s3caa
Vulnerability management tool.
WIP: this repo is in the midst of significant refactoring. Expect a stable release around v0.1.
Features
The s3caa CLI currently only supports Google Container Analysis import operations. Other operations will be added in the future.
Google Container Analysis (GCA)
Import data from vulnerability scanner reports into Container Analysis service using its REST API.
s3caa import --project $project \
--source $image \
--file report.json \
--format snyk
The $image variable in the example above is the fully qualified URI of the image including its digest (e.g. us-docker.pkg.dev/project/repo/image@sha256:397d453...).
The currently supported scanners/formats include:
- grype
grype --add-cpes-if-none -s AllLayers -o json --file report.json $image
- snyk
snyk container test --app-vulns --json-file-output=report.json $image
- trivy
trivy image --format json --output report.json $image
To review the imported vulnerabilities (the filter is double-quoted so that $project and $image expand; a single-quoted filter would send the literal text $project to the API):
gcloud artifacts docker images list $repo \
--show-occurrences \
--format=json \
--occurrence-filter="kind=\"VULNERABILITY\" AND noteProjectId=\"$project\" AND resource_url=\"$image\" AND noteId=\"CVE-2005-2541\""
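The scan, import and review steps above, wrapped with two checks a practitioner wants before pushing occurrences into Container Analysis: that --source is a digest-pinned reference (the resource_url must match the image actually scanned) and that the occurrence filter is built with the shell variables expanded. This is an added example, not code from the s3caa project; it assumes the grype, s3caa and gcloud CLIs named on this page, and the helper names are mine.

```shell
#!/bin/sh
# Added example (not part of s3caa). Helper names are hypothetical.

# Return 0 when $1 is a fully qualified, digest-pinned image reference
# (registry[:port]/path@sha256:<64 hex chars>), which is what --source expects.
# A tag-only reference such as repo/image:latest is rejected: the occurrence's
# resource_url would then not identify the exact image that was scanned.
image_ref_is_pinned() {
    printf '%s\n' "$1" |
        grep -Eq '^[A-Za-z0-9.-]+(:[0-9]+)?(/[A-Za-z0-9._-]+)+@sha256:[0-9a-f]{64}$'
}

# Build the --occurrence-filter value for gcloud with $project, $image and the
# note id expanded, while keeping the inner double quotes the filter language needs.
occurrence_filter() {
    project="$1"; image="$2"; note="$3"
    printf 'kind="VULNERABILITY" AND noteProjectId="%s" AND resource_url="%s" AND noteId="%s"' \
        "$project" "$image" "$note"
}

# Scan one pinned image with grype, import the report, then list the
# occurrence for one note id back from Container Analysis.
import_and_review() {
    project="$1"; image="$2"; repo="$3"; note="${4:-CVE-2005-2541}"
    if ! image_ref_is_pinned "$image"; then
        echo "refusing to import: '$image' is not a digest-pinned reference" >&2
        return 2
    fi
    grype --add-cpes-if-none -s AllLayers -o json --file report.json "$image" || return
    s3caa import --project "$project" --source "$image" \
        --file report.json --format grype || return
    gcloud artifacts docker images list "$repo" --show-occurrences --format=json \
        --occurrence-filter="$(occurrence_filter "$project" "$image" "$note")"
}
```

Call it as import_and_review "$project" "$image" "$repo"; a fourth argument overrides the note id used in the review filter.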
Installation
You can install the s3caa CLI using one of the following ways. See the release section for s3caa checksums and SBOMs.
Go
If you have Go 1.17 or newer, you can install the latest s3caa using:
go install github.com/taechae/s3caa/cmd/s3caa@latest
Homebrew
On Mac or Linux, you can install s3caa with Homebrew:
brew tap taechae/s3caa
brew install s3caa
New releases will be picked up automatically when you run brew upgrade.
RHEL/CentOS
rpm -ivh https://github.com/taechae/s3caa/releases/download/v$VERSION/s3caa-${VERSION}_Linux-amd64.rpm
Debian/Ubuntu
wget https://github.com/taechae/s3caa/releases/download/v$VERSION/s3caa-${VERSION}_Linux-amd64.deb
sudo dpkg -i s3caa-${VERSION}_Linux-amd64.deb
Binary
You can also download the latest release of s3caa for your operating system/architecture from the releases page. Put the binary somewhere in your $PATH and make sure it has the executable bit set.
The official s3caa releases include SBOMs.
Prerequisites
Since you are interested in s3caa, you probably already have a GCP account and project. If not, you can learn about creating and managing projects here. The other prerequisites include:
APIs
s3caa also depends on a few GCP service APIs. To enable these, run:
gcloud services enable containeranalysis.googleapis.com
Roles
Make sure you have the following Identity and Access Management (IAM) roles in each project:
- roles/containeranalysis.occurrences.editor
- roles/containeranalysis.notes.editor
Learn how to grant multiple IAM roles to a user here.
If you experience any issues, you can inspect the project-level IAM policy using the following command:
gcloud projects get-iam-policy $PROJECT_ID --format=json > policy.json
Credentials
When running locally, s3caa will look for Google account credentials in one of the well-known locations. To ensure your Application Default Credentials (ADC) are used by s3caa, run this gcloud command and follow the prompts:
gcloud auth application-default login
More about ADC here.
Disclaimer
This is my personal project and it does not represent my employer. While I do my best to ensure that everything works, I take no responsibility for issues caused by this code.