Add Snyk docker container scanning (#2258)
* wip: adding snyk docker container scanning

* feat: upgrade to 15.2 alpine

* fix: github args

* fix: remove fossa

* fix: comments

* fix: comments

* fix: comments

* fix: use node 14.15.x LTS
s0l0ist authored Dec 11, 2020
1 parent 784fac6 commit 45ac3cb
Showing 6 changed files with 84 additions and 26 deletions.
15 changes: 0 additions & 15 deletions .circleci/config.yml
@@ -209,17 +209,6 @@ jobs:
name: Check bundle size
command: npm run bundlesize

# Upload dependency metadata to FOSSA, analyze offline
fossa_upload:
executor: panther-buildpack
resource_class: small
steps:
- checkout
- run: |
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install.sh | bash
- run:
command: fossa # generate config file, run dependency analysis, and upload metadata to FOSSA

workflows:
version: 2
pipeline:
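Review bot: removing `fossa_upload` also drops license-compliance analysis, which the Snyk container scan added elsewhere in this commit does not replace; FOSSA consumed dependency metadata for license checks, Snyk here reports package vulnerabilities in an image. If dropping license scanning is intended, say so in the commit message or README rather than leaving it implicit. On the positive side, deleting `curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install.sh | bash` removes an unpinned pipe-to-shell install from a mutable upstream branch that ran in CI with whatever the runner could reach.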
@@ -241,7 +230,3 @@ workflows:
- bundlesize:
requires:
- setup
- fossa_upload:
filters:
branches:
only: master
17 changes: 16 additions & 1 deletion .github/workflows/code-analysis.yml
@@ -1,5 +1,20 @@
name: 'Code Analysis'
# Panther is a Cloud-Native SIEM for the Modern Security Team.
# Copyright (C) 2020 Panther Labs Inc
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.

name: 'Code Analysis'
on:
pull_request:
branches:
63 changes: 63 additions & 0 deletions .github/workflows/docker-analysis.yml
@@ -0,0 +1,63 @@
# Panther is a Cloud-Native SIEM for the Modern Security Team.
# Copyright (C) 2020 Panther Labs Inc
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.

name: 'Docker Analysis'
on:
pull_request:
branches:
- master
schedule:
# Run every Sunday at 3pm
# https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows#schedule
- cron: '0 15 * * 0'

jobs:
docker_analysis:
name: Scan the web docker container for vulnerabilities
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v2
with:
# We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head.
fetch-depth: 2

# If this run was triggered by a pull request event (and not a scheduled run), then checkout
# the head of the pull request instead of the merge commit.
- run: git checkout HEAD^2
if: ${{ github.event_name == 'pull_request' }}

- name: Run Snyk to check Docker images for vulnerabilities
# Snyk can be used to break the build when it detects vulnerabilities.
# In this case we want it to fail CI
continue-on-error: false
uses: snyk/actions/docker@master
env:
# In order to use the Snyk Action you will need to have a Snyk API token.
# More details in https://github.com/snyk/actions#getting-your-snyk-token
# or you can signup for free at https://snyk.io/login
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: node:14.15-alpine
args: '--file=deployments/Dockerfile --severity-threshold=high'
# The default parameters do not work when testing locally with 'act' (brew install act). Therefore, we inline theme here which mimics
# how they would be interpreted if the above inputs worked.
# args: 'snyk test --file=deployments/Dockerfile --severity-threshold=high --docker node:14.15-alpine'
#
# To test locally, we need to use the image which replicates github actions. It takes a while to download the (6GB) image
# and to extract (18GB), be patient!
# > act -s SNYK_TOKEN=xxx pull_request -j docker_analysis -P ubuntu-latest=nektos/act-environments-ubuntu:18.04
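Review bot: `uses: snyk/actions/docker@master` pins a third-party action to a mutable branch while handing it `SNYK_TOKEN`, so a compromised or force-pushed `master` in that repository could exfiltrate the token or silently change scan results on the next Sunday run; pin to a release tag or, better, a full commit SHA. Two further caveats. First, `image: node:14.15-alpine` scans the upstream base image, not the image that `deployments/Dockerfile` produces (`--file` only maps findings back to Dockerfile instructions and suggests base-image alternatives), so nothing the Dockerfile adds with `apk add` or installs with npm is ever scanned; build the image in a preceding step and pass its tag as `image`. Second, the job runs on `pull_request` and reads `secrets.SNYK_TOKEN`, and GitHub does not expose repository secrets to workflows triggered from forks, so fork PRs will fail this job; that matters if it becomes a required check. Minor: cron schedules are evaluated in UTC, so the comment should read `3pm UTC`, and `continue-on-error: false` is already the default.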
5 changes: 0 additions & 5 deletions README.md
@@ -20,7 +20,6 @@
<!-- ALL-CONTRIBUTORS-BADGE:END -->
<a href="https://panther-labs-oss-slackin.herokuapp.com/"><img src="https://panther-labs-oss-slackin.herokuapp.com/badge.svg" alt="Slack"/></a>
<a href="https://circleci.com/gh/panther-labs/panther"><img src="https://circleci.com/gh/panther-labs/panther.svg?style=svg" alt="CircleCI"/></a>
<a href="https://app.fossa.com/projects/custom%2B15287%2Fgit%40github.com%3Apanther-labs%2Fpanther.git?ref=badge_shield"><img src="https://app.fossa.com/api/projects/custom%2B15287%2Fgit%40github.com%3Apanther-labs%2Fpanther.git.svg?type=shield" alt="FOSSA License Status"/></a>
<a href="https://cla-assistant.io/panther-labs/panther"><img src="https://cla-assistant.io/readme/badge/panther-labs/panther" alt="CLA Assistant"/></a>
<a href="https://magefile.org"><img src="https://magefile.org/badge.svg" alt="Built with Mage"/></a>
</p>
@@ -140,10 +139,6 @@ We welcome all contributions! Please read our contributing [guidelines](https://

Panther source code is licensed under [AGPLv3](https://github.com/panther-labs/panther/blob/master/LICENSE).

### FOSSA Status

[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B15287%2Fgit%40github.com%3Apanther-labs%2Fpanther.git.svg?type=large)](https://app.fossa.com/projects/custom%2B15287%2Fgit%40github.com%3Apanther-labs%2Fpanther.git?ref=badge_large)

## Contributors

Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
6 changes: 3 additions & 3 deletions deployments/Dockerfile
@@ -21,12 +21,12 @@
#
# **************** BUILD STAGE *******************
#
FROM node:13.2-alpine AS build-env
FROM node:14.15-alpine AS build-env

LABEL description="The image that builds the web code and serves it through an express NodeJS server"

# Update debian distro
RUN apk update && apk add --no-cache --update nasm libtool alpine-sdk autoconf automake
RUN apk update && apk add --no-cache --update nasm libtool alpine-sdk autoconf automake python

# Move all of our logic
RUN mkdir /code
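Review bot: adding `python` to the `apk add` line pulls Python 2 into the build stage, and Python 2 reached end of life in January 2020; if it is only there so node-gyp can compile native modules, prefer `python3`, which recent node-gyp releases support, so the build stage is not carrying an unmaintained interpreter. Separately, `apk update &&` in front of `apk add --no-cache` is redundant: `--no-cache` fetches the package index on its own, and the standalone update leaves index files in `/var/cache/apk` in the layer. The unchanged comment `# Update debian distro` above this line also names the wrong distribution; the image is Alpine.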
@@ -49,7 +49,7 @@ RUN npm run build
#
# **************** DEPLOYMENT & SERVE STAGE *******************
#
FROM node:13.2-alpine
FROM node:14.15-alpine

# Default to exposing `8080`
ENV SERVER_PORT=8080
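Review bot: `node:14.15-alpine` is a mutable tag, so the runtime stage built today and the image the weekly Snyk job scans can diverge without any change in this repository, and a finding reported on Sunday may not describe what was actually shipped. Pin both stages to an immutable digest (`node:14.15-alpine@sha256:...`, updated deliberately) so the scanned image and the served image are the same bytes, and so a base-image bump shows up as a reviewable diff rather than a silent rebuild.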
4 changes: 2 additions & 2 deletions tools/mage/deploy/deploy.go
@@ -130,8 +130,8 @@ func PreCheck() error {
if err != nil {
return fmt.Errorf("failed to check node version: %v", err)
}
if !strings.HasPrefix(strings.TrimSpace(nodeVersion), "v12") {
return fmt.Errorf("node version must be v12.x.x, found %s", nodeVersion)
if !strings.HasPrefix(strings.TrimSpace(nodeVersion), "v14") {
return fmt.Errorf("node version must be v14.x.x, found %s", nodeVersion)
}

// Make sure docker is running
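Review bot: the prefix check `strings.HasPrefix(..., "v14")` accepts any Node 14.x locally while the commit message targets 14.15.x LTS and `deployments/Dockerfile` now builds with `node:14.15-alpine`; if the two paths are meant to produce the same artifact, parse the version and compare major and minor (or at least document that only the major is enforced) so a developer on an older 14.x does not get a different build than CI. The error text `node version must be v14.x.x` is consistent with what the code checks, so it only needs changing if the check is tightened.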
