[skip ci] security: scan images using WIZ cli (#349)

Co-authored-by: buildkite <[email protected]>
komodorio · Feb 2, 2025 · 67d09bf · 67d09bf
1 parent 62ab3d0
commit 67d09bf
Show file tree

Hide file tree

Showing 6 changed files with 73 additions and 353 deletions.
diff --git a/.buildkite/vulnerability-scan/exclude.yaml b/.buildkite/vulnerability-scan/exclude.yaml
diff --git a/.buildkite/vulnerability-scan/main.py b/.buildkite/vulnerability-scan/main.py
diff --git a/.buildkite/vulnerability-scan/pipeline.yaml b/.buildkite/vulnerability-scan/pipeline.yaml
@@ -1,16 +1,26 @@
-env:
-  MEND_URL: "https://saas-eu.mend.io"
 steps:
-
-  - label: "Scan"
+  - label: ":memo: annotate build"
+    command: |
+      buildkite-agent annotate --style info "<a href='https://app.wiz.io/findings/code-cicd-scans#%7E%28filters%7E%28timestamp%7E%28inTheLast%7E%28amount%7E30%7Eunit%7E%27days%29%29%7EcicdScanTrigger%7E%28equals%7E%28%7E%27USER_INITIATED%29%29%7EfindingType%7E%28equals%7E%28%7E%27VULNERABILITY%29%29%7EcicdScanResourceType%7E%28equals%7E%28%7E%27CONTAINER_IMAGE%29%29%29%29'>Wiz scan report</a>"
+    
+  - label: ":microbe: Scan komodor-agent image"
     commands:
-      - curl https://downloads.mend.io/cli/linux_amd64/mend -o /usr/local/bin/mend && chmod +x /usr/local/bin/mend
-      - python3 .buildkite/vulnerability-scan/main.py
+      -  .buildkite/vulnerability-scan/scan_image_with_wiz.sh komodor-agent
     agents:
       builder: "dind"
     plugins:
       - zacharymctague/aws-ssm#v1.0.0:
           parameters:
-            MEND_USER_KEY: /mend/USER_KEY
-            MEND_EMAIL: /mend/EMAIL
-
+            WIZ_CLIENT_ID: /app/ci/wiz/cli/CLIENT_ID
+            WIZ_CLIENT_SECRET: /app/ci/wiz/cli/CLIENT_SECRET
+
+  - label: ":microbe: Scan telegraf image"
+    commands:
+      - .buildkite/vulnerability-scan/scan_image_with_wiz.sh telegraf
+    agents:
+      builder: "dind"
+    plugins:
+      - zacharymctague/aws-ssm#v1.0.0:
+          parameters:
+            WIZ_CLIENT_ID: /app/ci/wiz/cli/CLIENT_ID
+            WIZ_CLIENT_SECRET: /app/ci/wiz/cli/CLIENT_SECRET
diff --git a/.buildkite/vulnerability-scan/requirements.txt b/.buildkite/vulnerability-scan/requirements.txt
diff --git a/.buildkite/vulnerability-scan/scan_image_with_wiz.sh b/.buildkite/vulnerability-scan/scan_image_with_wiz.sh
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+scan_image() {
+  local image_name="$1"
+  local image
+
+  image=$(helm template "$(dirname "$0")/../../charts/komodor-agent" \
+    --set apiKey=FAKEUUID-0000-1111-2222-333333333333 \
+    --set clusterName=fake | awk '/image:/ {print $2}' | grep -F "${image_name}:" | sort -u) || true
+
+  if [[ -z "$image" ]]; then
+    echo "Error: Image not found: $image_name" >&2
+    exit 1
+  fi
+
+  docker pull "$image"
+  ./wizcli docker scan --image "$image" --group-by resource -p "komodor-agent vulnerabilities policy"
+}
+
+####################
+# MAIN             #
+####################
+
+if [[ -z "${WIZ_CLIENT_ID:-}" || -z "${WIZ_CLIENT_SECRET:-}" ]]; then
+  echo "Error: WIZ_CLIENT_ID and WIZ_CLIENT_SECRET must be set" >&2
+  exit 1
+fi
+
+if [[ $# -lt 1 ]]; then
+  echo "Usage: $0 <image_name>" >&2
+  exit 1
+fi
+
+image_name="$1"
+
+ARCH="$(uname -m)"
+case "$ARCH" in
+  x86_64) ARCH="amd64" ;;
+  aarch64) ARCH="arm64" ;;
+esac
+
+OS="$(uname -s | tr '[:upper:]' '[:lower:]')"
+
+WIZCLI_URL="https://downloads.wiz.io/wizcli/latest/wizcli-${OS}-${ARCH}"
+echo "Downloading wizcli from $WIZCLI_URL"
+curl -fsSL -o wizcli "$WIZCLI_URL" && chmod +x wizcli
+
+./wizcli auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"
+
+komo ci docker-login
+
+scan_image "$image_name"