securityscanutils

package
v1.13.0-beta3
Published: Aug 9, 2022 License: Apache-2.0 Imports: 4 Imported by: 0

README

Trivy Security Scanning

Trivy is a vulnerability scanner; we use it to scan our container images for known vulnerabilities.

Scanning Images Locally

Scan a single image

You can run a Trivy scan identical to the one in CI from your own command line by installing Trivy and running:

trivy image --severity HIGH,CRITICAL quay.io/solo-io/<IMAGE>:<VERSION>

Note that Trivy exits 0 even when it finds vulnerabilities unless you pass --exit-code (for example --exit-code 1), so add that flag if the scan is meant to fail a script or pipeline.

Scan a collection of images

Using our scanner, we can run scans against groups of images. To filter which versions get scanned, set one of the following environment variables:

MIN_SCANNED_VERSION (scan every version greater than the provided tag)

IMAGE_REPO=quay.io/solo-io SCAN_DIR=_output/scans MIN_SCANNED_VERSION="v1.8.0" go run generate_docs.go run-security-scan -r gloo

VERSION_CONSTRAINT (scan all versions that match the constraint)

IMAGE_REPO=quay.io/solo-io SCAN_DIR=_output/scans VERSION_CONSTRAINT=">v1.8.0, <v1.9.0" go run generate_docs.go run-security-scan -r gloo
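Both filters above select tags by semantic-version comparison. The following is an added example, not this package's own code (which we do not show here and which may use a different version library): a self-contained Go parser for the v1.8.0-style tags and the ">v1.8.0, <v1.9.0"-style constraints the README uses, including the pre-release ordering that matters for tags like v1.13.0-beta3 (it sorts before v1.13.0). The tag list is constructed, ParseVersion, ParseConstraint and SelectTags are names chosen for the example, and the strict "greater than" reading of MIN_SCANNED_VERSION follows the README's wording.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed image tag such as "v1.8.0" or "v1.13.0-beta3".
type Version struct {
	Nums [3]int // major, minor, patch
	Pre  string // pre-release suffix after '-'; empty for a release
}

// ParseVersion accepts "v1.8.0", "1.8.0" and "v1.13.0-beta3"; anything else,
// such as the tag "latest", is an error so callers can skip it deliberately.
func ParseVersion(tag string) (Version, error) {
	num, pre, _ := strings.Cut(strings.TrimPrefix(tag, "v"), "-")
	v := Version{Pre: pre}
	parts := strings.Split(num, ".")
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if len(parts) != 3 || err != nil { // checked before Nums[i] is written
			return v, fmt.Errorf("not a semver tag: %q", tag)
		}
		v.Nums[i] = n
	}
	return v, nil
}

// Compare returns -1, 0 or 1; a release outranks its own pre-releases (v1.13.0-beta3 < v1.13.0).
func (a Version) Compare(b Version) int {
	for i := range a.Nums {
		if a.Nums[i] < b.Nums[i] {
			return -1
		} else if a.Nums[i] > b.Nums[i] {
			return 1
		}
	}
	if (a.Pre == "") != (b.Pre == "") { // exactly one side is a release
		if a.Pre == "" {
			return 1
		}
		return -1
	}
	return strings.Compare(a.Pre, b.Pre) // both pre-releases: lexical order
}

// ParseConstraint turns ">v1.8.0, <v1.9.0" into a predicate that holds only
// when every comma-separated clause holds. Operators: > >= < <= =.
func ParseConstraint(expr string) (func(Version) bool, error) {
	var clauses []func(Version) bool
	for _, raw := range strings.Split(expr, ",") {
		raw = strings.TrimSpace(raw)
		want := strings.TrimLeft(raw, "<>=")
		op := raw[:len(raw)-len(want)]
		bound, err := ParseVersion(strings.TrimSpace(want))
		if err != nil {
			return nil, err
		}
		clauses = append(clauses, func(v Version) bool {
			switch c := v.Compare(bound); {
			case c < 0:
				return strings.HasPrefix(op, "<")
			case c > 0:
				return strings.HasPrefix(op, ">")
			}
			return strings.HasSuffix(op, "=")
		})
	}
	return func(v Version) bool {
		for _, holds := range clauses {
			if !holds(v) {
				return false
			}
		}
		return true
	}, nil
}

// SelectTags returns, in input order, the tags matching expr. The README's
// MIN_SCANNED_VERSION=X is the constraint ">X" (strictly greater, as worded
// there); VERSION_CONSTRAINT is passed through. Non-semver tags are skipped.
func SelectTags(tags []string, expr string) ([]string, error) {
	holds, err := ParseConstraint(expr)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, tag := range tags {
		if v, err := ParseVersion(tag); err == nil && holds(v) {
			out = append(out, tag)
		}
	}
	return out, nil
}

func main() {
	tags := []string{"v1.7.5", "v1.8.0", "v1.8.1", "v1.9.0-beta1", "v1.9.0", "latest"}
	fmt.Println(SelectTags(tags, ">v1.8.0"))           // MIN_SCANNED_VERSION=v1.8.0
	fmt.Println(SelectTags(tags, ">v1.8.0, <v1.9.0")) // VERSION_CONSTRAINT
}
```

Two points worth noticing when you build your own filter: a pre-release tag such as v1.9.0-beta1 satisfies ">v1.8.0, <v1.9.0", so a range that is meant to cover only released images needs an explicit exclusion, and tags that are not semver (such as "latest") are skipped silently here, which is fine for selection but would be a bug in code that expects every tag to be scanned.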

Scanning enterprise images

If you want to run the enterprise security scanning locally, make sure your GITHUB_TOKEN environment variable is set and run the command with -r set to the enterprise repository:

IMAGE_REPO=quay.io/solo-io SCAN_DIR=_output/scans MIN_SCANNED_VERSION="v1.8.0" go run generate_docs.go run-security-scan -r glooe

Outputs

A scan produces two output folders:

_output/scans/gloo/markdown_results - one scan result for each image of each gloo version that was scanned, in Markdown. These files are uploaded to a Google Cloud bucket; docs generation (which runs on merges to master) later pulls them from there to build the human-readable security scans page shown in our docs.

_output/scans/gloo/sarif_results - the same results as .sarif files, one per image and version. These are uploaded to GitHub, where the findings appear on the Security tab of the gloo repo.
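To show what the .sarif files carry and how a CI check can act on them, here is an added example, not code from this package or from Trivy: a minimal Go reader for the SARIF 2.1.0 fields a gate needs. The embedded document is constructed for the example; its rule IDs are placeholders rather than real CVEs, and the scanner name and message texts are illustrative. Whether HIGH/CRITICAL findings land at SARIF level "error" depends on the producer's severity mapping, so confirm that mapping before gating on it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// sarifLog is a minimal view of a SARIF 2.1.0 log: only the fields a CI
// gate needs. encoding/json ignores everything else in the document.
type sarifLog struct {
	Runs []struct {
		Tool struct {
			Driver struct {
				Name string `json:"name"`
			} `json:"driver"`
		} `json:"tool"`
		Results []struct {
			RuleID  string `json:"ruleId"`
			Level   string `json:"level"` // SARIF levels: error, warning, note, none
			Message struct {
				Text string `json:"text"`
			} `json:"message"`
		} `json:"results"`
	} `json:"runs"`
}

// Summary is what a gate needs from one scan: result counts per SARIF level
// and the distinct rule IDs (CVE IDs for a vulnerability scanner) at error level.
type Summary struct {
	Tool     string
	ByLevel  map[string]int
	ErrorIDs []string
}

// Summarize parses a SARIF document and aggregates its results.
func Summarize(data []byte) (Summary, error) {
	var doc sarifLog
	if err := json.Unmarshal(data, &doc); err != nil {
		return Summary{}, fmt.Errorf("parse sarif: %w", err)
	}
	s := Summary{ByLevel: map[string]int{}}
	seen := map[string]bool{}
	for _, run := range doc.Runs {
		if s.Tool == "" {
			s.Tool = run.Tool.Driver.Name
		}
		for _, r := range run.Results {
			level := r.Level
			if level == "" {
				// SARIF's default when neither the result nor its rule sets a
				// level; this reader does not consult per-rule defaults.
				level = "warning"
			}
			s.ByLevel[level]++
			if level == "error" && !seen[r.RuleID] {
				seen[r.RuleID] = true
				s.ErrorIDs = append(s.ErrorIDs, r.RuleID)
			}
		}
	}
	sort.Strings(s.ErrorIDs)
	return s, nil
}

// Passes reports whether the scan has no error-level results, i.e. whether
// the image would clear a gate that fails on the producer's top severities.
func (s Summary) Passes() bool { return s.ByLevel["error"] == 0 }

// sampleSARIF is a constructed document in the shape a scanner emits. The
// rule IDs are placeholders, not real CVEs, and the messages are made up.
const sampleSARIF = `{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "Trivy"}},
    "results": [
      {"ruleId": "CVE-EXAMPLE-0002", "level": "error",
       "message": {"text": "Package: libexample / Installed: 1.0 / Fixed: 1.1"}},
      {"ruleId": "CVE-EXAMPLE-0001", "level": "error",
       "message": {"text": "Package: libother / Installed: 2.3 / Fixed: 2.4"}},
      {"ruleId": "CVE-EXAMPLE-0001", "level": "error",
       "message": {"text": "same ID reported at a second location"}},
      {"ruleId": "CVE-EXAMPLE-0003", "level": "warning",
       "message": {"text": "Package: libmedium / Installed: 0.9 / Fixed: none"}},
      {"ruleId": "CVE-EXAMPLE-0004",
       "message": {"text": "no level set; SARIF treats this as warning"}}
    ]
  }]
}`

func main() {
	s, err := Summarize([]byte(sampleSARIF))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s: %v error-level IDs=%v pass=%v\n", s.Tool, s.ByLevel, s.ErrorIDs, s.Passes())
}
```

The same rule ID appearing several times (one per location or layer) is normal in SARIF, which is why the summary counts results but deduplicates IDs; a gate that reports "3 findings" when there are two distinct CVEs will confuse whoever has to triage them.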

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func BuildSecurityScanReportGloo added in v1.7.0

func BuildSecurityScanReportGloo(tags []string) error

func BuildSecurityScanReportGlooE added in v1.7.0

func BuildSecurityScanReportGlooE(tags []string) error

func EnterpriseImages added in v1.9.0

func EnterpriseImages(before17 bool) []string

List of images only included in Gloo Edge Enterprise. In 1.7, the grpcserver images were replaced with gloo-fed images; for images before 1.7, set before17 to true.

func GetSecurityScanReport

func GetSecurityScanReport(url string) (string, error)

func OpenSourceImages added in v1.9.0

func OpenSourceImages() []string

List of images included in Gloo Edge open source.

Types

This section is empty.
