Merge pull request #46 from kubescape/feat-image-scanning

feat: support image scanning

.github/workflows/example-scan-image.yaml

@@ -0,0 +1,30 @@
+name: Kubescape scanning for image vulnerabilities
+on: [push, pull_request]
+jobs:
+  kubescape-scan-image:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+    - uses: actions/checkout@v3
+    - uses: kubescape/github-action@main
+      continue-on-error: true
+      with:
+        image: quay.io/kubescape/kubescape
+        format: sarif
+        outputFile: results.sarif
+        # severityThreshold: "critical"
+        # # Username for a private registry with the image
+        # # Username for the image registry account you use to retrieve and scan images
+        # registryUsername: ${{secrets.SCANNER_REGISTRY_USERNAME}}
+        # # Password for a private registry with the image
+        # registryPassword: ${{secrets.REGISTRY_PASSWORD}}
+        # # Fail at or above the specified vulnerability severity threshold
+        # Kubescape cloud account ID
+        # account: ${{secrets.KUBESCAPE_ACCOUNT}}
+    - name: Upload Kubescape scan results to Github Code Scanning
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: results.sarif

Dockerfile

@@ -1,4 +1,4 @@
-FROM quay.io/kubescape/kubescape:v2.3.8
+FROM quay.io/kubescape/kubescape-cli:v2.9.2
 
 # Kubescape uses root privileges for writing the results to a file
 USER root

README.md

@@ -132,6 +132,44 @@ Please note that since Kubescape provides automatic fixes only to the rendered Y
 
 The next important thing to note is that Kubescape only fixes the files. It does not open pull requests or generate code reviews on its own.
 
+### Scanning images
+
+The Kubescape Github Action is also able to scan images. But you should be aware that image scanning cannot run in parallel with configuration scanning and file fixing at the moment. If you would like to run both image and configuration scanning, you should define at least two separate steps with the same action but different arguments: one for image scanning and the other for configuration scanning.
+
+To scan a container image with a Kubescape Github Action, use the following workflow definition, keeping in mind that you need to replace `image: "nginx"` with the appropriate image name:
+
+```yaml
+name: Kubescape scanning for image vulnerabilities
+on: [push, pull_request]
+jobs:
+  kubescape-scan-image:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+    - uses: actions/checkout@v3
+    - uses: kubescape/github-action@main
+      continue-on-error: true
+      with:
+        image: quay.io/kubescape/kubescape
+        format: sarif
+        outputFile: results.sarif
+        # severityThreshold: "critical"
+        # # Username for a private registry with the image
+        # registryUsername: ${{secrets.REGISTRY_USERNAME}}
+        # # Password for a private registry with the image
+        # registryPassword: ${{secrets.REGISTRY_PASSWORD}}
+        # # Fail at or above the specified vulnerability severity threshold
+        # Kubescape cloud account ID
+        # account: ${{secrets.KUBESCAPE_ACCOUNT}}
+    - name: Upload Kubescape scan results to Github Code Scanning
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: results.sarif
+```
+
 ## Inputs
 
 | Name | Description | Required |
@@ -146,6 +184,10 @@ The next important thing to note is that Kubescape only fixes the files. It does
 | verbose | Display all of the input resources and not only failed resources. Default is off | No |
 | exceptions | The JSON file containing at least one resource and one policy. Refer [exceptions](https://hub.armo.cloud/docs/exceptions) docs for more info. Objects with exceptions will be presented as exclude and not fail. | No |
 | controlsConfig | The file containing controls configuration. Use `kubescape download controls-inputs` to download the configured controls-inputs. | No |
+| image | The image you wish to scan. Launches an image scan, which cannot run together with configuration scans. | No |
+| registryUsername | Username to a private registry that hosts the scanned image. | No |
+| registryPassword | Password to a private registry that hosts the scanned image. | No |
+
 ## Examples
 
 

action.yml

@@ -79,6 +79,22 @@ inputs:
       use these fixes to open Pull Requests from your CI/CD pipeline.
     required: false
     default: "false"
+  image:
+    description: |
+      An image to scan.
+
+      This option runs an image scan instead of the usual configuration scan.
+
+      Example: "nginx" or "bitnami/redis" or "quay.io/kubescape/kubescape"
+    required: false
+  registryUsername:
+    description: |
+      A username for a private registry that contains the image to be scanned.
+    required: false
+  registryPassword:
+    description: |
+      A password for a private registry that contains the image to be scanned.
+    required: false
 runs:
   using: docker
   image: Dockerfile

entrypoint.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/busybox/sh
 
 # Checks if `string` contains `substring`.
 #
@@ -20,7 +20,21 @@ set -e
 export KS_CLIENT="github_actions"
 
 if [ -n "${INPUT_FRAMEWORKS}" ] && [ -n "${INPUT_CONTROLS}" ]; then
-  echo "Framework and Control is specified. Please specify either one of them or neither"
+  echo "Framework and Control are specified. Please specify either one of them or neither"
+  exit 1
+fi
+
+if [ -n "${INPUT_FRAMEWORKS}" ] && [ -n "${INPUT_IMAGE}" ] || [ -n "${INPUT_CONTROLS}" ] && [ -n "${INPUT_IMAGE}" ] ; then
+  errmsg="Image and Framework / Control are specified. Kubescape does not support scanning both at the moment."
+  errmsg="${errmsg} Please specify either one of them or neither."
+  echo "${errmsg}"
+  exit 1
+fi
+
+if [ -n "${INPUT_IMAGE}" ] && [ "${INPUT_FIXFILES}" = "true" ]; then
+  errmsg="The run requests both an image scan and file fix suggestions. Kubescape does not support fixing image scan results at the moment."
+  errmsg="${errmsg} Please specify either one of them or neither."
+  echo "${errmsg}"
   exit 1
 fi
 
@@ -42,7 +56,7 @@ fi
 frameworks_cmd=$([ -n "${INPUT_FRAMEWORKS}" ] && echo "framework ${INPUT_FRAMEWORKS}" || echo "")
 controls_cmd=$([ -n "${INPUT_CONTROLS}" ] && echo control "${controls}" || echo "")
 
-files=$([ -n "${INPUT_FILES}" ] && echo "${INPUT_FILES}" || echo .)
+scan_input=$([ -n "${INPUT_FILES}" ] && echo "${INPUT_FILES}" || echo .)
 
 output_formats="${INPUT_FORMAT}"
 have_json_format="false"
@@ -96,8 +110,43 @@ severity_threshold_opt=$(
     echo ""
 )
 
+# Handle image scanning request
+image_subcmd=""
+echo "image is <${INPUT_IMAGE}>"
+if [ -n "${INPUT_IMAGE}" ]; then
+
+  # By default, assume we are not authenticated. This means we can pull public
+  # images from the container runtime daemon
+  image_arg="${INPUT_IMAGE}"
+
+  severity_threshold_opt=$(
+    [ -n "${INPUT_SEVERITYTHRESHOLD}" ] &&
+      echo --severity-threshold "${INPUT_SEVERITYTHRESHOLD}" ||
+      echo ""
+  )
+
+  auth_opts=""
+  if [ -n "${INPUT_REGISTRYUSERNAME}" ] && [ -n "${INPUT_REGISTRYPASSWORD}" ]; then
+    auth_opts="--username=${INPUT_REGISTRYUSERNAME} --password=${INPUT_REGISTRYPASSWORD}"
+
+    # When trying to authenticate, we cannot assume that the runner has access
+    # to an *authenticated* container runtime daemon, so we should always try
+    # to pull images from the registry
+    image_arg="registry://${image_arg}"
+  else
+    echo "NOTICE: Received no registry credentials, pulling without authentication."
+    printf "Hint: If you provide credentials, make sure you include both the username and password.\n\n"
+  fi
+
+  # Build the image scanning subcommand with options
+  image_subcmd="image ${auth_opts}"
+  # Override the scan input
+  scan_input="${image_arg}"
+  echo "Scan subcommand: ${image_subcmd}"
+fi
+
 # TODO: include artifacts_opt once https://github.com/kubescape/kubescape/issues/1040 is resolved
-scan_command="kubescape scan ${frameworks_cmd} ${controls_cmd} ${files} ${account_opt} ${fail_threshold_opt} ${severity_threshold_opt} --format ${output_formats} --output ${output_file} ${verbose} ${exceptions} ${controls-config}"
+scan_command="kubescape scan ${image_subcmd} ${frameworks_cmd} ${controls_cmd} ${scan_input} ${account_opt} ${fail_threshold_opt} ${severity_threshold_opt} --format ${output_formats} --output ${output_file} ${verbose} ${exceptions} ${controls_config}"
 
 echo "${scan_command}"
 eval "${scan_command}"