-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
fecfbd2
commit 83bb12d
Showing
29 changed files
with
197 additions
and
989 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,135 +1,26 @@ | ||
# ECR Scan Results Buildkite Plugin | ||
# Example Go Buildkite Plugin | ||
|
||
Buildkite plugin to retrieve ECR scan results from AWS's ECR image scanning | ||
service. By default the plugin will cause the step to fail if there are critical | ||
or high vulnerabilities reported, but there are configurable thresholds on this | ||
behaviour. | ||
An example Buildkite plugin written in Go, demonstrating on-demand download of the | ||
public release files from Github and execution. | ||
|
||
> ℹ️ TIP: if you want the build to continue when vulnerabilities are found, be | ||
> sure to supply values for `max-criticals` and `max-highs` parameters. If these | ||
> are set to high values your build will never fail, but details will be | ||
> supplied in the annotation. | ||
> | ||
> Check out the FAQs below for more information | ||
To demonstrate interaction with the Buildkite agent, the example includes code | ||
to annotate the build with a message. | ||
|
||
This example is reverse engineered from [@cultureamp/ecr-scan-results-buildkite-plugin](https://github.com/cultureamp/ecr-scan-results-buildkite-plugin). | ||
|
||
## Example | ||
|
||
Add the following lines to your `pipeline.yml`: | ||
|
||
```yml | ||
steps: | ||
- command: "command which creates an image" | ||
# the docker-compose plugin may be used here instead of a command | ||
plugins: | ||
- cultureamp/ecr-scan-results#v1.2.0: | ||
image-name: "$BUILD_REPO:deploy-$BUILD_TAG" | ||
``` | ||
In a pipeline this will look something like: | ||
```yml | ||
steps: | ||
- label: ":docker: Build and push CDK deployment image" | ||
command: "bin/ci_cdk_build_and_push.sh" | ||
agents: | ||
queue: ${BUILD_AGENT} | ||
plugins: | ||
- cultureamp/aws-assume-role: | ||
role: ${BUILD_ROLE} | ||
- cultureamp/ecr-scan-results#v1.2.0: | ||
image-name: "$BUILD_REPO:deploy-$BUILD_TAG" | ||
``` | ||
If you want the pipeline to pass with some vulnerabilities then set | ||
`max-criticals` and `max-highs` like below. This pipeline will pass if there is | ||
one critical vulenerability but fail if there are two. Similarly it will fail if | ||
there are eleven high vulnerabilities. | ||
|
||
```yml | ||
steps: | ||
- label: ":docker: Build and push CDK deployment image" | ||
command: "bin/ci_cdk_build_and_push.sh" | ||
agents: | ||
queue: ${BUILD_AGENT} | ||
plugins: | ||
- cultureamp/aws-assume-role: | ||
role: ${BUILD_ROLE} | ||
- cultureamp/ecr-scan-results#v1.2.0: | ||
image-name: "$BUILD_REPO:deploy-$BUILD_TAG" | ||
max-criticals: "1" | ||
max-highs: "10" | ||
- plugins: | ||
- cultureamp/example-go#v0.1.0: | ||
message: "This is the message that will be annotated!" | ||
``` | ||
## Configuration | ||
### `image-name` (Required, string) | ||
|
||
The name of the container image in ECR. This should be the same string that is | ||
supplied as an arguement to the `docker push` command used to push the image to | ||
AWS ECR. It should have the form: | ||
`AWS_ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/REPOSITORY_NAME:IMAGE_TAG` with the | ||
text in capitals replaced with the appropriate values for your environment. | ||
|
||
### `max-criticals` (Optional, string) | ||
|
||
If the number of critical vulnerabilities in the image exceeds this threshold | ||
the build is failed. Defaults to 0. Use a sufficiently large number (e.g. 999) | ||
to allow the build to always pass. | ||
|
||
### `max-highs` (Optional, string) | ||
|
||
If the number of high vulnerabilities in the image exceeds this threshold the | ||
build is failed. Defaults to 0. Use a sufficiently large number (e.g. 999) to | ||
allow the build to always pass. | ||
|
||
### `image-label` (Optional, string) | ||
|
||
When supplied, this is used to title the report annotation in place of the | ||
repository name and tag. Useful sometimes when the repo name and tag make the | ||
reports harder to scan visually. | ||
|
||
## Requirements | ||
|
||
### ECR Scan on Push | ||
|
||
This plugin assumes that the ECR repository has the `ScanOnPush` setting set (see | ||
the [AWS | ||
docs](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html) | ||
for more information). By default this is not set on AWS ECR repositories. | ||
However `Base Infrastructure for Services` configures this for all repostories | ||
that it creates so for `cultureamp` pipelines no change should be required. | ||
|
||
### Agent role requires the ecr:DescribeImages permission | ||
|
||
The Buildkite agent needs the AWS IAM `ecr:DescribeImages` permission to | ||
retrieve the vulnerability scan counts. Culture Amp build-roles created by `Base | ||
Infrastructure for Services` have all been modified to include this permission. | ||
|
||
### Scratch images are not supported | ||
|
||
ECR cannot scan scratch based images, and this should be OK as the underlying | ||
container doesn't contain packages to scan. | ||
|
||
If this plugin is installed and pointed at a scratch image you may receive an | ||
error and it may block the pipeline as a result. The error | ||
`UnsupportedImageError` is expected in this scenario; see [the ECR | ||
docs](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-troubleshooting.html) | ||
for more information. | ||
|
||
## FAQ | ||
|
||
### I have a vulnerability that isn't resolved yet, but I can wait on fixing. How do I do configure this plugin so I can unblock my builds? | ||
|
||
Refer to how to set your [max-criticals](https://github.com/cultureamp/ecr-scan-results-buildkite-plugin#max-criticals-optional-string), and [max-highs](https://github.com/cultureamp/ecr-scan-results-buildkite-plugin#max-highs-optional-string). | ||
|
||
### Are there guidelines on using up? | ||
|
||
Yes. Changing the `max-criticals` and `max-high` settings should not be taken lightly. | ||
|
||
This option is effectively a deferral of fixing the vulnerability. **Assess the situation first**. If the CVE describes a scenario that aligns with how your project is used, then you should be working to fix it rather than defer it. For help on this, check out the following the steps outlined [here](https://cultureamp.atlassian.net/wiki/spaces/PST/pages/2960916852/Central+SRE+Support+FAQs#I-have-high%2Fcritical-vulnerabilities-for-my-ECR-image%2C-and-its-blocking-my-builds.-What%E2%80%99s-going-on%3F). | ||
|
||
Below are some recommendations if you choose to exercise this option: | ||
|
||
1. Set the thresholds to the number of identified high or critical vulnerabilities. This is so you’re not permitting more vulnerabilities than you should. Especially for those you can fix by updating dependencies or packages. | ||
### `message` (Required, string) | ||
|
||
2. Set a scheduled reminder for your team to check if a fix is available for the CVE. If a fix is available, address it, and then lower your threshold for the respective vulnerability severity. | ||
The message to annotate onto the build. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,17 +1,17 @@ | ||
apiVersion: backstage.io/v1alpha1 | ||
kind: Component | ||
metadata: | ||
name: ecr-scan-results-buildkite-plugin | ||
name: example-go-buildkite-plugin | ||
description: | | ||
Buildkite plugin to retrieve ECR scan results | ||
Example Buildkite plugin to demonstate Github release delivery | ||
tags: | ||
- camp-sre | ||
- data-internal-use-only | ||
- users-internal | ||
annotations: | ||
github.com/project-slug: cultureamp/ecr-scan-results-buildkite-plugin | ||
github.com/team-slug: cultureamp/sre-foundations | ||
github.com/project-slug: cultureamp/example-go-buildkite-plugin | ||
github.com/team-slug: cultureamp/sre-enablement | ||
spec: | ||
type: library | ||
owner: sre-foundations | ||
owner: sre-enablement | ||
lifecycle: production |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,20 +1,11 @@ | ||
name: ECR Scan Results | ||
name: Example Go | ||
description: > | ||
Retrieves vulnerability scan results from ECR, creating a report as an | ||
annotation on the build. Will fail the step if vulnerabilities exist (though | ||
this is configurable). | ||
Demonstrates an on-demand Github release download | ||
and run pattern for delivery Go-based Buildkite | ||
plugins. | ||
author: https://github.com/cultureamp | ||
requirements: | ||
- docker | ||
- jq | ||
requirements: [] | ||
configuration: | ||
properties: | ||
image-name: | ||
message: | ||
type: string | ||
max-criticals: | ||
type: string | ||
max-highs: | ||
type: string | ||
image-label: | ||
type: string | ||
additionalProperties: false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,43 +1,21 @@ | ||
module github.com/cultureamp/ecrscanresults | ||
module github.com/cultureamp/examplego | ||
|
||
go 1.20 | ||
|
||
require ( | ||
github.com/MarvinJWendt/testza v0.4.1 | ||
github.com/aws/aws-sdk-go-v2 v1.17.7 | ||
github.com/aws/aws-sdk-go-v2/config v1.18.19 | ||
github.com/aws/aws-sdk-go-v2/service/ecr v1.18.7 | ||
github.com/justincampbell/timeago v0.0.0-20160528003754-027f40306f1d | ||
github.com/kelseyhightower/envconfig v1.4.0 | ||
github.com/stretchr/testify v1.7.1 | ||
github.com/stretchr/testify v1.8.4 | ||
) | ||
|
||
require github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.6 // indirect | ||
require ( | ||
github.com/kr/pretty v0.1.0 // indirect | ||
github.com/stretchr/objx v0.5.0 // indirect | ||
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect | ||
) | ||
|
||
require ( | ||
github.com/atomicgo/cursor v0.0.1 // indirect | ||
github.com/aws/aws-sdk-go-v2/credentials v1.13.18 // indirect | ||
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.1 // indirect | ||
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.31 // indirect | ||
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.25 // indirect | ||
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.32 // indirect | ||
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.25 // indirect | ||
github.com/aws/aws-sdk-go-v2/service/sso v1.12.6 // indirect | ||
github.com/aws/aws-sdk-go-v2/service/sts v1.18.7 // indirect | ||
github.com/aws/smithy-go v1.13.5 // indirect | ||
github.com/davecgh/go-spew v1.1.1 // indirect | ||
github.com/gookit/color v1.5.0 // indirect | ||
github.com/jmespath/go-jmespath v0.4.0 // indirect | ||
github.com/justincampbell/bigduration v0.0.0-20160531141349-e45bf03c0666 // indirect | ||
github.com/klauspost/cpuid/v2 v2.0.12 // indirect | ||
github.com/mattn/go-runewidth v0.0.13 // indirect | ||
github.com/pmezard/go-difflib v1.0.0 // indirect | ||
github.com/pterm/pterm v0.12.41 // indirect | ||
github.com/rivo/uniseg v0.2.0 // indirect | ||
github.com/sergi/go-diff v1.2.0 // indirect | ||
github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect | ||
golang.org/x/sys v0.6.0 | ||
golang.org/x/term v0.0.0-20220411215600-e5f449aeb171 // indirect | ||
golang.org/x/text v0.8.0 | ||
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect | ||
gopkg.in/yaml.v3 v3.0.1 // indirect | ||
) |
Oops, something went wrong.