Merge pull request codefresh-io#19 from codefresh-io/add-twistlock-scan-from-steelcase

adding twistlock scanning plugin from Steelcase

Author: alexei-led

stable/twistlock-scan/Dockerfile

@@ -0,0 +1,50 @@
+FROM ubuntu:xenial
+
+ENV LANG C.UTF-8
+
+RUN { \
+      echo '#!/bin/sh'; \
+      echo 'set -e'; \
+      echo; \
+      echo 'dirname "$(dirname "$(readlink -f "$(which javac || which java)")")"'; \
+    } > /usr/local/bin/docker-java-home && \
+    chmod +x /usr/local/bin/docker-java-home
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+      bzip2 \
+      unzip \
+      xz-utils \
+      apt-transport-https \
+      ca-certificates \
+      curl \
+      software-properties-common \
+      python3-openssl && \
+    curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - && \
+    add-apt-repository \
+    "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
+    $(lsb_release -cs) \
+    stable" && \
+    apt-get update && apt-get install -y --no-install-recommends \
+	  docker-ce=17.09.0~ce-0~ubuntu && \
+    apt-get install -y \
+      openjdk-8-jre \
+    ; \
+    rm -rf /var/lib/apt/lists/*; \
+    \
+    [ "$JAVA_HOME" = "$(docker-java-home)" ]; \
+    \
+    update-alternatives --get-selections | awk -v home="$JAVA_HOME" 'index($3, home) == 1 { $2 = "manual"; print | "update-alternatives --set-selections" }'; \
+    update-alternatives --query java | grep -q 'Status: manual' && \
+    mkdir /packages && \
+    curl -o /packages/twistcli https://cdn.twistlock.com/support/twistcli && \
+    curl -o /packages/nexus-iq-cli-1.38.0-02.jar https://download.sonatype.com/clm/scanner/nexus-iq-cli-1.38.0-02.jar
+
+COPY scripts /scripts
+
+RUN	chmod +x -R /packages
+RUN	chmod +x -R /scripts
+
+WORKDIR /scripts
+
+ENTRYPOINT ["/usr/bin/python3"]
+CMD [""]

stable/twistlock-scan/LICENSE.md

@@ -0,0 +1,7 @@
+© 2017 Steelcase Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

stable/twistlock-scan/README.md

@@ -0,0 +1,105 @@
+# Security Scanning Tools [![Codefresh build status]( https://g.codefresh.io/api/badges/build?repoOwner=SC-TechDev&repoName=docker-security-scanner&branch=master&pipelineName=docker-security-scanner&accountName=sctechdevservice&type=cf-1)]( https://g.codefresh.io/repositories/SC-TechDev/docker-security-scanner/builds?filter=trigger:build;branch:master;service:59e62c5410e3d100019e7f3d~docker-security-scanner)
+
+Docker image which invokes security script using TwistCLI (Nexus coming soon)
+
+### Prerequisites:
+
+Codefresh Subscription (Dedicated Infrastructure) - https://codefresh.io/
+
+Twistlock Subscription - https://www.twistlock.com/
+
+### Documentation:
+
+Twistlock CLI: https://twistlock.desk.com/customer/en/portal/articles/2875595-twistcli?b_id=16619
+
+Nexus IQ CLI: TBD
+
+## Script Library
+
+### twistlock.py
+
+Executes TwistCLI to scan Docker image given.
+
+### options
+
+To use an ENVIRONMENT VARIABLE you need to add the variables to your Codefresh Pipeline and also to your codefresh.yaml.
+
+
+Example `codefresh.yml` build is below with required ENVIRONMENT VARIABLES in place.
+
+
+| ENVIRONMENT VARIABLE | SCRIPT ARGUMENT | DEFAULT | TYPE | REQUIRED | DESCRIPTION |
+|----------------------------|--------------------------------------|----------|---------|----------|---------------------------------------------------------------------------------------------------------------------------------|
+| CF_METADATA | [ -c, --cf_metadata ] | null | boolean | No | In combination with TL_UPLOAD stores Twistlock Report URL in TL_REPORT_URL var for Codefresh metadata annotation |
+| TL_CONSOLE_HOSTNAME | [ -C, --tl_console_hostname ] | null | string | Yes | hostname/ip |
+| TL_CONSOLE_PORT | [ -P, --tl_console_port ] | null | string | Yes | port |
+| TL_CONSOLE_USERNAME | [ -U, --tl_console_username ] | null | string | Yes | username |
+| TL_CONSOLE_PASSWORD | [ -X, --tl_console_password ] | null | string | Yes | password |
+| TL_ONLY | [ -Z, --tl_only ] | null | boolean | Yes | Twistlock Console Only (Required for now Nexus TBD) |
+| TL_TLS_ENABLED | [ -T, --tl_tls_enabled ] | null | boolean | No | enable TLS |
+| TL_HASH | [ -H, --tl_hash ] | [ sha1 ] | string | No | [ md5, sha1, sha256 ] hashing algorithm |
+| TL_UPLOAD | [ -R, --tl_upload ] | null | boolean | No | ( ignores all options below if set and only returns report url ) uploads report to Twistlock to be used later via Twistlock API |
+| TL_DETAILS | [ -D, --tl_details ] | null | boolean | No | prints an itemized list of each vulnerability found by the scanner |
+| TL_ONLY_FIXED | [ -O, --tl_only_fixed ] | null | boolean | No | reports just the vulnerabilites that have fixes available |
+| TL_COMPLIANCE_THRESHOLD | [ -M, --tl_compliance_threshold ] | null | string | No | [ low, medium, high ] sets the the minimal severity compliance issue that returns a fail exit code |
+| TL_VULNERABILITY_THRESHOLD | [ -V, --tl_vulnerability_threshold ] | null | string | No | [ low, medium, high, critical ] sets the minimal severity vulnerability that returns a fail exit code |
+
+### codefresh.yml
+
+Codefresh Build Step to execute Twistlock scan.
+All `${{var}}` variables must be put into Codefresh Build Parameters
+codefresh.yml
+```console
+  buildimage:
+    type: build
+    title: Build Runtime Image
+    dockerfile: Dockerfile
+    image_name: # Image you're building/scanning [repository/image]
+    tag: latest-cf-build-candidate
+
+  nexus_iq_scan_build_stage:
+    type: composition
+    composition:
+      version: '2'
+      services:
+        imagebuild:
+          image: ${{buildimage}}
+          command: sh -c "exit 0"
+          labels:
+            build.image.id: ${{CF_BUILD_ID}}
+    composition_candidates:
+      scan_service:
+        image: sctechdev/docker-security-scanner
+        environment:
+          - TL_CONSOLE_HOSTNAME=${{TL_CONSOLE_HOSTNAME}}
+          - TL_CONSOLE_PORT=${{TL_CONSOLE_PORT}}
+          - TL_CONSOLE_USERNAME=${{TL_CONSOLE_USERNAME}}
+          - TL_CONSOLE_PASSWORD=${{TL_CONSOLE_PASSWORD}}
+          - TL_ONLY=${{TL_ONLY}}
+        command: twistlock.py -i "$$(docker inspect $$(docker inspect $$(docker ps -aqf label=build.image.id=${{CF_BUILD_ID}}) -f {{.Config.Image}}) -f {{.Id}} | sed 's/sha256://g')"
+        depends_on:
+          - imagebuild
+        volumes:
+          - /var/run/docker.sock:/var/run/docker.sock
+          - /var/lib/docker:/var/lib/docker
+          # Everything below this line is Optional for CF_METADATA
+          - '${{CF_VOLUME_NAME}}:/codefresh/volume'
+    add_flow_volume_to_composition: true
+
+  export:
+    title: "Exporting variables..."
+    image: alpine
+    commands:
+      - echo "Exporting variables..."
+
+  set_metadata:
+    title: "Setting metadata on image..."
+    image: alpine
+    commands:
+      - echo "Setting metadata on image..."
+    on_finish:
+      metadata:
+        set:
+          - '${{build_step.imageId}}':
+              - TwistlockSecurityReport: ${{TL_REPORT_URL}}
+```

stable/twistlock-scan/codefresh.yml

@@ -0,0 +1,41 @@
+version: '1.0'
+
+steps:
+
+  buildimage:
+    type: build
+    description: image build step
+    dockerfile: Dockerfile
+    image_name: sctechdev/docker-security-scanner
+    tag: latest-cf-build-candidate
+
+  push_image:
+    type: push
+    candidate: ${{buildimage}}
+    tag: latest
+    when:
+      branch:
+        only:
+          - master
+  push_image1:
+    type: push
+    candidate: ${{buildimage}}
+    tag: ${{CF_BRANCH_TAG_NORMALIZED}}-${{CF_SHORT_REVISION}}
+
+  push_image_nexus_latest:
+    title: Push to Nexus Repo (latest)
+    type: push
+    candidate: ${{buildimage}}
+    tag: latest
+    registry: sonatype-docker-internal
+    when:
+      branch:
+        only:
+          - master
+
+  push_image_neuxs_gitbranch_gitsha:
+    title: Push to Nexus Repo (gitbranch + gitsha)
+    type: push
+    candidate: ${{buildimage}}
+    tag: ${{CF_BRANCH_TAG_NORMALIZED}}-${{CF_SHORT_REVISION}}
+    registry: sonatype-docker-internal

stable/twistlock-scan/plugin.yaml

@@ -0,0 +1,65 @@
+image: docker.io/sctechdev/docker-security-scanner
+tag: master-c81e6d4
+version: 2.2
+description: Execute Twistlock image scan as build step
+keywords:
+  - Twistlock 2.2
+home: https://hub.docker.com/r/sctechdev/docker-security-scanner/
+sources:
+  - https://github.com/SC-TechDev/docker-security-scanner
+maintainers: 
+  - name: Dustin Van Buskirk
+    email: dev@vanbuskirk.me
+  - name: Varun Tagore
+    email: rondevops@gmail.com
+icon: A URL to an SVG or PNG image to be used as an icon (optional)
+envs:
+  - name: CF_METADATA
+    type: required
+    description: Boolean; combination with TL_UPLOAD stores Twistlock Report URL in TL_REPORT_URL var for Codefresh metadata annotation
+  - name: TL_CONSOLE_HOSTNAME
+    type: required
+    description: Hostname or IP of Twistlock Console
+  - name: TL_CONSOLE_PORT
+    type: required
+    description: Port of Twistlock Console
+  - name: TL_CONSOLE_USERNAME
+    type: required
+    description: Username of Twistlock Console
+  - name: TL_CONSOLE_PASSWORD
+    type: required
+    description: Password of Twistlock Console User
+  - name: TL_ONLY
+    type: required
+    description: Twistlock Console Scan Only (No Nexus)
+  - name: TL_TLS_ENABLED
+    type: optional
+    description: Boolean; Enable TLS connection to Twistlock Console
+  - name: TL_HASH
+    type: optional
+    description: Hashing Algorithm to use
+  - name: TL_UPLOAD
+    type: optional
+    description: Upload report to Twistlock Console and return URL (Overrides all other options only returns URL)
+  - name: TL_DETAILS
+    type: optional
+    description: Prints an itemized list of each vulnerability found by the scanner
+  - name: TL_ONLY_FIXED
+    type: optional
+    description: reports just the vulnerabilites that have fixes available
+  - name: TL_COMPLIANCE_THRESHOLD
+    type: optional
+    description: [ low, medium, high ] sets the the minimal severity compliance issue that returns a fail exit code
+  - name: TL_VULNERABILITY_THRESHOLD
+    type: optional
+    description: [ low, medium, high, critical ] sets the minimal severity vulnerability that returns a fail exit code
+volumes:
+  - name: /var/run/docker.sock:/var/run/docker.sock
+    required: true
+    description: Docker socket for DIND
+  - name: /var/lib/docker:/var/lib/docker
+    required: true
+    description: Docker lib access for DIND
+  - name: '${{CF_VOLUME_NAME}}:/codefresh/volume'
+    required: false
+    description: Volume required if setting Docker image metadata using Codefresh