_upload ] | null | boolean | No | ( ignores all options below if set and only returns report url ) uploads report to Twistlock to be used later via Twistlock API | -| TL_DETAILS | [ -D, --tl_details ] | null | boolean | No | prints an itemized list of each vulnerability found by the scanner | -| TL_ONLY_FIXED | [ -O, --tl_only_fixed ] | null | boolean | No | reports just the vulnerabilites that have fixes available | -| TL_COMPLIANCE_THRESHOLD | [ -M, --tl_compliance_threshold ] | null | string | No | [ low, medium, high ] sets the the minimal severity compliance issue that returns a fail exit code | -| TL_VULNERABILITY_THRESHOLD | [ -V, --tl_vulnerability_threshold ] | null | string | No | [ low, medium, high, critical ] sets the minimal severity vulnerability that returns a fail exit code | - -### codefresh.yml - -Codefresh Build Step to execute Twistlock scan. -All `${{var}}` variables must be put into Codefresh Build Parameters -codefresh.yml -```console - buildimage: - type: build - title: Build Runtime Image - dockerfile: Dockerfile - image_name: # Image you're building/scanning [repository/image] - tag: latest-cf-build-candidate - - nexus_iq_scan_build_stage: - type: composition - composition: - version: '2' - services: - imagebuild: - image: ${{buildimage}} - command: sh -c "exit 0" - labels: - build.image.id: ${{CF_BUILD_ID}} - composition_candidates: - scan_service: - image: sctechdev/docker-security-scanner - environment: - - TL_CONSOLE_HOSTNAME=${{TL_CONSOLE_HOSTNAME}} - - TL_CONSOLE_PORT=${{TL_CONSOLE_PORT}} - - TL_CONSOLE_USERNAME=${{TL_CONSOLE_USERNAME}} - - TL_CONSOLE_PASSWORD=${{TL_CONSOLE_PASSWORD}} - - TL_ONLY=${{TL_ONLY}} - command: twistlock.py -i "$$(docker inspect $$(docker inspect $$(docker ps -aqf label=build.image.id=${{CF_BUILD_ID}}) -f {{.Config.Image}}) -f {{.Id}} | sed 's/sha256://g')" - depends_on: - - imagebuild - volumes: - - /var/run/docker.sock:/var/run/docker.sock - - /var/lib/docker:/var/lib/docker - # Everything below this line is Optional for CF_METADATA - - '${{CF_VOLUME_NAME}}:/codefresh/volume' - add_flow_volume_to_composition: true - - export: - title: "Exporting variables..." - image: alpine - commands: - - echo "Exporting variables..." - - set_metadata: - title: "Setting metadata on image..." - image: alpine - commands: - - echo "Setting metadata on image..." - on_finish: - metadata: - set: - - '${{build_step.imageId}}': - - TwistlockSecurityReport: ${{TL_REPORT_URL}} -``` \ No newline at end of file diff --git a/plugins/versioner/codefresh.yml b/plugins/versioner/codefresh.yml deleted file mode 100644 index 31881bcb..00000000 --- a/plugins/versioner/codefresh.yml +++ /dev/null @@ -1,41 +0,0 @@ -version: '1.0' - -steps: - - buildimage: - type: build - description: image build step - dockerfile: Dockerfile - image_name: sctechdev/docker-security-scanner - tag: latest-cf-build-candidate - - push_image: - type: push - candidate: ${{buildimage}} - tag: latest - when: - branch: - only: - - master - push_image1: - type: push - candidate: ${{buildimage}} - tag: ${{CF_BRANCH_TAG_NORMALIZED}}-${{CF_SHORT_REVISION}} - - push_image_nexus_latest: - title: Push to Nexus Repo (latest) - type: push - candidate: ${{buildimage}} - tag: latest - registry: sonatype-docker-internal - when: - branch: - only: - - master - - push_image_neuxs_gitbranch_gitsha: - title: Push to Nexus Repo (gitbranch + gitsha) - type: push - candidate: ${{buildimage}} - tag: ${{CF_BRANCH_TAG_NORMALIZED}}-${{CF_SHORT_REVISION}} - registry: sonatype-docker-internal diff --git a/plugins/versioner/plugin.yaml b/plugins/versioner/plugin.yaml deleted file mode 100644 index 21796cb6..00000000 --- a/plugins/versioner/plugin.yaml +++ /dev/null @@ -1,32 +0,0 @@ -image: docker.io/codefresh/versioner -tag: latest -version: 1.0 -description: Execute Twistlock image scan as build step -keywords: - - versioner 1.0 -home: https://hub.docker.com/r/sctechdev/docker-security-scanner/ -sources: - - https://github.com/codefresh-io/cf-plugin-versioner.git -maintainers: - - name: Dustin Van Buskirk - email: dev@vanbuskirk.me - - name: Varun Tagore - email: rondevops@gmail.com -#icon: A URL to an SVG or PNG image to be used as an icon (optional) -envs: - - - name: CURRENT_VERSION_SOURCE # from_file , from_tag, - type : required - description : action - - name: MAJOR - type: optional - - name: MINOR - type: optional - description: Boolean; combination with TL_UPLOAD stores Twistlock Report URL in TL_REPORT_URL var for Codefresh metadata annotation - - name: PATCH - type: optional - description: Boolean; combination with TL_UPLOAD stores Twistlock Report URL in TL_REPORT_URL var for Codefresh metadata annotation - - name: BUILD_NUM - type: optional - description: Boolean; combination with TL_UPLOAD stores Twistlock Report URL in TL_REPORT_URL var for Codefresh metadata annotation - \ No newline at end of file