Skip to content

Latest commit

 

History

History
101 lines (79 loc) · 3.13 KB

README.md

File metadata and controls

101 lines (79 loc) · 3.13 KB

Vulnerable Image Check

Overview

This project will scan all the images in registries monitored by Halo and return a non-zero status if there are any critical vulnerabilities.

Install

  • pip install vulnerable_image_check - this will install the library.
  • git clone - this will allow for stand-alone usage.

Use

It expects API keys to be in environment variables.

Mandatory:

  • HALO_API_KEY - a Halo API key
  • HALO_API_SECRET_KEY - a Halo API secret

Optional:

  • REGISTRY_NAME - the name of a monitored registry. If this is empty the output will default to all monitored registries.
  • REPO_NAME - the name of a repository. If this is empty the output will default to all monitored repositories.
  • IMAGE_TAG - the name of an image tag. If this is empty the output will default to all tags.
  • OUTPUT_FORMAT - if the output format is anything other than 'csv' the output will be formatted text.
  • OCTO_BOX - unless this is explicitly set to True, it will not run for octo-box. This means the output will be decoded base64.

Default:

  • FAIL_ON_CRITICAL = "0" - defaults to success

Stand-Alone Use:

  1. Python - python runner.py Note: this is configured to work with both a local or pip installed module

  2. Docker -

* To build run:

docker build -t vulnerable_image_check:latest .

To execute run:

docker run -it -e HALO_API_KEY=$HALO_API_KEY
-e HALO_API_SECRET_KEY=$HALO_API_SECRET_KEY
vulnerable_image_check

Sample Output

Registry: DPR
  Repository: robert_rails
    Tag: dev
      Vulnerabilities: Package: sensible-utils Package Version: 0.0.9 | CVE List: cve-2017-17512 # NOQA Package Version: 2.0.0+dfsg-2ubuntu1.40 | CVE List: cve-2013-4544 cve-2014-0150 cve-2014-2894 # NOQA

Project Structure

  • vulnerable_image_check - base directory
  1. .gitchangelog.rc - configuration file for gitchangelog
  2. .gitignore - gitignore file
  3. .travis.yml - Travis CI configuration for CI testing
  4. Dockerfile - Dockerfile for building a Docker image for running the application stand-alone. There are several packages pinned to specific versions to remediate vulnerabilities.
  5. LICENSE - BSD 2-Clause License
  6. README.md - README.md(README_v1)
  7. setup.py - PyPI setup file
  8. runner.py
    • vulnerable_image_check - application directory
    1. _init_.py - author and version string
    2. config_helper.py - the application configuration
    3. vulnerable_image_check.py - the application
      * lib - support scripts
      1) _init_.py - import and version string
      2) report.py - reporting tool that outputs base64 encoded csv and formatted text
      3) utility.py - used by report.py
    • test - test directory
      * style - style tests
      1) test_style_flake8.py - flake8 tests
      * unit - unit tests
      1) test_config_helper.py - tests the application configuration
      2) test_report.py - test the report output
      3) test_vulnerable_image_check.py - test application code