From 45ac3cb9a3ee7023c6fc61e3e54d20a207d32dc8 Mon Sep 17 00:00:00 2001
From: Nick Angelou
Date: Fri, 11 Dec 2020 12:31:45 -0600
Subject: [PATCH] Add Snyk docker container scanning (#2258)

* wip: adding snyk docker container scanning
* feat: upgrade to 15.2 alpine
* fix: github args
* fix: remove fossa
* fix: comments
* fix: comments
* fix: comments
* fix: use node 14.15.x LTS
---
 .circleci/config.yml | 15 -------
 .github/workflows/code-analysis.yml | 17 +++++++-
 .github/workflows/docker-analysis.yml | 63 +++++++++++++++++++++++++++
 README.md | 5 ---
 deployments/Dockerfile | 6 +-
 tools/mage/deploy/deploy.go | 4 +-
 6 files changed, 84 insertions(+), 26 deletions(-)
 create mode 100644 .github/workflows/docker-analysis.yml
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 620027fa29..480ff42d72 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -209,17 +209,6 @@ jobs:
 name: Check bundle size
 command: npm run bundlesize
- # Upload dependency metadata to FOSSA, analyze offline
- fossa_upload:
- executor: panther-buildpack
- resource_class: small
- steps:
- - checkout
- - run: |
- curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install.sh | bash
- - run:
- command: fossa # generate config file, run dependency analysis, and upload metadata to FOSSA
-
 workflows:
 version: 2
 pipeline:
@@ -241,7 +230,3 @@ workflows:
 - bundlesize:
 requires:
 - setup
- - fossa_upload:
- filters:
- branches:
- only: master
diff --git a/.github/workflows/code-analysis.yml b/.github/workflows/code-analysis.yml
index a6ce5d89a3..f1503af597 100644
--- a/.github/workflows/code-analysis.yml
+++ b/.github/workflows/code-analysis.yml
@@ -1,5 +1,20 @@
-name: 'Code Analysis'
+# Panther is a Cloud-Native SIEM for the Modern Security Team.
+# Copyright (C) 2020 Panther Labs Inc
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+name: 'Code Analysis'
 on:
 pull_request:
 branches:
diff --git a/.github/workflows/docker-analysis.yml b/.github/workflows/docker-analysis.yml
new file mode 100644
index 0000000000..6a1ff29293
--- /dev/null
+++ b/.github/workflows/docker-analysis.yml
@@ -0,0 +1,63 @@
+# Panther is a Cloud-Native SIEM for the Modern Security Team.
+# Copyright (C) 2020 Panther Labs Inc
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+
+name: 'Docker Analysis'
+on:
+ pull_request:
+ branches:
+ - master
+ schedule:
+ # Run every Sunday at 3pm
+ # https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows#schedule
+ - cron: '0 15 * * 0'
+
+jobs:
+ docker_analysis:
+ name: Scan the web docker container for vulnerabilities
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+ with:
+ # We must fetch at least the immediate parents so that if this is
+ # a pull request then we can checkout the head.
+ fetch-depth: 2
+
+ # If this run was triggered by a pull request event (and not a scheduled run), then checkout
+ # the head of the pull request instead of the merge commit.
+ - run: git checkout HEAD^2
+ if: ${{ github.event_name == 'pull_request' }}
+
+ - name: Run Snyk to check Docker images for vulnerabilities
+ # Snyk can be used to break the build when it detects vulnerabilities.
+ # In this case we want it to fail CI
+ continue-on-error: false
+ uses: snyk/actions/docker@master
+ env:
+ # In order to use the Snyk Action you will need to have a Snyk API token.
+ # More details in https://github.com/snyk/actions#getting-your-snyk-token
+ # or you can signup for free at https://snyk.io/login
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ image: node:14.15-alpine
+ args: '--file=deployments/Dockerfile --severity-threshold=high'
+ # The default parameters do not work when testing locally with 'act' (brew install act). Therefore, we inline theme here which mimics
+ # how they would be interpreted if the above inputs worked.
+ # args: 'snyk test --file=deployments/Dockerfile --severity-threshold=high --docker node:14.15-alpine'
+ #
+ # To test locally, we need to use the image which replicates github actions. It takes a while to download the (6GB) image
+ # and to extract (18GB), be patient!
+ # > act -s SNYK_TOKEN=xxx pull_request -j docker_analysis -P ubuntu-latest=nektos/act-environments-ubuntu:18.04
diff --git a/README.md b/README.md
index 944155baab..3ded2ee85a 100644
--- a/README.md
+++ b/README.md
@@ -20,7 +20,6 @@ Slack CircleCI - FOSSA License Status CLA Assistant Built with Mage
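Review bot: `uses: snyk/actions/docker@master` in the Snyk step pins a third-party action to a moving branch while handing it `secrets.SNYK_TOKEN`, so whatever lands on that branch later runs here with the token and without review in this repository; pin it to a full commit SHA, `uses: snyk/actions/docker@<full-commit-sha>  # <released tag>`, and bump it deliberately. A second point, hedged because the workflow never builds an image: `image: node:14.15-alpine` scans the upstream base image, so packages the `RUN apk add` line in deployments/Dockerfile installs and the npm dependencies baked into the final stage are presumably outside this scan; building the image in a preceding step and passing its tag as `image` would make the scan match what is shipped. Also, on pull requests from forks GitHub does not expose repository secrets, so the `git checkout HEAD^2` path reaches the Snyk step with an empty `SNYK_TOKEN` and, with `continue-on-error: false`, fails the check for every external contributor; an `if:` guard on the step or a comment stating that fork PRs are expected to skip it would document the intent.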

@@ -140,10 +139,6 @@ We welcome all contributions! Please read our contributing [guidelines](https://
 Panther source code is licensed under [AGPLv3](https://github.com/panther-labs/panther/blob/master/LICENSE).
-### FOSSA Status
-
-[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B15287%2Fgit%40github.com%3Apanther-labs%2Fpanther.git.svg?type=large)](https://app.fossa.com/projects/custom%2B15287%2Fgit%40github.com%3Apanther-labs%2Fpanther.git?ref=badge_large)
-
 ## Contributors
 Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
diff --git a/deployments/Dockerfile b/deployments/Dockerfile
index 12c97e37a8..b45b66b4df 100644
--- a/deployments/Dockerfile
+++ b/deployments/Dockerfile
@@ -21,12 +21,12 @@
 #
 # **************** BUILD STAGE *******************
 #
-FROM node:13.2-alpine AS build-env
+FROM node:14.15-alpine AS build-env
 LABEL description="The image that builds the web code and serves it through an express NodeJS server"
 # Update debian distro
-RUN apk update && apk add --no-cache --update nasm libtool alpine-sdk autoconf automake
+RUN apk update && apk add --no-cache --update nasm libtool alpine-sdk autoconf automake python
 # Move all of our logic
 RUN mkdir /code
@@ -49,7 +49,7 @@ RUN npm run build
 #
 # **************** DEPLOYMENT & SERVE STAGE *******************
 #
-FROM node:13.2-alpine
+FROM node:14.15-alpine
 # Default to exposing `8080`
 ENV SERVER_PORT=8080
diff --git a/tools/mage/deploy/deploy.go b/tools/mage/deploy/deploy.go
index b521ae943e..a113950648 100644
--- a/tools/mage/deploy/deploy.go
+++ b/tools/mage/deploy/deploy.go
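Review bot: The `python` package appended to the `apk add` line of the build stage is, on Alpine, the Python 2 interpreter, which has been end-of-life since January 2020 and gets no security fixes (confirm with `apk info python` on the base image, the name resolution differs between Alpine releases); if it is only needed by node-gyp for native modules, the node-gyp bundled with the npm that ships in Node 14 accepts `python3`, so `RUN apk add --no-cache nasm libtool alpine-sdk autoconf automake python3` keeps the build stage on a maintained interpreter. This only affects `build-env`; the final `FROM node:14.15-alpine` stage does not inherit the package, so the runtime image is unchanged either way. While here, `apk update` followed by `apk add --no-cache --update` is redundant and leaves the downloaded package index in the layer, and the `# Update debian distro` comment above it no longer describes an Alpine image.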
@@ -130,8 +130,8 @@ func PreCheck() error {
 if err != nil {
 return fmt.Errorf("failed to check node version: %v", err)
 }
- if !strings.HasPrefix(strings.TrimSpace(nodeVersion), "v12") {
- return fmt.Errorf("node version must be v12.x.x, found %s", nodeVersion)
+ if !strings.HasPrefix(strings.TrimSpace(nodeVersion), "v14") {
+ return fmt.Errorf("node version must be v14.x.x, found %s", nodeVersion)
 }
 // Make sure docker is running
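Review bot: The new check trims `nodeVersion` for the comparison but the error on the next line formats the untrimmed value, so if the version comes straight from command output the message carries its trailing newline, and the bare `"v14"` prefix would also accept a future `v140`-style major; trim once and include the dot, `trimmed := strings.TrimSpace(nodeVersion)` / `if !strings.HasPrefix(trimmed, "v14.") {` / `return fmt.Errorf("node version must be v14.x.x, found %q", trimmed)`. `%q` makes an empty or whitespace-only version visible in the message rather than printing nothing. PreCheck begins before the hunk and continues after it, so where nodeVersion is read is not visible here; the trailing-newline point assumes it is the raw `node --version` output.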