Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Aqua (#418) #419

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 0 additions & 8 deletions coming-soon/aqua/icon.svg

This file was deleted.

11 changes: 0 additions & 11 deletions coming-soon/aqua/workflowTemplate.yaml

This file was deleted.

9 changes: 9 additions & 0 deletions workflows/aqua/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
# Changelog

## v0.0.1 7/2/2022

Initial Aqua template.

Template includes:

* Aqua Security scan
60 changes: 60 additions & 0 deletions workflows/aqua/assets/icon.svg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
18 changes: 18 additions & 0 deletions workflows/aqua/versions/0.0.1/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
# Starting-Template

## Summary

Execute an Aqua container security scan.

## Templates


1. [Aqua Security Scan](https://github.com/codefresh-io/argo-hub/blob/main/workflows/aqua/versions/0.0.1/docs/aqua-security-scan.md)



## Security

Minimal required permissions

[Full rbac permissions list](https://github.com/codefresh-io/argo-hub/blob/main/workflows/aqua/versions/0.0.1/rbac.yaml)
63 changes: 63 additions & 0 deletions workflows/aqua/versions/0.0.1/docs/aqua-security-scan.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
# aqua-security-scan

## Summary
Execute an Aqua container security scan.

## Inputs/Outputs

### Inputs
* AQUA_HOST (required) - Aqua Host URI including protocol ex. https://aqua.mydomain.com
* AQUA_SECRET (required) - The Kubernetes secret with Aqua log in credentials
* AQUA_PASSWORD (optional) - The key in the Kubernetes secret with the Aqua password. Default is 'password'
* AQUA_USERNAME (optional) - The key in the Kubernetes secret with the Aqua username. Default is 'username'
* AQUA_TOKEN (optional) - The key in the Kubernetes secret with the Aqua scanner token. A unique token generated for each scanner while adding a scanner daemon from the Administration > Scanners page. Default is 'token'
* IMAGE (required) - Image Name
* REGISTRY (required) - Name of registry that holds the image
* TAG (optional) - Image Tag. Default is 'latest'

### Secrets
* Aqua Secret - in order for this template to work a secret named `aqua-secret` must exist with aqua token.
```
apiVersion: v1
kind: Secret
metadata:
name: aqua-secret
type: Opaque
data:
token: echo -n 'aqua scanner token' | base64
username: echo -n 'aqua username' | base64
password: echo -n 'aqua password' | base64
```

### Outputs
no outputs

## Examples

### task Example
```
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
generateName: aqua-security-scan-
spec:
entrypoint: main
templates:
- name: main
dag:
tasks:
- name: aqua-security-scan
templateRef:
name: argo-hub.aqua.0.0.1
template: aqua-security-scan
arguments:
parameters:
- name: AQUA_HOST
value: 'https://aqua.mydomain.com'
- name: AQUA_SECRET
value: 'aqua-secret'
- name: IMAGE
value: 'image'
- name: REGISTRY
value: 'dockerhub'
```
43 changes: 43 additions & 0 deletions workflows/aqua/versions/0.0.1/rbac.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: argo-hub.aqua.0.0.1
annotations:
argo-hub/version: '0.0.1'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: argo-hub.aqua.0.0.1
annotations:
argo-hub/version: '0.0.1'
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- watch
- patch
- apiGroups:
- ""
resources:
- pods/log
verbs:
- get
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: argo-hub.aqua.0.0.1
annotations:
argo-hub/version: '0.0.1'
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argo-hub.aqua.0.0.1
subjects:
- kind: ServiceAccount
name: argo-hub.aqua.0.0.1
82 changes: 82 additions & 0 deletions workflows/aqua/versions/0.0.1/workflowTemplate.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
apiVersion: argoproj.io/v1alpha1
kind: WorkflowTemplate
metadata:
name: argo-hub.aqua.0.0.1
annotations:
argo-hub/version: '0.0.1'
argo-hub/description: 'Aqua template'
argo-hub/categories: 'utilities'
argo-hub/license: 'MIT'
argo-hub/owner_name: 'Matthew Chung'
argo-hub/owner_email: '[email protected]'
argo-hub/owner_avatar: 'https://github.com/matthewchungcodefresh.png'
argo-hub/owner_url: 'https://github.com/matthewchungcodefresh'
argo-hub/icon_url: "https://cdn.jsdelivr.net/gh/codefresh-io/argo-hub@main/workflows/aqua/assets/icon.svg"
argo-hub/icon_background: "#f4f4f4"

spec:
templates:
- name: aqua-security-scan
serviceAccountName: argo-hub.aqua.0.0.1
metadata:
annotations:
argo-hub-template/description: 'Execute an Aqua container security scan'
argo-hub-template/icon_url: "https://cdn.jsdelivr.net/gh/codefresh-io/argo-hub@main/workflows/aqua/assets/icon.svg"
argo-hub-template/icon_background: "#f4f4f4"
retryStrategy:
limit: "3"
retryPolicy: "Always"
backoff:
duration: "5s"
inputs:
parameters:
# required
- name: AQUA_HOST
- name: AQUA_SECRET
- name: IMAGE
# optional
- name: AQUA_PASSWORD
default: password
- name: AQUA_USERNAME
default: username
- name: AQUA_TOKEN
default: token
- name: REGISTRY
default: ""
- name: TAG
default: latest
script:
imagePullPolicy: Always
image: node:15.2
env:
- name: AQUA_PASSWORD
valueFrom:
secretKeyRef:
name: '{{ inputs.parameters.AQUA_SECRET }}'
key: '{{ inputs.parameters.AQUA_PASSWORD }}'
- name: AQUA_USERNAME
valueFrom:
secretKeyRef:
name: '{{ inputs.parameters.AQUA_SECRET }}'
key: '{{ inputs.parameters.AQUA_USERNAME }}'
- name: AQUA_TOKEN
valueFrom:
secretKeyRef:
name: '{{ inputs.parameters.AQUA_SECRET }}'
key: '{{ inputs.parameters.AQUA_TOKEN }}'
- name: AQUA_HOST
value: '{{ inputs.parameters.AQUA_HOST }}'
- name: IMAGE
value: '{{ inputs.parameters.IMAGE }}'
- name: TAG
value: '{{ inputs.parameters.TAG }}'
- name: REGISTRY
value: '{{ inputs.parameters.REGISTRY }}'
command: [sh]
source: |
docker login registry.aquasec.com -u $AQUA_USERNAME -p $AQUA_PASSWORD
docker pull registry.aquasec.com/scanner:6.5
docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock registry.aquasec.com/scanner:6.5 scan -H $AQUA_HOST --token $AQUA_TOKEN --registry $REGISTRY $IMAGE:$TAG