From e8e39fa5374ed2b3ad13fa1a1abf8cff79277e22 Mon Sep 17 00:00:00 2001 From: Felipe Costa Date: Sun, 10 May 2020 18:10:09 +0400 Subject: [PATCH 1/5] Github Actions Update --- README.md | 155 ++++++++++++++++++++++++++----------------- Trend-Micro-Logo.png | Bin 0 -> 14784 bytes action.yml | 64 ++++++++++++++++++ 3 files changed, 159 insertions(+), 60 deletions(-) create mode 100644 Trend-Micro-Logo.png create mode 100644 action.yml diff --git a/README.md b/README.md index ec875c3..5428e42 100644 --- a/README.md +++ b/README.md 
@@ -1,30 +1,41 @@ # Deep Security Smart Check Scan Action -For scanning your images as part of your CI pipeline using [Deep Security Smart -Check][]. + -[deep security smart check]: https://www.trendmicro.com/smartcheck +## Scan your containers with [Deep Security Smart Check](https://www.trendmicro.com/smartcheck). -This tool is used by the Deep Security Smart Check plugin for Jenkins and can -also be used as a [GitHub Action](https://github.com/features/actions). +This tool is used by the Deep Security Smart Check plugin for [Jenkins](https://plugins.jenkins.io/deepsecurity-smartcheck/) and can also be used as a [GitHub Action](https://github.com/features/actions). + +## Requirements + +* Have an [Deep Security Smart Check](https://www.trendmicro.com/smartcheck) deployed. [Sign up for free trial now](https://www.trendmicro.com/product_trials/download/index/us/168) if it's not already the case! +* A container image to scan in any [supported Docker Registry](https://deep-security.github.io/smartcheck-docs/admin_docs/admin.html#supported-registries). ## Usage -Add an Action in your `main.workflow` file to scan your image with Deep Security +Add an Action in your `.github/workflow` yml file to scan your image with Deep Security Smart Check. 
-```main.workflow -action "Scan with Deep Security Smart Check" { - needs = "Push image to GCR" - uses = "docker://deepsecurity/smartcheck-scan-action" - secrets = [ - "DSSC_SMARTCHECK_HOST", - "DSSC_SMARTCHECK_USER", - "DSSC_SMARTCHECK_PASSWORD", - "DSSC_IMAGE_PULL_AUTH" - ] - args = ["--image-name registry.example.com/my-project/my-image"] -} +```yml +- name: Deep Security Smart Check + uses: deepsecurity/Deep-Security-Smart-Check@version* + with: + # Mandatory + DSSC_IMAGE_NAME: myorg/myimage + DSSC_SMARTCHECK_HOST: myorg.com + DSSC_SMARTCHECK_USER: admin + DSSC_SMARTCHECK_PASSWORD: 12345 + DSSC_IMAGE_PULL_AUTH: {"username":"","password":""} + + # Optional + DSSC_INSECURE_SKIP_TLS_VERIFY: true + DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: true + DSSC_PREREGISTRY_SCAN: false + DSSC_PREREGISTRY_HOST: myorg.com + DSSC_PREREGISTRY_USER: admin + DSSC_PREREGISTRY_PASSWORD: 12345 + DSSC_RESULTS_FILE: /results.json + DSSC_FINDINGS_THRESHOLD: '{"malware": 100, "vulnerabilities": { "defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, "critical": 100, "high": 100 }}' ``` ### Parameters @@ -56,7 +67,13 @@ be given with `DSSC_IMAGE_NAME`. "username": "", "password": "" } + ``` + - If you're using AWS, you can use this example below: + + ```json + '{"aws":{"region":"us-east-1","accessKeyID":"'$AWS_ACCESS_KEY_ID'","secretAccessKey":"'$AWS_SECRET_ACCESS_KEY'"}}' ``` + **PS.: ALWAYS use secrets to expose your credentials!** See [creating a scan][] in the [Deep Security Smart Check API Reference][] for additional registry credentials options. 
@@ -146,47 +163,65 @@ be given with `DSSC_IMAGE_NAME`. } ``` -## Example Workflow - -```main.workflow -workflow "Push image" { - on = "push" - resolves = "Scan with Deep Security Smart Check" -} - -action "Build image" { - uses = "docker://docker:stable" - args = ["build", "-t", "registry.example.com/my-project/my-image", "."] -} - -action "Docker Login" { - uses = "actions/docker/login@master" - env = { - DOCKER_REGISTRY_URL = "registry.example.com" - } - secrets = [ - "DOCKER_USERNAME", - "DOCKER_PASSWORD" - ] -} - -action "Push image" { - needs = ["Build image", "Docker Login"] - uses = "actions/docker/cli@master" - args = "push registry.example.com/my-project/my-image" -} - -action "Scan with Deep Security Smart Check" { - needs = "Push image" - uses = "docker://deepsecurity/smartcheck-scan-action" - secrets = [ - "DSSC_SMARTCHECK_HOST", - "DSSC_SMARTCHECK_USER", - "DSSC_SMARTCHECK_PASSWORD", - "DSSC_IMAGE_PULL_AUTH" - ] - args = ["--image-name registry.example.com/my-project/my-image"] -} +## Example Workflow Using Github Actions + +```yml +name: Deep Security Smart Check + +on: + push: + branches: + - master + +jobs: + SmartCheck-Scan-Action: + runs-on: ubuntu-latest + steps: + + # AWS Example: + - name: Deep Security Smart Check Scan ECR + uses: deepsecurity/Deep-Security-Smart-Check@version* + with: + DSSC_IMAGE_NAME: myECRrepo/myimage + DSSC_SMARTCHECK_HOST: ${{ secrets.DSSC_SMARTCHECK_HOST }} + DSSC_SMARTCHECK_USER: ${{ secrets.DSSC_SMARTCHECK_USER }} + DSSC_SMARTCHECK_PASSWORD: ${{ secrets.DSSC_SMARTCHECK_PASSWORD }} + DSSC_IMAGE_PULL_AUTH: ${{ secrets.DSSC_IMAGE_PULL_AUTH }} + DSSC_FINDINGS_THRESHOLD: '{"malware": 999, "vulnerabilities": { "defcon1": 999, "critical": 999, "high": 999 }, "contents": { "defcon1": 999, "critical": 999, "high": 999 }, "checklists": { "defcon1": 999, "critical": 999, "high": 999 }}' + DSSC_INSECURE_SKIP_TLS_VERIFY: true + DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: true + + # Azure Example: + - name: Deep Security Smart Check 
Scan ACR + uses: deepsecurity/Deep-Security-Smart-Check@version* + with: + DSSC_IMAGE_NAME: myrepo.azurecr.io/myimage + DSSC_SMARTCHECK_HOST: ${{ secrets.DSSC_SMARTCHECK_HOST }} + DSSC_SMARTCHECK_USER: ${{ secrets.DSSC_SMARTCHECK_USER }} + DSSC_SMARTCHECK_PASSWORD: ${{ secrets.DSSC_SMARTCHECK_PASSWORD }} + DSSC_IMAGE_PULL_AUTH: '{"username": "${{ secrets.ACR_USER }}","password": "${{ secrets.ACR_PASSWORD }}"}' + DSSC_FINDINGS_THRESHOLD: '{"malware": 999, "vulnerabilities": { "defcon1": 999, "critical": 999, "high": 999 }, "contents": { "defcon1": 999, "critical": 999, "high": 999 }, "checklists": { "defcon1": 999, "critical": 999, "high": 999 }}' + DSSC_INSECURE_SKIP_TLS_VERIFY: true + DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: true +``` + +## Example Workflow Running a Docker Container + +```yml +name: Deep Security Smart Check Pipeline Example + +on: + push: + branches: + - master + +jobs: + SmartCheck-Scan-Action: + runs-on: ubuntu-latest + steps: + - name: Deep Security Smart Check + run: | + docker run -v /var/run/docker.sock:/var/run/docker.sock deepsecurity/smartcheck-scan-action --image-name MYREGISTRY/MYIMAGE --smartcheck-host=DSSC_URL --smartcheck-user=DSSC_USER --smartcheck-password=DSSC_PASSSWORD --insecure-skip-tls-verify --insecure-skip-registry-tls-verify --image-pull-auth='{"aws":{"region":"us-east-1","accessKeyID":"'$AWS_ACCESS_KEY_ID'","secretAccessKey":"'$AWS_SECRET_ACCESS_KEY'"}}' --findings-threshold '{"malware": 100, "vulnerabilities": { "defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, "critical": 100, "high": 100 }}' ``` ## Pre-registry scanning @@ -219,4 +254,4 @@ save yourself some time!). ## Support Official support from Trend Micro is not available. Individual contributors may -be Trend Micro employees, but are not official support. +be Trend Micro employees, but are not official support. \ No newline at end of file 
diff --git a/Trend-Micro-Logo.png b/Trend-Micro-Logo.png new file mode 100644 index 0000000000000000000000000000000000000000..1146cf6474637530c655ec4b46484c58077dc059 GIT binary patch literal 14784 zcmY*=bwC|W&o6LrcXxLVR;0K?ad!?bMT;HWwYU^_x8f9cE$&j>-Cb{=_j~U9-8-|{ zWU{{`llg0RvJ;`KD2;+hhzJ1zfg&p-q578(|0PLy*uQr)x3bi~4ANOuS`6an1o6?| zL9n^Dtc8LC1mj;B9s&ju69VuL4J2TAl_SrwB0UknrkM3^-M^uHM0 zzxvWD5Xs5O1-_YC@T*El{cHYrBuHuH;^N59#^&zs z&g#y|>hR5yjh&B=j}6Gd#=*hz7s2A}VeeuLX0dms`X49%*N=p`v*|Z$M;B`cd-8w$ z8k;z{x(HHI{uAiG?SJO!Vr}uik?fuSP3v!hZ2vrAV`l}j{nz(jQ-Oc9{7T=f&HqOJ z$G;G}z<-ecpYGo{0&M>T|9>X)KbihV`!`h~L;<${E}Iadd@r321O$(xtc0jK81l>j z$=g6O?PFqRy?wSpR$OmpUls`)-6}u>u|v`kPhB~HF~2#GeA^kL2PX~@{) z(J8=H5?i9jaJ@Qo2JbfBeMXvag?9X9-D_g`!*7C*=Yf`Iq(gRP?ai*ZgYRH0?a5+4 zzS}s(k zW~X!rgVMe3($ixS>L=H$taVl2=P50$<{1MU8Z|0Tw`xjqO4xzP_z-W32IQu5tOho$ zRaMc?${3dC&(pCnWVSXs78fT1)5m9gGv`Nw>d$Z%uv9AJ5-7K&qX5Nj^;K+cg<5B4 z&)d~Z16|RrPd-w{RV}%vMZIcDJ_UzKYWGhyi{a2eDs{~jI3r`@k51H0L2~%iIHnEj zE^73ui#0PVjW1+lf?kZy_im9L)q0eI08H_+AH@+^QzS#MS}@4c+{_k8_AcXf+*FuY zYO^%xTmzYc;`#NFX1QhyhC6ZM*^8t5Lb^`Vl74fzZ0E+E)>3IUb*Z5Trl1+*y8XIQ zs4o|tda}qsImH{EpReAPd0XH2V+@9%|G3Hed6h_9*V&Ft))M#m5AOPNtJe~y_H?-7 z_Xwx&e2Xk6wSNjX`*9|+eJG_>9iNfHq`N0@l&03oSy8^dMKG$=;k+M$_la{To#qSF z7n`pmeh8q~Vnw48_BcLR>>`V76zpc3WYR$gn0rhU(Z})Tk18!ZuEq%>t0e}& za`D;Na3fbAu;0z4mfe7S*+MrzC(PCyKaMA6&*j0UXFWU(ZltcORlsIJeNF9g8f`=1 zW!2fej-^7YibJbXH<`;lO@^rCM&6WM?VAQZz&Um51qZUp(0xtkt?|THx4Ft!#oZu7 z!V*uiky#CnbJOx`uk~%Poa{88Q2imlsMyb3e}fk&$s)-*KVx&H&C-F5isykzzp>0D z+6d=7?5W~{Vs;=aEC=nH!goA4Jcku*CtW>f!Y-dPwjiR7Cw&*6tXn)hiN?%a3idB# zzvd!na|idBj8k(!O@Y>}N93$F?Z1Szd8;KnWAvM8FXm>2cpl2DJL=PM*<^^1U9nic z@o#)MAe;4*=W-BcnS8c?yGqFJ5`1V2Y$U>SL6u@oQ`ro+>$wfaCJ>d!dSV|n4_zgm zz67ZGs{r#Xy^#aQ0#gH@VXSHeh7j&kCR0|6zH|XU7BVhO5!B&ISPZPUJ^6JoVP_~U zb<29wEh-`YE{?~%C9IL}9mURFGzZW@Q-X_yUc0ZG8{x8$l-DSLkY-sYf6weYG+-MU zIlSJZU}nkNsT(saCDL7`A13nBezSLSUFR($th2Y3_aMi?DpoKwQZdXLxiB_h>z136 zE^UWhVOGl|)4u)o`=VLL{XSajx;1v17BLPJ>~E5Ia}x|RppvQ;4JSnf@R#2U2~fh% 
z+n$W~40(kA=`Er05{NL7MYlgjIbB~T2}h;kxf~RPd9uzH-*o2o(R!zO?(o4`Q}UiA zOib|&m1$4lxiqgzpKqKR>m=_ZrDf1OZk~J|hkWgM(&)LPUCZd>e0@KwNmDi4iO@OP z$+;vz&3ptV_cYgPd3n42mr`Yn<^XoUj$&Nw2F9;tgKW5!AI01?{2fEb@pG$%T#( z;2f34EqMCvJnmqEA+stY>Df%3CE=BcH8D`_hpgMO_cU;$#?zC!&N5cQ-93Em50VN5 zmX2>Hv|J<&c$gv~BnNfh#F3XybPa@ge*z58sC;h?72YS+d{aq=wXl|7<+DsfoyEt; z0u-pWI8@oRzD6Pe*xIiz-+z!aX{vWeT+PX#0-TX2SO}ZwtubDAVG=&j{Mh)EbBKY8 zek9DM)$NQy59=%u{P9M{Hg4@DBg~HPbVZw)^+kt4C9(^deC0i;`|Kd7u{|g5D0s>s z?e8r_4@SW&R@-a0{1Lr#w>h=I%~?HFLON`YMn~SJx95}Clb2aehk#PQ&16_5U_{bh7C4uB>^1t<-&4Pi#fRAuQ4KR;ce8?4)*IVr@FU}H`i-e=)> z9PX1#pfBcii{Mz}7gR2R6g#E!?*faa#UO|#6B)ES7U z!5C=C3prM6ftetoS7(M`JD!LH0|TRo510nh^Mi)&`iw7Bg>dH<_>F)0^ke$%grdXt zoS&a#yb0S&v5B(idpc&+RZfFqlZOCbbI*LqWJOsnsi-b@wAjytL|Q88UWDyl`;o33 zUQcZNRNv!c*HT^v_3+%&m6d9mHoI~z=S@+68mESl(Rv=)GMAnvEgf6pY*;6M2hEHJ z^5Ln4W()mF&GYC#9H{%g?2?`yZ^V?rG_7Trl<(J}@VoQMl_!Tu6g;U&W9%?^Ap=AJ zLw6ddu~66bCj|#Qj)ac%YDxeCd9@RqDDOyECatc@9Mff2`d@{7rOeO!``ax=uQn?* zSyBwHD9#2_vX89&CZVRMQy8-?RCz#{9pGYK`gy|-ToGgbdUUBJQ5gg|#Gg@0w7}2D z<*8=lU+Xr8ztm1a~RqGLs%I<)3ga>YJ?lZCWoRGbE z<*4+?$Wi4E%*{{7c_cbqeG7ZpgM)+j!2-=1qCKT)MjlQ06PT5d4^YaVR+{QNi>^q8 zAmR$O4_3<5FiHQ z)gxZsqlp}l&JWSSng+ zzHf2ZtU6Ga-roQ#BQ0V5{B4~b3cD1mU5V$<@ET<3_0dmLDx!U_*^&T=Zd6hC(aRj^ zwsHY0hp{@?d^}N9?`?XYtud;pnE9%QI4NSV^4qE*;Sd!hW$;uIFznNK3pEIKq6ri+mnSG;%FdsIYKg8n**nZN1iaN- zPVpr|&ms1w`Z4~{RQ#ZsqE*>*=q;Rjz8Kylrp&2U+AIt7)`#cezfxFhIq)lTlzzc@ z)9IlPUFQYR?4=(Dg&d0w%zQIW*vkh|BhKX_nyQM0hD`G}Re!k+`EI@$^T!ya_ z@EH(kVm-aN%4g!c^IH!eFI(_)6`|uq_boi&PypP#)bWV2xtQZf((mK4#Ku1EZ}-Os zg!+3g>w@6iF!l7*7KSLuSQr7?8h$oRJT=1n@gaB~twcd?z}8?) zkagP%BI<$tTx0lm?>!)X%}i|f;e<$(K=$r7`;GU<^2Pib#~KI1RQL1sZYj^v%47joy#7RZmwo+BQ#!q>Q=S z+U~-q7_;z|a-(z|4#h$Kof2c$EOp@2Oah_=M7*1u=sRDAgraV(iKOivZ#ZS#W8uO= zAU*}fEf*z8aM{75R+N?Yg4PZ3k38S-FY<}e-YrWoB569RCZb>D;I;Gfe*5E(Pbww4 zXqpfpJS@YGF5HqkA_hWw1Za~JC{7|klihSCsV0f;o@xL2#OC*CELp59_5*l^YUQ@V!S83T>BXy} z9NHg(#&7hee(uW9`}Yudc+v=(iiSdai#%7p=Jdp*)5d)_#=B~arO?rfm7*ua(nE)b zHuR~m{#L|CbI1pJhqoze{lP4U@6S4M)J(@28Cqc? 
z0>+CX0gG3gO)2XWt*8N;TzXBeA?133_qa+~U;t|Q52OQzar;ndATk; z?U9&3T^T!0N}h;Esde@|Rh{#}9wCd2j_A)Cl%n6eF_C~GXuyz6toB-X&~3`06bV>` z=^|nPb$;kD#+bM}xcRM^OyldKk--N&F`-t>+0<~TwX3V^ZmTeL;N1l~8m~0YmLf4< ztCQE2b82SiR*9^ug7OBYk*PR}v`ke~ZR6EIKVIMYMOAs}V~~mbA4q`5Bi<9lOx3wz zokZfwim^_+wEa~-%QqKpE*{}z{^`H9%ulI(1pW;SA;abdoyZzr;0mJ1JvoUH z37`xrx7wAm@~i$h>XU_1JBA%EZNWspjQOU)2(u`*5 zp?9Z7Mn>Ac>NE7i?;^z#FF(9AFfb~j@T|6H%q=kw$!xFrAp zpestx9pp%=Nkr-s50oT07faOR(L|?nRgUDX0LeVM%ft)C%5n^j4%e+lJM~?i_QbBF zJLA~y9Eh$E2l9&`IGdy*?ThL?!*zQ?1g*m}KCZlOoNuVLKh1eWqslQMwIV1f zKZ;?3G?-1@X+WQ%KPECN+tm0C#Vp5zw7(C3q4w6!2bfM()U%yKNRMp~zV!mfG7$t* zJ>|9ZY|ev!+~2!#IZy!@Z;_IkqZC9h7qR5W~-r-^u zuUGOpYv|Z-Z2q7kK<8?%FsQ5|k`&%f)i!i@$n|o6IRdve-PbnERRZ)rpbru4T9u~| z_JxkqFLl>U-kl)P-|R|Jy*1_gy~aN+azX{4$0B(X<8IqS)663=vccH!b|*qg?{0mD zug}Hh&Z*o`*@)zlFF_=Mo%7o*6o3%7#RukuY}w6j%8ft60O-?~&f2r}^ zFKd4eg6@CG=srrp#sJ^gjz!?sGH+T-=wSyfwYjs6!qvJH!p86fhnTdBP$HRp46dry z+H5F`%Puoj%S^v)#GW4F!{z%>4=hg(bO-fQP$NH@>--_2zPSEQ zh|JV=VKCXl{`pIN4cx%dnL&)pN1cQX!?DgX26X-=@v89D^0ZIPje@rCgk)psGws6n zJLaHodJ07YJ|)I;uv`2St*r~s(NPlk(^vLfA10wY7TICkfo%kwno2OBwP;@4v;uDE z9c67POdMlsm~jSMEBn^E^7d^#@}B~8Np}$e9^Y))9s1vB>^)HnOp~*rx$EJSSms&m z+6s1=v^I@TX;{9i1qw5Rp|i0$m)?B*EKOZAes8B1T|-NNw{4s)nEcAhM^jFQXG z{s``aW;LWoI=h4_TIHz%W}V1-UyT2 zJz>b!o|S~hMeT`DGfa0xMFr{ox`}Kc^I#X&XGN7quL?$HK3JqvG^h~Lbnm!Wi5s1! 
zeR~PTs`tqc-4Ll%;hONQ>fnYR%Oqth^U%}jMtaNgX!;W%u7t@{T)saAlxI}H_Pzw& zmKx}DcO64pi1N#I0Wf<>)uTwW3&;p4e=eFW&dou0P|NyM<3pncN}IG`@of{VHk7h| zt&;LPM`PlAEcc@kgqZ{*iwk~Ub`!tfy6T76rJRB{jVrzfgdd<&{sza_gWC*`q z$kE|R?2q()WB|(8paR+^CMj@dt^sP^ee{8#i0r1|-Ds8JIltiWIA4^aSXf)9@_g@` zMukEKs%pq=FJu}tt~cv9WA>@-Kyp9*ye2R$L0MGrz?H%flm+h0`bA5IacKlbb%VUPT+7*uZMDM$}cGs=^$LZ zE<``l*|Lfm6gYqd4g}@m9B)JF(_bkLmEXTmeC2QNl+*b%nrQ`3VTvydbf@?sFN0@W z%m_z4^`#Hmkdr#u?zm0w3;Xui?lmh>!MdtKuco%W#5H@I>%>seV|`A1{$5F|S6`ZD zV>}gvBtJaHqV}Ti^2^x?4)aU2mUb?pt}MYm3qCKV=e!?}xmJ{vqC<{qmPMB94r~>b6K1OQzqA>1Y%0rY^m$~O=>p9gMOjqfBn87D{AK&ACF%GPDK`Pv(8Sm9G zI3*zk%bDctY9t}3PfS3Giz&(`RSaSBsFmKrj%1%B z;YfsFZ*}eJ(3H*G49V#c%R7+7fR{NvLjm5plJe5#J)E?QD^C!nxqiGUzwEan%kN8G zo=6|z`kc5T5VxskX0?rwgDb)nPv6#x!M;HqhT*3(_)%iV#S}BXa#!<7s%3K_Oi5CN^Z5200>ZFpU{^)#$ zwH_>^*1g+0&)=$PSG(4Z3lpSuH6e9wAA9eo!{o_m6BK46r=m0h623g1f7>q+)nK3BW}L&$?7tF zq-lnM#s9!=xi><*dB>QDJ%&P}Mh7ELUMY!2`YxW`yNMT=2lk6SMXThP+8iCQ5{?iP z+X?1Vc4I(Z45Pmu>FAj3=5~ai=yvED>y3uMHE9)Kc+e5{JUjZ0Ag8*WDKfl0otaEP z034~WkB=klmT%}z-NRN&$h`0e8Icjzy)+uW$Z1czxXwpt9*FFU&tup2&Ie041o0_* z!0%YyQpm(80^wY>NcuxD6n}_Dz6u(ee(2E`#PdQE(Oj3YbhVScl`xx9Cyt3((eov> ze$^mDVTUs+9v>5r!@SUUMM3Uyt2uj}c30f`QlI(Klf=sqTu#yy?k~$cWY5gV;DI}d zd4De9ZP~^H-4~)r=MUg*Jf}o$IJ(aoD5t=)o-S2IG3ih-48{mW#K4Lt6<186K z?L!9S);{k47A_E)6p1XPfmy8;t*kk~3!Qe$^p-h-Wvlo|U6{X~>uTiQ!$I>038Qt= z_5@ndlFUi`v4khny$gg{<$mDYJOXs1bX1OrEIAjM+E~8DCCv7fB;@)E87lNVss8Tm zZ$Vh&yp)BsbnZB9d;OLilbT*@pVj(s2fo{UyV~*mWS`B7l9yw&H=UP63MuRIUo zCr1!0udN@9g}*4X2`Kr!TJ7y2A?PDz-F1U!ga7Gz>tPXclu)59BEXvzo*p^`bLS&v z{Y4^*Cho=VPczg!binjFguADLo?#=X2aZTrH~S_$9-3EoQ;ed|n^|i8jD~WH^HPBl z3q(C9LaiFUQ2>O0CB5L2Q>!aNWO zsn-$wn#nUEl^uxA&sW4Ycko}E`J(R3hS0j=T#T-VfQRr1ELHD_9#7SBCj$#MT$VP64oR?T!7O5lf_I~w`88qRt3>Yn z?3Ze#GS`S+uZ*jK0v?S(s4NQTedCbTlfyJVH|skVmc|;yj;QHNGi|DAki0-1|K<~6 zyWd12WrTzfF(sm^Ms@_`-OLu7v_OF-Y$00{JXHL(S5!L{ZIjIQF~7Jr={oKxQLUcJ zLk{R<$vv0x*%`w>`j-#5v+&qoPc~VEYvEIKh2|`7_atHvjK>d1LJZZ-Fza;jM{kVF zR8vIvxY5i>yLREx@EIm@7h~KH{@$bM;I7}*WKhuKS^>6iuVPrI@ 
zlPF8Sj4}mZE>D8_gGL;Cy+OQD2*Tn}m+h5HP3~s)yv!b#HVOm8E*{n&Qv@bIG+N5% zf%~AR-vATY)Am3xHW+}dnvZ!uOm(>1ufO5pnA%(XbhMe-R_i_|eJk>YIpf#Uq+8 zNuo2VAd26lV7^w+^3t`$ga(X;xlC>`?LUHVp(R$UYv{_~SwYpG`*Q3T+Z5Q26 z54$ZkTjE4{A(1MgZd=4spSI8{m`r-K`i{jYC5TbOf1J0ShnNh7@KpXlQ#ue!o#|T1 zbEejPX-!)F@K4HyBNGY+pJ{7dSP!xJ(E!i{>G$c&lYbvl_J`-Lw_@0u=%@N|AZP1n zK)IdbMpZu;6S>T>dvL`T9Ngc}W9fsD4b~=wt)$5&xuL3eQZXlJrtpW5wQFK1b2-B% zX|RoE>v3tv9sLWv?KfXZBXle z>h7R6XCvWnzgq6AJ*bR1Q~%xN>I`y1a8=z4+@wlQPPW|Ez{TawT>&}&G&Sx)ICEE+ zY}e?aQtVM2G}4&N`3NMNtT0c%C4~@;hA$^Bl~qu*MYr3(cb`C$g0+Hn97Av!f~tK; zPtRzV7@qawc=wspxQkCRQ&Z)DJ~ z@UN|Zi=hiId?xGGwjT66I1pZ1lt1RuU76l4X=OQ{lL8j0o)oQVIy? zeqLdyF>T@j{jnbpj3nFiB`GBnv^+imha-fNNZ$w;BME!|FhRxCXUvB?V6Qm+_+#VV zu4$NEFdZt#Un|TUw!oGRg~sE?F?1S6rZ`TVS&&a+P~Aa$2130lHFX+e*jKgHv)Kn_ z@xmIXm+)u`f3y>p)fPxbt74S`F>=GYe>a!sxaY890J{k9!uBkMqr>$3n3!r;Yv*#o zp8Gd`^mJwCzU_W{Uh6yjnpxgU@2-^%R4bXvgW7kCsrC&vA zMkB#qv1p8y2J)ClKb$8&n=0kgG1~zkcnry&Avl_)dWefSC4tMo+_*<6{9Y52{5`Nv zdb~DF=If0M8i<`64)?-ZqD0+O*b51<2bPczE7n^0&`1n_9p%r9oJN|lpZvJ{IADv2 z5O&*#Je&%OlxgZi>-!^CtWjdd-}-d)yg!(+3G{%$>_Jeu=w>BoF8xfDDs#K~n(`oi zG=JkP?_JWjRRaGy3ICYT%NC+_XnR~sCU4fb5a9+dz}4>Y#iSKsqvBkY0K{A6oxOBX z8AfgOfr)wL+RF+(O6bSEJ8Jaiutn+Qp<}ht?p32x37d^8Rw<;ob&|I_Q%{X1IFD@5MzQF2mYIZU%!Qxuyp`c_x#hUzpp_Vr z*@tkg`G`9W_51h>wPlHW7E9L z_GIaN8Mg?H5h_NGdOdFBYCyW^oa5`y&(CYA+ML+{hS3c9G}FC3U$B4d7uIzpYUQka zMoHL|zni0!&fUoUb*5{#21uMU8ZAphg8+EOtlQlEFH+U4cE_5mq6I8V2LH&3%c|;eS6GjgY(qvGt-7S@{;}m6*evQA%wH zQFUt;e@Y|4nlG^VGB~row_l%Kr-_P+q(ug>KbQbYlwPIeNAQD&^CY~ z2l+9Po$m@3Uzxa`ePPMWEWkbD2tP(X4b?+Ln|=uhC*93L$a|0x|1uj*JWzVGEtA&b znC6T8)ri=Myt9$}jzuBop~jziXMX0(k)e8;w*HGyodG;@JN(*Hy(|NVANiFYFYmLs zGSkl<=9r4!ki+kWw()C`=0iqc%Vo@O#djJ<9{MUjjNeh$*x@joz9wjC2we=w-0{*5 z#e$u%TIg4&*ry|OH=sHvVJ$|pDz(wWI8K9{cXi{INPt(NkePOx^1Ek%t^ATfNJuSM zzeVHf>oLiQPtUW`Kw+0w>mRs;JMo?HD#e`z|yQ*+pS+_)j0TKt~e3+xwjI z*<}PtSybKpIRFEh4TgHbgqC4437wxvnZ^pmQgEasUt$gy4?bbVZ_2&o~yT{=h1B8~sinI$x1!Tq{6uf_*GvQE9YwM-8A& zz#scvFkR{ZJD%kDhS)4`sB+~hv-iiPdep-Zd!_ddRUWuU-JHujARBJf_ZIv+jh)vD 
zc{iQTG*6K)$g?D}*%e~`Tdw#cG=3MMb3lf;a!7C5I6$^Sb38MBSvw!T589iWNlwe4 zSE@x4Tp3KZKv#~Zt{((>EDhGQ8%pkRz^j%O_38LQWjS8_>)3_!5}OAtNC(@Urbzw@ zgk5^SJr3W@po;cAzkd@^DDczQ(Db4Hbsf6RG6Lzf4C2)giuoqC^z?XT#r&+og!=}CdTsCG zw4)!ZrihBtHpYGqp#X-b78)>)!|kGRt|4*+-wSGM`E`-Z#`L^-ga@Gs7iWaNi$9k6 zKzmfieZHVXPTpv{7J8>j2$h=fsJ{@Y&aMiz=)|WpOHOHHI3yUA<(KcL-gg4b=B6~x zm<(*;Hr;S&y*Dn(9u44qQPe1c$}5DGG8cYi#6|P@13CYdOeoHjRR|Xf12Z1$+g{#D z3F(WR=dk#sD=ZWm@%{73%i?eX#Kb{im!d93u(~lD&4C0tupII1FgIk0(U;?VV*rf< z_3vxWC#&;;PcgkU`w^mSH_)u5pVdXDB)tzNq5Z)+z+3O{RQ&MRL}|MMnQo8i4>nlp z1;6TC3J9!z4|$z)KCzAA@PY>;X1;vhhZ#eL4www58~+)Ue&cNd3uG7;?ZR^sWk$b- z2s=|&SyNJ=rj>Uh>jjg-ifgcz3IH~h)VQdwM_c#znJ^O^N=r+@1SbZ{^$mP+NsBvc zWb7BJLE2)i7{4N)x#asra-VzYvcb3+%0|Bl z!$O6tk?0RP(xm|Q!xQwjYxl@yiENmy zPAL+h;Ji?>QdtR(B z7wQ$Tj&6b)^xHW^Ht&rEk^C5Hjng9#-5APo!NcK?&sEM8*8kgQmoW+)L9} z%!awb8V7Bw-4ec2Q{q+(om14#_Ag}(nKkNW233bcTZm$VJafrM8nOrzM7(uaoFrcT zHtWSe+ulBp!C1fiRh?_p1F>QvsYF8WQH>Xa5@zR{S)W2Xy!0@e0wIFXL*&QgQ_ko= zvEIMjEQ@ETG;~TK^(z~-*k=r59!Aq(Z(?`0ddVNT26fRzu?V1(X#(Dq;O@DF#4$6% zvI9n9UGl5Ui!8=cjl=kO?N|Dxv*d%A{1TBack{{-68K>-cjQvlk$}Z259JW!-ZMUM zt&vCNAU{+d!@Mh(bkJzI+?v0$$FCp?Xkq)LZ~GHj-!J;kA@;8f6ZsW{}>cZJE!5?%5@K&4`HnXMWGCwkiYV0hGeoMAGS z&BmX}kcEp+dU&oFI>vlCmcA)8zRXu&v;ERN9b5$W9cBW1xd4~1#=@@O6hPao@%{HG z)7FU#B{lq8jggcbu~%75f>Q|RSHtHrrz8Z_m4)slVpCPmgOwzDA0HolBxjaK#`sMR z)OF%uugN@T!coWGZH^x!LI*gC!T1Nr^hEa$L@R_%6p@7qKMOS;gBw}!JkT?RbkWwl z9xkTJBHh?fFn)TL2lZohJ|(15Yza+}M|s)q$=xyD&!kuDFin1-H;rwBjOMaCG8vT< z{6&yrd~$XL@AZy+-0Lss|Yw+I9_%n=>>Ee$c7O`we= zdpUP}r1Fw&9u|N0dk%j!xz2_0UX^yl%x^0Z-=ftRmx>MAQ9wm?k2Hs=&a8iD>-Y+a zxfA{XdKO=;mwK87P`KeYwIc+UZc}4-_(6R(sz1YHzwD;mz25^*p)PpM{UQrPmg;We zJ<|97{>9|#8CXmnrUY?>Sa@P=`=<&N>@KPT^gucwT7GQQb329d9hE3@ndiN5TmAm| z*b0?4A6b{RP;4du=Uq|$7Bc45$r{(0VvKfB_!n=4=%XDnI^7!8pG+@bH}>lfxYQs< zNTxi-z^|&xFyG9Ef2&4`SrD)}?t+x%H#xtE5gT7S{#tujrCa0K2;ZVMA{pGY4V$Hy z=PuX4LW(B<8o3><_>ro7oI6a<4(_H=8Dd;QcAgg!utA39K%cU0DG%xIH<#I)-;^e28e=F5piS5WiY^XpAjkx3d9cxA;Ja>U!nt{e7z_#qQL8jX=K&6wcyUUBUmYz2@# zHmXWXhs&*OBIjGeOn2hk>X<6xzW2wv& 
za?^_)3@gRUidjk$;PVKOPDWt%P3{a`sSjp7Y_LVw*xvf{fdyhUL*7nrv1y&}f`%8RV7m%X3S{aOfa3PZ;O`YF!lC=-10l&%-X_wbfYkm@$E#)TAAa z)|w?z+SPSyTHk0i{6xhASSAjbaN6QjQ{Ow4)WVGz?v%+qP8>kIM_i^3Ew)JEl_)`2 z;X1_rCfzj9Ah8X8N-cKAUO&Jc6G6S7Ze9S^Xf$xFGpz;)M*wen+Up^QFbgcuy)rd?e;ezMiG%tx|7ZVqjTu4 z*S%)mhaHMKpRJa?Mrds8`t)Cg+$pnLl7F-K9kQK86~h!%kPbhka-4`Y28!{~ehaOO zZAbD_u_8Nljx?miN3OF>O0w;C
    _QFdsp7EV#{@ireEdbZHHLBg(alypsk#q5efZkDjlTL4~)mt{6Pf=+du@)pxC`aX2IQoZSo`t zcz=>iK;|BpYV&jIKE9c+WB(U<#Hj1OtU~m3O*$M<@z_BjE;NrRraveV&s0xs_5}UK zXe$mjwSG&-kxr4w8|DEmw-YBg_PSGhaYdKxTaol&P^5Xv6fr+mqO-b=R-!eryfpjh zwYGDp9^q&n;BOqEBgLR@uXb7+9KFYmOxDtz_pHLFY4)ZMVBV2MK#mNtDg(K{# z2L1W2b#Sn2a{+!hOFN2Bw5uSr8HoW3~G`M*IvG^kbaq0Vaa61-#XK)4=ivHBs1s{LEP*&vXws$0T1uj1?YyNF9p@T=_=IMzY@MyXKZDHdqJ8yI-0r7+F8pL z;y&G=DqMIw@AgDh%D`$~l!f^bkuyC^k4wmbI%Z`ai^$Gq%=utK$w@ufaxyH94SjfV zKkkTbZ-Rcl_nB%UBmQ>RKh+`w^de{IM2b`5Pqe;6F~*nD0-t7wSVngyV{dXWxVM1G zHR?2CtXnnq5mZc0gLQ)%l5rO8K+PH92f=> z0cC=k3-DDhg{6zm&u@|jAlQLCww|1u12BJe1>B*r6Ht~ zS{h$e%-fAzP)Qw-mfCKDdsB=B|5G5}+8Jw2=7+^*Fz>)!I_!fVF@Qkr*hZT}6P(ys zr4i-_Mc4L<>8ns=pv^87-i;Z6AaF{0`+C19F^sM@iH&%tzu}Ld#pHifga?SNBH|&P z)^rCL&FD6Q5BumD-)?iPk<9`Fq6mV!DXJTQF3&h|2pM=RjEde|~D*Jg|Nvo{Kkk?Ce`%pD)5?J;8^NkwYlF-hkB zxW1J$1_TNE0gU{m17CjQIf0l-R!#M*$OO;K&r6ryj~Dz@?4X*b3UV6zICL<1B{NCJ z@A9w6f1aRl$ytZ7>_pLNko|QY`-C5d$|Pmz^|4uY>=oILkqx63^ zX-Nni6@xx{`BF=(A(Gkp1wD?00v9+u5gXq*FF4Yak1Y@3jGZn<`0$!60q)R zaa@-c4AE(|nLST-)q`3>@q(no*c3n*{e3XCnKuS~Ht5-c5TF(n@By1cd%MyV^REBT PF-BQQMTwtcpuqnFNDZd1 literal 0 HcmV?d00001 diff --git a/action.yml b/action.yml new file mode 100644 index 0000000..bdee9b4 --- /dev/null +++ b/action.yml 
@@ -0,0 +1,64 @@
+name: "Deep Security Smart Check"
+description: "Scan container images with Deep Security Smart Check."
+inputs:
+  DSSC_IMAGE_NAME:
+    description: "Container repository, eg myorg/myimage."
+    required: true
+  DSSC_SMARTCHECK_HOST:
+    description: "Deep Security Smart Check url, eg mydomain.com."
+    required: true
+  DSSC_SMARTCHECK_USER:
+    description: "Deep Security Smart Check username, eg admin."
+    required: true
+  DSSC_SMARTCHECK_PASSWORD:
+    description: (MANDATORY) Deep Security Smart Check password, eg 12345.
+    required: true
+  DSSC_IMAGE_PULL_AUTH:
+    description: (MANDATORY) Container registry credentials in a json format, eg '{"username":"","password":""}' or {"aws":{"region":"us-east-1","accessKeyID":"'AWS_ACCESS_KEY_ID'","secretAccessKey":"'AWS_SECRET_ACCESS_KEY'"}}'
+    required: true
+  DSSC_INSECURE_SKIP_TLS_VERIFY:
+    description: (OPTIONAL) If the client should ignore certificate errors when connecting to Deep Security Smart Check. You may want to set this if you've configured a self signed cert. eg true
+    required: false
+    default: "true"
+  DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY:
+    description: (OPTIONAL) If Deep Security Smart Check should ignore certificate errors from the image registry. eg true
+    required: false
+    default: "true"
+  DSSC_PREREGISTRY_SCAN:
+    description: (OPTIONAL) Specify this option to trigger a "pre-registry scan", which pushes the image to a temporary registry on the scan system.
+    required: false
+  DSSC_PREREGISTRY_HOST:
+    description: (OPTIONAL) The hostname of the temporary registry. Defaults to the smartcheck-host on port 5000.
+    required: false
+  DSSC_PREREGISTRY_USER:
+    description: (OPTIONAL) The username to authenticate with the temporary registry.
+    required: false
+  DSSC_PREREGISTRY_PASSWORD:
+    description: (OPTIONAL) The password to authenticate with the temporary registry.
+    required: false
+  DSSC_RESULTS_FILE:
+    description: (OPTIONAL) The path to write the scan results to. If not provided, the scan results will be written to stdout.
+    required: false
+  DSSC_FINDINGS_THRESHOLD:
+    description: (OPTIONAL) A JSON object that can be used to fail this step if an image contains findings that exceed the threshold.
+    required: false
+branding:
+  icon: "check"
+  color: "red"
+runs:
+  using: "docker"
+  image: "docker://deepsecurity/smartcheck-scan-action:latest"
+  env:
+    DSSC_IMAGE_NAME: ${{ inputs.DSSC_IMAGE_NAME }}
+    DSSC_SMARTCHECK_HOST: ${{ inputs.DSSC_SMARTCHECK_HOST }}
+    DSSC_SMARTCHECK_USER: ${{ inputs.DSSC_SMARTCHECK_USER }}
+    DSSC_SMARTCHECK_PASSWORD: ${{ inputs.DSSC_SMARTCHECK_PASSWORD }}
+    DSSC_IMAGE_PULL_AUTH: ${{ inputs.DSSC_IMAGE_PULL_AUTH }}
+    DSSC_INSECURE_SKIP_TLS_VERIFY: ${{ inputs.DSSC_INSECURE_SKIP_TLS_VERIFY }}
+    DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: ${{ inputs.DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY }}
+    DSSC_PREREGISTRY_SCAN: ${{ inputs.DSSC_PREREGISTRY_SCAN }}
+    DSSC_PREREGISTRY_HOST: ${{ inputs.DSSC_PREREGISTRY_HOST }}
+    DSSC_PREREGISTRY_USER: ${{ inputs.DSSC_PREREGISTRY_USER }}
+    DSSC_PREREGISTRY_PASSWORD: ${{ inputs.DSSC_PREREGISTRY_PASSWORD }}
+    DSSC_RESULTS_FILE: ${{ inputs.DSSC_RESULTS_FILE }}
+    DSSC_FINDINGS_THRESHOLD: ${{ inputs.DSSC_FINDINGS_THRESHOLD }}
From ebf26551f06725af7e2c0d191f07b3e2448a1fb3 Mon Sep 17 00:00:00 2001
From: gregt
Date: Fri, 11 Sep 2020 10:05:22 -0400
Subject: [PATCH 2/5] add GCP example, format input descriptions consistently in action.yml
---
 README.md | 28 +++++++++++++++++++++-------
 action.yml | 6 +++---
 2 files changed, 24 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index 5428e42..61b2c85 100644
--- a/README.md
+++ b/README.md
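Review bot: Both `DSSC_INSECURE_SKIP_TLS_VERIFY` and `DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY` are declared with `default: "true"`, so a workflow that simply omits them has certificate verification disabled toward the Smart Check host and toward the image registry, even though their descriptions present the flags as something you opt into for a self-signed setup; the defaults should be the secure one, `default: "false"` on both inputs, so only callers who set them explicitly lose verification. Separately, `runs.image` is `docker://deepsecurity/smartcheck-scan-action:latest`, a mutable tag, which means every run of this action executes whatever the publisher last pushed and the scanning step itself cannot be reproduced or reviewed against a known build; pinning a versioned tag or an `@sha256:` digest, with a comment noting the upgrade path, would fix that. Minor: the `DSSC_IMAGE_PULL_AUTH` description's second example (`or {"aws":…}}'`) has an unbalanced trailing quote, which looks like a typo rather than intended syntax.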
@@ -4,7 +4,7 @@ ## Scan your containers with [Deep Security Smart Check](https://www.trendmicro.com/smartcheck). -This tool is used by the Deep Security Smart Check plugin for [Jenkins](https://plugins.jenkins.io/deepsecurity-smartcheck/) and can also be used as a [GitHub Action](https://github.com/features/actions). +This project was built by the [Deep Security Smart Check](trendmicro.com/smartcheck) team to help you to scan your containers in your CI/CD pipeline, you can use as a standalone Docker container published in the [Dockerhub](https://hub.docker.com/r/deepsecurity/smartcheck-scan-action) to scan your images. This tool is also used by the [Deep Security Smart Check plugin for Jenkins](https://plugins.jenkins.io/deepsecurity-smartcheck/) and the GitHub Action, that wraps the container published in Dockerhub. ## Requirements @@ -21,8 +21,8 @@ Smart Check. uses: deepsecurity/Deep-Security-Smart-Check@version* with: # Mandatory - DSSC_IMAGE_NAME: myorg/myimage - DSSC_SMARTCHECK_HOST: myorg.com + DSSC_IMAGE_NAME: registryhost/myimage + DSSC_SMARTCHECK_HOST: smartcheck.example.com DSSC_SMARTCHECK_USER: admin DSSC_SMARTCHECK_PASSWORD: 12345 DSSC_IMAGE_PULL_AUTH: {"username":"","password":""} @@ -31,7 +31,7 @@ Smart Check. DSSC_INSECURE_SKIP_TLS_VERIFY: true DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: true DSSC_PREREGISTRY_SCAN: false - DSSC_PREREGISTRY_HOST: myorg.com + DSSC_PREREGISTRY_HOST: pre-registryhost.com DSSC_PREREGISTRY_USER: admin DSSC_PREREGISTRY_PASSWORD: 12345 DSSC_RESULTS_FILE: /results.json @@ -71,7 +71,7 @@ be given with `DSSC_IMAGE_NAME`. - If you're using AWS, you can use this example below: ```json - '{"aws":{"region":"us-east-1","accessKeyID":"'$AWS_ACCESS_KEY_ID'","secretAccessKey":"'$AWS_SECRET_ACCESS_KEY'"}}' + '{"aws":{"region":"us-east-1","accessKeyID":"$AWS_ACCESS_KEY_ID","secretAccessKey":"$AWS_SECRET_ACCESS_KEY"}}' ``` **PS.: ALWAYS use secrets to expose your credentials!** 
@@ -186,7 +186,7 @@ jobs: DSSC_SMARTCHECK_HOST: ${{ secrets.DSSC_SMARTCHECK_HOST }} DSSC_SMARTCHECK_USER: ${{ secrets.DSSC_SMARTCHECK_USER }} DSSC_SMARTCHECK_PASSWORD: ${{ secrets.DSSC_SMARTCHECK_PASSWORD }} - DSSC_IMAGE_PULL_AUTH: ${{ secrets.DSSC_IMAGE_PULL_AUTH }} + DSSC_IMAGE_PULL_AUTH: '{"aws":{"region":"us-east-1","accessKeyID":"$AWS_ACCESS_KEY_ID","secretAccessKey":"$AWS_SECRET_ACCESS_KEY"}}' DSSC_FINDINGS_THRESHOLD: '{"malware": 999, "vulnerabilities": { "defcon1": 999, "critical": 999, "high": 999 }, "contents": { "defcon1": 999, "critical": 999, "high": 999 }, "checklists": { "defcon1": 999, "critical": 999, "high": 999 }}' DSSC_INSECURE_SKIP_TLS_VERIFY: true DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: true 
@@ -203,8 +203,22 @@ jobs: DSSC_FINDINGS_THRESHOLD: '{"malware": 999, "vulnerabilities": { "defcon1": 999, "critical": 999, "high": 999 }, "contents": { "defcon1": 999, "critical": 999, "high": 999 }, "checklists": { "defcon1": 999, "critical": 999, "high": 999 }}' DSSC_INSECURE_SKIP_TLS_VERIFY: true DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: true + + - name: Cloud One Container Security Scan GCR + uses: felipecosta09/Deep-Security-Smart-Check-Scan-Action@version* + with: + DSSC_IMAGE_NAME: region.gcr.io/projectname/myimage + DSSC_SMARTCHECK_HOST: ${{ secrets.DSSC_SMARTCHECK_HOST }} + DSSC_SMARTCHECK_USER: ${{ secrets.DSSC_SMARTCHECK_USER }} + DSSC_SMARTCHECK_PASSWORD: ${{ secrets.DSSC_SMARTCHECK_PASSWORD }} + DSSC_IMAGE_PULL_AUTH: '{"username": "oauth2accesstoken", "password": "${{ secrets.GCP_TOKEN }}"}' + DSSC_FINDINGS_THRESHOLD: '{"malware": 999, "vulnerabilities": { "defcon1": 999, "critical": 999, "high": 999 }, "contents": { "defcon1": 999, "critical": 999, "high": 999 }, "checklists": { "defcon1": 999, "critical": 999, "high": 999 }}' + DSSC_INSECURE_SKIP_TLS_VERIFY: true + DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: true ``` +**PS.: For GCP users, you'll need to setup your authentication using an Access token and assigning the right permissions, more details here: https://cloud.google.com/container-registry/docs/advanced-authentication#token** + ## Example Workflow Running a Docker Container ```yml 
@@ -221,7 +235,7 @@ jobs: steps: - name: Deep Security Smart Check run: | - docker run -v /var/run/docker.sock:/var/run/docker.sock deepsecurity/smartcheck-scan-action --image-name MYREGISTRY/MYIMAGE --smartcheck-host=DSSC_URL --smartcheck-user=DSSC_USER --smartcheck-password=DSSC_PASSSWORD --insecure-skip-tls-verify --insecure-skip-registry-tls-verify --image-pull-auth='{"aws":{"region":"us-east-1","accessKeyID":"'$AWS_ACCESS_KEY_ID'","secretAccessKey":"'$AWS_SECRET_ACCESS_KEY'"}}' --findings-threshold '{"malware": 100, "vulnerabilities": { "defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, "critical": 100, "high": 100 }}' + docker run deepsecurity/smartcheck-scan-action --image-name registryhost/myimage --smartcheck-host=smartcheck.example.com --smartcheck-user=admin --smartcheck-password=12345 --image-pull-auth='{"username":"","password":""}' ``` ## Pre-registry scanning diff --git a/action.yml b/action.yml index bdee9b4..e45906f 100644 --- a/action.yml +++ b/action.yml @@ -2,13 +2,13 @@ name: "Deep Security Smart Check" description: "Scan container images with Deep Security Smart Check." inputs: DSSC_IMAGE_NAME: - description: "Container repository, eg myorg/myimage." + description: "(MANDATORY) Container repository, eg registryhost/myimage." required: true DSSC_SMARTCHECK_HOST: - description: "Deep Security Smart Check url, eg mydomain.com." + description: "(MANDATORY) Deep Security Smart Check url, eg smartcheck.example.com" required: true DSSC_SMARTCHECK_USER: - description: "Deep Security Smart Check username, eg admin." + description: "(MANDATORY) Deep Security Smart Check username, eg admin." required: true DSSC_SMARTCHECK_PASSWORD: description: (MANDATORY) Deep Security Smart Check password, eg 12345. From caf9f3998ed31dc1187e95b18c50fd31ec070c4d Mon Sep 17 00:00:00 2001 
From: gregt Date: Fri, 11 Sep 2020 10:13:29 -0400 Subject: [PATCH 3/5] adjust findings threshold Co-authored-by: felipecosta09 --- README.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 61b2c85..136f9dc 100644 --- a/README.md +++ b/README.md @@ -187,7 +187,7 @@ jobs: DSSC_SMARTCHECK_USER: ${{ secrets.DSSC_SMARTCHECK_USER }} DSSC_SMARTCHECK_PASSWORD: ${{ secrets.DSSC_SMARTCHECK_PASSWORD }} DSSC_IMAGE_PULL_AUTH: '{"aws":{"region":"us-east-1","accessKeyID":"$AWS_ACCESS_KEY_ID","secretAccessKey":"$AWS_SECRET_ACCESS_KEY"}}' - DSSC_FINDINGS_THRESHOLD: '{"malware": 999, "vulnerabilities": { "defcon1": 999, "critical": 999, "high": 999 }, "contents": { "defcon1": 999, "critical": 999, "high": 999 }, "checklists": { "defcon1": 999, "critical": 999, "high": 999 }}' + DSSC_FINDINGS_THRESHOLD: '{"malware": 100, "vulnerabilities": { "defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, "critical": 100, "high": 100 }}' DSSC_INSECURE_SKIP_TLS_VERIFY: true DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: true 
@@ -200,8 +200,7 @@ jobs: DSSC_SMARTCHECK_USER: ${{ secrets.DSSC_SMARTCHECK_USER }} DSSC_SMARTCHECK_PASSWORD: ${{ secrets.DSSC_SMARTCHECK_PASSWORD }} DSSC_IMAGE_PULL_AUTH: '{"username": "${{ secrets.ACR_USER }}","password": "${{ secrets.ACR_PASSWORD }}"}' - DSSC_FINDINGS_THRESHOLD: '{"malware": 999, "vulnerabilities": { "defcon1": 999, "critical": 999, "high": 999 }, "contents": { "defcon1": 999, "critical": 999, "high": 999 }, "checklists": { "defcon1": 999, "critical": 999, "high": 999 }}' - DSSC_INSECURE_SKIP_TLS_VERIFY: true + DSSC_FINDINGS_THRESHOLD: '{"malware": 100, "vulnerabilities": { "defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, "critical": 100, "high": 100 }}' DSSC_INSECURE_SKIP_TLS_VERIFY: true DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: true - name: Cloud One Container Security Scan GCR @@ -212,8 +211,7 @@ jobs: DSSC_SMARTCHECK_USER: ${{ secrets.DSSC_SMARTCHECK_USER }} DSSC_SMARTCHECK_PASSWORD: ${{ secrets.DSSC_SMARTCHECK_PASSWORD }} DSSC_IMAGE_PULL_AUTH: '{"username": "oauth2accesstoken", "password": "${{ secrets.GCP_TOKEN }}"}' - DSSC_FINDINGS_THRESHOLD: '{"malware": 999, "vulnerabilities": { "defcon1": 999, "critical": 999, "high": 999 }, "contents": { "defcon1": 999, "critical": 999, "high": 999 }, "checklists": { "defcon1": 999, "critical": 999, "high": 999 }}' - DSSC_INSECURE_SKIP_TLS_VERIFY: true + DSSC_FINDINGS_THRESHOLD: '{"malware": 100, "vulnerabilities": { "defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, "critical": 100, "high": 100 }}' DSSC_INSECURE_SKIP_TLS_VERIFY: true DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: true ``` From 6150c503da3d7ed8a570fdcd9ed318fa95f01685 Mon Sep 17 00:00:00 2001 
From: gregt Date: Fri, 11 Sep 2020 12:53:07 -0400 Subject: [PATCH 4/5] additional comments and documentation --- README.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 136f9dc..9a697f9 100644 --- a/README.md +++ b/README.md @@ -186,6 +186,7 @@ jobs: DSSC_SMARTCHECK_HOST: ${{ secrets.DSSC_SMARTCHECK_HOST }} DSSC_SMARTCHECK_USER: ${{ secrets.DSSC_SMARTCHECK_USER }} DSSC_SMARTCHECK_PASSWORD: ${{ secrets.DSSC_SMARTCHECK_PASSWORD }} + # You will need to generate an access key and secret for your AWS user DSSC_IMAGE_PULL_AUTH: '{"aws":{"region":"us-east-1","accessKeyID":"$AWS_ACCESS_KEY_ID","secretAccessKey":"$AWS_SECRET_ACCESS_KEY"}}' DSSC_FINDINGS_THRESHOLD: '{"malware": 100, "vulnerabilities": { "defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, "critical": 100, "high": 100 }}' DSSC_INSECURE_SKIP_TLS_VERIFY: true 
@@ -210,12 +211,18 @@ jobs: DSSC_SMARTCHECK_HOST: ${{ secrets.DSSC_SMARTCHECK_HOST }} DSSC_SMARTCHECK_USER: ${{ secrets.DSSC_SMARTCHECK_USER }} DSSC_SMARTCHECK_PASSWORD: ${{ secrets.DSSC_SMARTCHECK_PASSWORD }} - DSSC_IMAGE_PULL_AUTH: '{"username": "oauth2accesstoken", "password": "${{ secrets.GCP_TOKEN }}"}' + # You will need to generate a JSON service account key in GCP and save it as a secret + DSSC_IMAGE_PULL_AUTH: '{"username": "_json_token", "password": "${{ secrets.GCP_JSON_KEY }}"}' DSSC_FINDINGS_THRESHOLD: '{"malware": 100, "vulnerabilities": { "defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, "critical": 100, "high": 100 }}' DSSC_INSECURE_SKIP_TLS_VERIFY: true DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: true ``` +The example above demonstrates how to add a Smartcheck Scan action as a step in your Github Worflow. This can be used to scan an image from a container registry in either Google Container Registry, Microsoft Azure Container Registry or Amazon Elastic Container Registry. 
-**PS.: For GCP users, you'll need to setup your authentication using an Access token and assigning the right permissions, more details here: https://cloud.google.com/container-registry/docs/advanced-authentication#token** +For Google Container Registry and Microsoft Azure Container Registry, the `username` and `password` required for `DSSC_IMAGE_PULL_AUTH` are the same as the docker login credentials you would use to authenticate to a registry in the provided platform: +- [Google Cloud Platform](https://cloud.google.com/container-registry/docs/advanced-authentication#json-key) +- [Microsoft Azure Web Services](https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication) + +To authenticate to an Amazon Elastic Container Registry the `DSSC_IMAGE_PULL_AUTH` should be formatted to match the `credentials.aws` object specified in the [Smartcheck API Documentation to create a Scan](https://deep-security.github.io/smartcheck-docs/api/index.html#operation/createScan). ## Example Workflow Running a Docker Container From 24a97f133277d4554b796ae032124367c2510d89 Mon Sep 17 00:00:00 2001 From: Felipe Costa Date: Tue, 22 Sep 2020 13:34:01 +0400 Subject: [PATCH 5/5] README Improvments --- README.md | 33 ++++++++++++++++++--------------- action.yml | 2 +- 2 files changed, 19 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 9a697f9..151dca0 100644 --- a/README.md +++ b/README.md 
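Review bot: The GCR example's new `DSSC_IMAGE_PULL_AUTH` line uses `"username": "_json_token"`, but the username Google documents for service-account JSON-key authentication (the `#json-key` page linked in the added bullet) is `_json_key`, so a workflow copied from this block would most likely fail to pull; suggest `DSSC_IMAGE_PULL_AUTH: '{"username": "_json_key", "password": "${{ secrets.GCP_JSON_KEY }}"}'` and confirm against the linked page. A service-account key file is itself JSON containing double quotes and line breaks, so pasting it verbatim into the `GCP_JSON_KEY` secret will break the outer JSON of this value unless the secret holds an escaped single-line form; the added `# You will need to generate a JSON service account key ...` comment would be a good place to say that. The enclosing `jobs:` block starts outside this hunk.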
@@ -4,11 +4,11 @@ ## Scan your containers with [Deep Security Smart Check](https://www.trendmicro.com/smartcheck). -This project was built by the [Deep Security Smart Check](trendmicro.com/smartcheck) team to help you to scan your containers in your CI/CD pipeline, you can use as a standalone Docker container published in the [Dockerhub](https://hub.docker.com/r/deepsecurity/smartcheck-scan-action) to scan your images. This tool is also used by the [Deep Security Smart Check plugin for Jenkins](https://plugins.jenkins.io/deepsecurity-smartcheck/) and the GitHub Action, that wraps the container published in Dockerhub. +This project was built by the [Deep Security Smart Check](trendmicro.com/smartcheck) team to help you to scan your containers in your CI/CD pipeline. You can use the Smartcheck Scan Action as a standalone Docker container published in [Dockerhub](https://hub.docker.com/r/deepsecurity/smartcheck-scan-action) to scan your images. This tool is also used by the [Deep Security Smart Check plugin for Jenkins](https://plugins.jenkins.io/deepsecurity-smartcheck/) and the GitHub Action, which provides a useful wrapper for the container published in Dockerhub for Github Workflow. ## Requirements -* Have an [Deep Security Smart Check](https://www.trendmicro.com/smartcheck) deployed. [Sign up for free trial now](https://www.trendmicro.com/product_trials/download/index/us/168) if it's not already the case! +* Have [Deep Security Smart Check](https://www.trendmicro.com/smartcheck) deployed. [Sign up now for a free trial](https://www.trendmicro.com/product_trials/download/index/us/168)! * A container image to scan in any [supported Docker Registry](https://deep-security.github.io/smartcheck-docs/admin_docs/admin.html#supported-registries). ## Usage 
@@ -18,7 +18,7 @@ Smart Check. ```yml - name: Deep Security Smart Check - uses: deepsecurity/Deep-Security-Smart-Check@version* + uses: deep-security/smartcheck-scan-action@version* with: # Mandatory DSSC_IMAGE_NAME: registryhost/myimage @@ -73,7 +73,7 @@ be given with `DSSC_IMAGE_NAME`. ```json '{"aws":{"region":"us-east-1","accessKeyID":"$AWS_ACCESS_KEY_ID","secretAccessKey":"$AWS_SECRET_ACCESS_KEY"}}' ``` - **PS.: ALWAYS use secrets to expose your credentials!** + **PS.: ALWAYS use secrets to not expose your credentials!** See [creating a scan][] in the [Deep Security Smart Check API Reference][] for additional registry credentials options. 
@@ -180,32 +180,34 @@ jobs: # AWS Example: - name: Deep Security Smart Check Scan ECR - uses: deepsecurity/Deep-Security-Smart-Check@version* + uses: deep-security/smartcheck-scan-action@version* with: - DSSC_IMAGE_NAME: myECRrepo/myimage + DSSC_IMAGE_NAME: accountid.dkr.ecr.region.amazonaws.com/myimage DSSC_SMARTCHECK_HOST: ${{ secrets.DSSC_SMARTCHECK_HOST }} DSSC_SMARTCHECK_USER: ${{ secrets.DSSC_SMARTCHECK_USER }} DSSC_SMARTCHECK_PASSWORD: ${{ secrets.DSSC_SMARTCHECK_PASSWORD }} # You will need to generate an access key and secret for your AWS user - DSSC_IMAGE_PULL_AUTH: '{"aws":{"region":"us-east-1","accessKeyID":"$AWS_ACCESS_KEY_ID","secretAccessKey":"$AWS_SECRET_ACCESS_KEY"}}' + DSSC_IMAGE_PULL_AUTH: '{"aws":{"region":"us-east-1","accessKeyID":"$AWS_ACCESS_KEY_ID" "secretAccessKey":"$AWS_SECRET_ACCESS_KEY"}}' DSSC_FINDINGS_THRESHOLD: '{"malware": 100, "vulnerabilities": { "defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, "critical": 100, "high": 100 }}' DSSC_INSECURE_SKIP_TLS_VERIFY: true DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: true # Azure Example: - name: Deep Security Smart Check Scan ACR - uses: deepsecurity/Deep-Security-Smart-Check@version* + uses: deep-security/smartcheck-scan-action@version* with: DSSC_IMAGE_NAME: myrepo.azurecr.io/myimage DSSC_SMARTCHECK_HOST: ${{ secrets.DSSC_SMARTCHECK_HOST }} DSSC_SMARTCHECK_USER: ${{ secrets.DSSC_SMARTCHECK_USER }} DSSC_SMARTCHECK_PASSWORD: ${{ secrets.DSSC_SMARTCHECK_PASSWORD }} DSSC_IMAGE_PULL_AUTH: '{"username": "${{ secrets.ACR_USER }}","password": "${{ secrets.ACR_PASSWORD }}"}' - DSSC_FINDINGS_THRESHOLD: '{"malware": 100, "vulnerabilities": { "defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, "critical": 100, "high": 100 }}' DSSC_INSECURE_SKIP_TLS_VERIFY: true + DSSC_FINDINGS_THRESHOLD: '{"malware": 100, "vulnerabilities": { 
"defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, "critical": 100, "high": 100 }}' + DSSC_INSECURE_SKIP_TLS_VERIFY: true DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: true - - - name: Cloud One Container Security Scan GCR - uses: felipecosta09/Deep-Security-Smart-Check-Scan-Action@version* + + # GCP Example: + - name: Deep Security Smart Check Scan GCR + uses: deep-security/smartcheck-scan-action@version* with: DSSC_IMAGE_NAME: region.gcr.io/projectname/myimage DSSC_SMARTCHECK_HOST: ${{ secrets.DSSC_SMARTCHECK_HOST }} 
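Review bot: The rewritten AWS `DSSC_IMAGE_PULL_AUTH` line is no longer valid JSON — the comma between `"accessKeyID":"$AWS_ACCESS_KEY_ID"` and `"secretAccessKey":"$AWS_SECRET_ACCESS_KEY"` was dropped, so a workflow copied from this example will fail when the credentials are parsed; restore it: `DSSC_IMAGE_PULL_AUTH: '{"aws":{"region":"us-east-1","accessKeyID":"$AWS_ACCESS_KEY_ID","secretAccessKey":"$AWS_SECRET_ACCESS_KEY"}}'`. Separately, `$AWS_ACCESS_KEY_ID` inside a `with:` value reaches the action as the literal string unless the action itself expands environment variables; the Azure and GCR examples in this same hunk use `${{ secrets.* }}` expressions for the same purpose, so presumably this one should too. The `DSSC_INSECURE_SKIP_TLS_VERIFY: true` line re-added for the Azure example (together with the registry variant beside it) turns off certificate validation for both the Smart Check endpoint and the registry; since these blocks are meant to be copied, a comment such as `# Only for self-signed/test deployments; remove to keep TLS verification on` above them would stop that becoming everyone's default.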
@@ -213,14 +215,15 @@ jobs: DSSC_SMARTCHECK_PASSWORD: ${{ secrets.DSSC_SMARTCHECK_PASSWORD }} # You will need to generate a JSON service account key in GCP and save it as a secret DSSC_IMAGE_PULL_AUTH: '{"username": "_json_token", "password": "${{ secrets.GCP_JSON_KEY }}"}' - DSSC_FINDINGS_THRESHOLD: '{"malware": 100, "vulnerabilities": { "defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, "critical": 100, "high": 100 }}' DSSC_INSECURE_SKIP_TLS_VERIFY: true + DSSC_FINDINGS_THRESHOLD: '{"malware": 100, "vulnerabilities": { "defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, "critical": 100, "high": 100 }}' + DSSC_INSECURE_SKIP_TLS_VERIFY: true DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: true ``` -The example above demonstrates how to add a Smartcheck Scan action as a step in your Github Worflow. This can be used to scan an image from a container registry in either Google Container Registry, Microsoft Azure Container Registry or Amazon Elastic Container Registry. +The example above demonstrates how to add a Deep Security Smart Check Scan action as a step in your Github Workflow. This can be used to scan an image from a container registry in either Google Container Registry, Microsoft Azure Container Registry or Amazon Elastic Container Registry. 
For Google Container Registry and Microsoft Azure Container Registry, the `username` and `password` required for `DSSC_IMAGE_PULL_AUTH` are the same as the docker login credentials you would use to authenticate to a registry in the provided platform: - [Google Cloud Platform](https://cloud.google.com/container-registry/docs/advanced-authentication#json-key) -- [Microsoft Azure Web Services](https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication) +- [Microsoft Azure](https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication) To authenticate to an Amazon Elastic Container Registry the `DSSC_IMAGE_PULL_AUTH` should be formatted to match the `credentials.aws` object specified in the [Smartcheck API Documentation to create a Scan](https://deep-security.github.io/smartcheck-docs/api/index.html#operation/createScan). diff --git a/action.yml b/action.yml index e45906f..6ccf797 100644 --- a/action.yml +++ b/action.yml @@ -1,4 +1,4 @@ -name: "Deep Security Smart Check" +name: "Deep Security Smart Check Scan Action" description: "Scan container images with Deep Security Smart Check." inputs: DSSC_IMAGE_NAME: