Use CircleCI version 2.1 at the top of your .circleci/config.yml file.
1
version: 2.1
Add the orbs
stanza below your version, invoking the orb:
1
2
orbs:
microscanner: aquasecurity/microscanner@0.1.6
Use microscanner
elements in your existing workflows and jobs.
Opt-in to use of uncertified orbs on your organization’s Security settings page.
Scan a newly built docker image with the Aqua Security microscanner.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
version: 2.1
orbs:
microscanner: aquasecurity/microscanner@dev:0.1.1
jobs:
docker-build:
executor: microscanner/default
steps:
- checkout
- run: docker build -t myrepo/myimage:tag .
workflows:
scan-image:
jobs:
- docker-build
- microscanner/scan-image:
requires:
- docker-build
context: myContext
image: myrepo/myimage:mytag
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
token | The Aqua microscanner token | No | $AQUA_TOKEN | string |
microscanner_options | This var allows for option flags to be passed to the MicroScanner. | No | $MICROSCANNER_OPTIONS | string |
image | The image to scan | Yes | - | string |
artifact-type | The type of artifact to output | No | html | string |
dockerfile-path | The path to your Dockerfile | No | . | string |
Create the runtime scanning
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
token | The Aqua MicroScanner token | No | $AQUA_TOKEN | string |
Scan the container image
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
token | The Aqua MicroScanner token | No | $AQUA_TOKEN | string |
microscanner_options | This var allows for option flags to be passed to the MicroScanner. | No | $MICROSCANNER_OPTIONS | string |
image | The image to scan | Yes | - | string |
artifact-type | The type of artifact to output; html is default, json is optional. | No | html | string |
A debian-based machine executor. Note that there is an overhead for provisioning a machine executor as a result of spinning up a private Docker server. Use of the machine key may require additional fees.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
version: 2.1
description: |
This orb creates a wrapper for the Aqua Security MicroScanner. This tool is freely available on GitHub.
examples:
simple_build_and_scan:
description: Scan a newly built docker image with the Aqua Security microscanner.
usage:
version: 2.1
orbs:
microscanner: aquasecurity/microscanner@dev:0.1.1
jobs:
docker-build:
executor: microscanner/default
steps:
- checkout
- run: docker build -t myrepo/myimage:tag .
workflows:
scan-image:
jobs:
- docker-build
- microscanner/scan-image:
requires:
- docker-build
context: myContext
image: myrepo/myimage:mytag
executors:
default:
description: A debian-based machine executor. Note that there is an
overhead for provisioning a machine executor as a result of
spinning up a private Docker server. Use of the machine key
may require additional fees.
machine:
image: circleci/classic:201808-01
commands:
install:
description: Create the runtime scanning
parameters:
token:
description: The Aqua MicroScanner token
type: string
default: $AQUA_TOKEN
steps:
- run:
name: Import scanning script
command: |
mkdir scanresult
mkdir scantemp
cd scantemp
cat \<< 'EOF' > ./MicroScanner.sh
#!/bin/bash
set -euo pipefail
AQUA_TOKEN="${AQUA_TOKEN:-}"
MICROSCANNER_OPTIONS="${MICROSCANNER_OPTIONS:-}"
DOCKER_IMAGE="${1:-}"
TEMP_IMAGE_TAG=$(LC_CTYPE=C tr -dc 'a-zA-Z0-9' </dev/urandom | fold -w 32 | head -n 1 | tr '[:upper:]' '[:lower:]' || true)
MICROSCANNER_SOURCE="https://get.aquasec.com/microscanner"
main() {
[[ -z ${DOCKER_IMAGE} ]] && {
print_usage
exit 1
}
trap cleanup EXIT
TEMP_DIR=$(mktemp -d)
cd "${TEMP_DIR}"
{
echo "FROM ${DOCKER_IMAGE}"
cat \<<"EOL"
RUN if [ ! -d /etc/ssl/certs/ ] || { [ ! -f /etc/ssl/certs/ca-certificates.crt ] && [ ! -f /etc/ssl/certs/ca-bundle.crt ]; }; then \
PACKAGE_MANAGER=$(basename \
$({ command -v apk apt yum false 2>/dev/null || which apk apt yum false; } \
| head -n1)); \
if [ "${PACKAGE_MANAGER}" = "apk" ]; then \
apk --update add ca-certificates; \
elif [ "${PACKAGE_MANAGER}" = "apt" ]; then \
apt update \
&& apt install --no-install-recommends -y ca-certificates \
&& update-ca-certificates; \
elif [ "${PACKAGE_MANAGER}" = "yum" ]; then \
yum install -y ca-certificates; \
else \
echo 'ca-certificates not found and package manager not apk, apt, or yum. Aborting' >&2; \
exit 1; \
fi; \
fi;
EOL
cat \<<EOL
ADD ${MICROSCANNER_SOURCE} /tmp/microscanner
USER root
RUN [ -x /tmp/microscanner ] || chmod +x /tmp/microscanner \
&& sync \
&& /tmp/microscanner --version \
&& /tmp/microscanner ${MICROSCANNER_OPTIONS} ${AQUA_TOKEN}
EOL
} | docker build --force-rm -t ${TEMP_IMAGE_TAG} -f - .
}
print_usage() {
echo "Usage: ./MicroScanner.sh DOCKER_IMAGE"
}
cleanup() {
if docker inspect --type=image "${TEMP_IMAGE_TAG}" &>/dev/null; then
docker image rm --force "${TEMP_IMAGE_TAG}" || true
fi
rm -rf "${TEMP_DIR}" || true
}
main
EOF
chmod +x ./MicroScanner.sh
scan:
description: Scan the container image
parameters:
token:
description: The Aqua MicroScanner token
type: string
default: $AQUA_TOKEN
microscanner_options:
description: This var allows for option flags to be passed to the MicroScanner.
type: string
default: $MICROSCANNER_OPTIONS
image:
description: The image to scan
type: string
artifact-type:
description: The type of artifact to output; html is default, json is optional.
type: string
default: html
steps:
- run:
name: Scan for vulneribilities and upload report artifact
command: |
cd scantemp
if [[ <<parameters.artifact-type>> == html ]]; then
AQUA_TOKEN=<<parameters.token>>
MICROSCANNER_OPTIONS=<<parameters.microscanner_options>>
MICROSCANNER_OPTIONS="${MICROSCANNER_OPTIONS} --html" ./MicroScanner.sh <<parameters.image>> | sed -n '/<!DOCTYPE html>/,/<\/body>/p' > ../scanresult/AquaMicroscannerOutput.html
echo These options were sent to MicroScanner -> $MICROSCANNER_OPTIONS
else
AQUA_TOKEN=<<parameters.token>>
MICROSCANNER_OPTIONS=<<parameters.microscanner_options>>
MICROSCANNER_OPTIONS="${MICROSCANNER_OPTIONS} --json" ./MicroScanner.sh <<parameters.image>> | sed -n '/<!DOCTYPE html>/,/<\/body>/p' > ../scanresult/AquaMicroscannerOutput.json
echo These options were sent to MicroScanner -> $MICROSCANNER_OPTIONS
fi
- store_artifacts:
path: scanresult
jobs:
scan-image:
executor: default
parameters:
token:
description: The Aqua microscanner token
type: string
default: $AQUA_TOKEN
microscanner_options:
description: This var allows for option flags to be passed to the MicroScanner.
type: string
default: $MICROSCANNER_OPTIONS
image:
description: The image to scan
type: string
artifact-type:
description: The type of artifact to output
type: string
default: html
dockerfile-path:
description: The path to your Dockerfile
type: string
default: .
steps:
- install
- scan:
image: <<parameters.image>>