Enable in container auditing

9b3f9534 · svwolter · f90efc7e · 9b3f9534 · 9b3f9534 · 9b3f9534
Commit 9b3f9534 authored Jun 08, 2022 by svwolter
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
 image: node:16-bullseye-slim

+#include:
+ # - template: Security/Container-Scanning.gitlab-ci.yml
+
 variables:
  REGISTRY: $CI_REGISTRY
  REGISTRY_USER: $CI_REGISTRY_USER
@@ -465,6 +468,32 @@ test-release-e2e-ui-edge-mobile:
    - export $(grep -v '^#' .env.prod | xargs) && docker compose -f docker-compose.e2e.yml build --no-cache -q test-release-e2e-ui-edge-mobile
    - docker compose -f docker-compose.e2e.yml up --exit-code-from test-release-e2e-ui-edge-mobile test-release-e2e-ui-edge-mobile

+audit-app:
+  stage: test
+  rules:
+    - !reference [ .default_rules, rules ]
+    - if: $CI_COMMIT_TAG
+      when: never
+  script:
+    - npm audit --audit-level critical
+
+audit-release:
+  stage: test
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs:
+    - build-test-images
+  image: docker:20.10-git
+  services:
+    - docker:20.10-dind
+  before_script:
+    - docker pull ${CI_REGISTRY_IMAGE}/iqbberlin/personaldb-backend:${CI_COMMIT_SHA}
+    - docker pull ${CI_REGISTRY_IMAGE}/iqbberlin/personaldb-frontend:${CI_COMMIT_SHA}
+  script:
+    #- npm audit --audit-level critical
+    - docker run --entrypoint npm ${CI_REGISTRY_IMAGE}/iqbberlin/personaldb-backend:${CI_COMMIT_SHA} audit --audit-level critical
+    - docker run --entrypoint npm ${CI_REGISTRY_IMAGE}/iqbberlin/personaldb-frontend:${CI_COMMIT_SHA} audit --audit-level critical
+
 lint-app:
  stage: test
  extends: .distributed
@@ -528,6 +557,40 @@ build-docker-db:
  after_script:
    - docker logout $REGISTRY

+  #container_scanning:
+  # variables:
+  #  CS_DEFAULT_BRANCH_IMAGE: $CI_REGISTRY_IMAGE/$CI_DEFAULT_BRANCH:$CI_COMMIT_SHA
+
+scan-docker-db:
+  stage: packetize
+  image: docker:20.10-git
+  services:
+    - docker:20.10-dind
+  rules:
+    - if: $CI_COMMIT_TAG
+      when: never
+    - if: $CI_COMMIT_BRANCH == "main"
+      changes:
+        - scripts/db/Dockerfile
+        - scripts/db/conf/*
+        - scripts/db/init/*
+    - if: $CI_COMMIT_BRANCH == "develop"
+      changes:
+        - scripts/db/Dockerfile
+        - scripts/db/conf/*
+        - scripts/db/init/*
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+      changes:
+        - scripts/db/Dockerfile
+        - scripts/db/conf/*
+        - scripts/db/init/*
+  needs:
+    - build-docker-db
+  before_script:
+    - export TAG=$(git rev-parse --short HEAD)
+  script:
+    - docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.29.2 image --exit-code 1 --security-checks vuln --ignore-unfixed --severity CRITICAL ${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-db:${TAG}
+
 build-docker-app:
  stage: packetize
  extends: .distributed
@@ -546,6 +609,7 @@ build-docker-app:
    - test-app-e2e-ui-firefox-mobile
    - test-app-e2e-ui-edge
    - test-app-e2e-ui-edge-mobile
+    - audit-app
    - lint-app
  image: docker:20.10-git
  services:
@@ -560,6 +624,46 @@ build-docker-app:
  after_script:
    - docker logout $REGISTRY

+scan-docker-app:
+  stage: packetize
+  extends: .distributed
+  rules:
+    - !reference [ .default_rules, rules ]
+    - if: $CI_COMMIT_TAG
+      when: never
+  needs:
+    - install-dependencies
+    - build-docker-app
+  image: docker:20.10-git
+  services:
+    - docker:20.10-dind
+  before_script:
+    - apk add --no-cache npm
+    - npm i -g npx
+    - export TAG=$(git rev-parse --short HEAD)
+  script:
+    - npx nx affected --base=HEAD~1 --target=docker-scan --registry=$REGISTRY --registryProject=$REGISTRY_PROJECT --tag=$TAG
+
+scan-docker-release:
+  stage: test
+  #extends: .distributed
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs:
+    #- install-dependencies
+    - build-test-images
+  image: docker:20.10-git
+  services:
+    - docker:20.10-dind
+  before_script:
+    - docker pull ${CI_REGISTRY_IMAGE}/iqbberlin/personaldb-backend:${CI_COMMIT_SHA}
+    - docker pull ${CI_REGISTRY_IMAGE}/iqbberlin/personaldb-frontend:${CI_COMMIT_SHA}
+    - docker pull -q aquasec/trivy:0.29.2
+  script:
+    - docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.29.2 image --exit-code 1 --security-checks vuln --ignore-unfixed --severity CRITICAL ${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-db:${CI_COMMIT_SHA}
+    - docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.29.2 image --exit-code 1 --security-checks vuln --ignore-unfixed --severity CRITICAL ${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-backend:${CI_COMMIT_SHA}
+    - docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.29.2 image --exit-code 1 --security-checks vuln --ignore-unfixed --severity CRITICAL ${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-frontend:${CI_COMMIT_SHA}
+
 build-docker-release:
  stage: packetize
  #extends: .distributed
@@ -568,14 +672,16 @@ build-docker-release:
  needs:
    #- install-dependencies
    - test-release
-    - test-release-e2e
-    - test-release-e2e-ui-chrome
-    - test-release-e2e-ui-chrome-mobile
-    - test-release-e2e-ui-firefox
-    - test-release-e2e-ui-firefox-mobile
-    - test-release-e2e-ui-edge
-    - test-release-e2e-ui-edge-mobile
-    - lint-release
+    #- test-release-e2e
+    #- test-release-e2e-ui-chrome
+    #- test-release-e2e-ui-chrome-mobile
+    #- test-release-e2e-ui-firefox
+    #- test-release-e2e-ui-firefox-mobile
+    #- test-release-e2e-ui-edge
+    #- test-release-e2e-ui-edge-mobile
+    - audit-release
+    #- scan-docker-release
+    #- lint-release
  image: docker:20.10-git
  services:
    - docker:20.10-dind

--- a/Makefile
+++ b/Makefile
 BASE_DIR := $(shell git rev-parse --show-toplevel)

+include $(BASE_DIR)/scripts/make/audit.mk
 include $(BASE_DIR)/scripts/make/dev.mk
 include $(BASE_DIR)/scripts/make/lint.mk
 include $(BASE_DIR)/scripts/make/prod.mk
 include $(BASE_DIR)/scripts/make/push.mk
+include $(BASE_DIR)/scripts/make/scan.mk
 include $(BASE_DIR)/scripts/make/test.mk
--- a/angular.json
+++ b/angular.json
@@ -73,6 +73,12 @@
            ],
            "parallel": false
          }
+        },
+        "docker-scan": {
+          "builder": "@nrwl/workspace:run-commands",
+          "options": {
+            "command": "docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.29.2 image --exit-code 1 --security-checks vuln --ignore-unfixed --severity CRITICAL {args.registry}{args.registryProject}iqbberlin/personaldb-backend:{args.tag}"
+          }
        }
      }
    },
@@ -219,6 +225,12 @@
            ],
            "parallel": false
          }
+        },
+        "docker-scan": {
+          "builder": "@nrwl/workspace:run-commands",
+          "options": {
+            "command": "docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.29.2 image --exit-code 1 --security-checks vuln --ignore-unfixed --severity CRITICAL {args.registry}{args.registryProject}iqbberlin/personaldb-frontend:{args.tag}"
+          }
        }
      },
      "tags": []

--- a/scripts/make/audit.mk
+++ b/scripts/make/audit.mk
+.PHONY: audit-app audit-backend audit-frontend
+
+audit-app: audit-backend audit-frontend ## Run all audits (only in combination with 'make dev-run')
+
+audit-backend: ## Run backend audit (only in combination with 'make dev-run')
+	docker exec -it personaldb-backend npm audit --audit-level critical
+
+audit-frontend: ## Run frontend audit (only in combination with 'make dev-run')
+	docker exec -it personaldb-frontend npm audit --audit-level critical
--- a/scripts/make/scan.mk
+++ b/scripts/make/scan.mk
+.PHONY: scan-db scan-backend scan-frontend scan-app
+
+scan-db:	# scans db image for security vulnerabilities
+	docker build --pull -f scripts/db/Dockerfile --target=prod --no-cache --rm -t scm.cms.hu-berlin.de:4567/iqb/personaldb/iqbberlin/personaldb-db:latest .
+	docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v ${HOME}/Library/Caches:/root/.cache/ aquasec/trivy:0.29.2 image --security-checks vuln --ignore-unfixed --severity CRITICAL scm.cms.hu-berlin.de:4567/iqb/personaldb/iqbberlin/personaldb-db:latest
+
+scan-backend:	# scans backend image for security vulnerabilities
+	docker build --pull -f apps/api/Dockerfile --build-arg project=api --target=prod --no-cache --rm -t scm.cms.hu-berlin.de:4567/iqb/personaldb/iqbberlin/personaldb-backend:latest .
+	docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v ${HOME}/Library/Caches:/root/.cache/ aquasec/trivy:0.29.2 image --security-checks vuln --ignore-unfixed --severity CRITICAL scm.cms.hu-berlin.de:4567/iqb/personaldb/iqbberlin/personaldb-backend:latest
+
+scan-frontend:	# scans frontend image for security vulnerabilities
+	docker build --pull -f apps/frontend/Dockerfile --build-arg project=frontend --target=prod --no-cache --rm -t scm.cms.hu-berlin.de:4567/iqb/personaldb/iqbberlin/personaldb-frontend:latest .
+	docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v ${HOME}/Library/Caches:/root/.cache/ aquasec/trivy:0.29.2 image --security-checks vuln --ignore-unfixed --severity CRITICAL scm.cms.hu-berlin.de:4567/iqb/personaldb/iqbberlin/personaldb-frontend:latest
+
+scan-app: scan-db scan-backend scan-frontend	# scans application images for security vulnerabilities