Merge pull request #40 from nyrahul/main

GAR container img bulk scan

Author: nyrahul

.gitignore

@@ -4,3 +4,4 @@ __pycache__
 .venv
 .ks
 .kscache
+POLDUMP

api-samples/checkNodeEnrollment.sh

@@ -2,18 +2,17 @@
 
 # To set .accuknox.cfg check https://github.com/accuknox/tools/tree/main/api-samples
 . ${ACCUKNOX_CFG:-~/.accuknox.cfg}
+. util.sh
 
 # Other params
-TMP=/tmp/$(basename $0).$$
+TMP=$DIR/$(basename $0)
 clusterspec=".*" # regex for cluster names
 
 get_node_list()
 {
-	curl $CURLOPTS "$CWPP_URL/cm/api/v1/cluster-management/nodes-in-cluster" \
-				  -H "authorization: Bearer $TOKEN" \
-				  -H 'content-type: application/json' \
-				  -H "x-tenant-id: $TENANT_ID" \
-				  --data-raw "{\"workspace_id\":$TENANT_ID,\"cluster_id\":[$cid],\"from_time\":[],\"to_time\":[]}" | jq -r '.result[].NodeName' > $TMP
+	data_raw="{\"workspace_id\":$TENANT_ID,\"cluster_id\":[$cid],\"from_time\":[],\"to_time\":[]}"
+	ak_api "$CWPP_URL/cm/api/v1/cluster-management/nodes-in-cluster"
+	echo $json_string | jq -r '.result[].NodeName' > $TMP
 cat <<EOH
 {
 "Cluster": "$cname",
@@ -31,32 +30,19 @@ EOH
 
 get_cluster_id()
 {
+	ak_api "$CWPP_URL/cluster-onboarding/api/v1/get-onboarded-clusters?wsid=$TENANT_ID"
 	while read cline; do
 		cid=${cline/ */}
 		cname=${cline/* /}
 		[[ ! $cname =~ $clusterspec ]] && echo "ignoring cluster [$cname] ..." && continue
 		get_node_list
-	done < <(curl $CURLOPTS "$CWPP_URL/cluster-onboarding/api/v1/get-onboarded-clusters?wsid=$TENANT_ID" \
-	  -H 'accept: */*' \
-	  -H "authorization: Bearer $TOKEN" \
-	  -H 'content-type: application/json' \
-	  -H "x-tenant-id: $TENANT_ID" | jq -r '.[] | "\(.ID) \(.ClusterName)"')
+	done < <(echo $json_string | jq -r '.[] | "\(.ID) \(.ClusterName)"')
 }
 
-function cleanup {
-	rm -f $TMP
-}
-prereq()
-{
-	command -v jq >/dev/null 2>&1 || { echo >&2 "require 'jq' to be installed. Aborting."; exit 1; }
-}
-
-trap cleanup EXIT
-
 main()
 {
-	prereq
-	get_cluster_id | jq .
+	ak_prereq
+	get_cluster_id
 }
 
 # Processing starts here

api-samples/policyDump.sh

@@ -2,20 +2,18 @@
 
 # To set .accuknox.cfg check https://github.com/accuknox/tools/tree/main/api-samples
 . ${ACCUKNOX_CFG:-~/.accuknox.cfg}
+. util.sh
 
 # Other params
 clusterspec=".*" # regex for cluster name for whom to dump the policies
-TMP=/tmp/$(basename $0).$$
+TMP=$DIR/$(basename $0).$$
 OUT="POLDUMP" # output directory where the policies will be dumped
 
 dump_policy_file()
 {
-	policy_id=$1
-	curl $CURLOPTS "$CWPP_URL/policymanagement/v2/policy/$policy_id" \
-	  -H "Authorization: Bearer $TOKEN" \
-	  -H 'Content-Type: application/json' \
-	  -H "X-Tenant-Id: $TENANT_ID" | jq -r .yaml > $polpath
-	[[ $? -ne 0 ]] && echo "could not get policy with ID=[$policy_id]" && return
+	ak_api "$CWPP_URL/policymanagement/v2/policy/$1"
+	echo $json_string | jq -r .yaml > $polpath
+	[[ $? -ne 0 ]] && echo "could not get policy with ID=[$1]" && return
 }
 
 get_policy_list()
@@ -25,6 +23,8 @@ get_policy_list()
 		pgnext=$(($pgprev + $polperpage))
 		echo "fetching policies $pgprev to $pgnext ..."
 		cnt=0
+		data_raw="{\"workspace_id\":$TENANT_ID,\"workload\":\"k8s\",\"page_previous\":$pgprev,\"page_next\":$pgnext,\"filter\":{\"cluster_id\":[$1],\"namespace_id\":[],\"workload_id\":[],\"kind\":[],\"node_id\":[],\"pod_id\":[],\"type\":[],\"status\":[],\"tags\":[],\"name\":{\"regex\":[]},\"tldr\":{\"regex\":[]}}}"
+		ak_api "$CWPP_URL/policymanagement/v2/list-policy"
 		while read pline; do
 			((cnt++))
 			arr=($pline)
@@ -33,17 +33,14 @@ get_policy_list()
 			polpath=$poldir/${arr[1]}.yaml
 			echo $polpath
 			dump_policy_file ${arr[0]}
-		done < <(curl $CURLOPTS "$CWPP_URL/policymanagement/v2/list-policy" \
-		  -H "Authorization: Bearer $TOKEN" \
-		  -H 'Content-Type: application/json' \
-		  -H "X-Tenant-Id: $TENANT_ID" \
-		  --data-raw "{\"workspace_id\":$TENANT_ID,\"workload\":\"k8s\",\"page_previous\":$pgprev,\"page_next\":$pgnext,\"filter\":{\"cluster_id\":[$1],\"namespace_id\":[],\"workload_id\":[],\"kind\":[],\"node_id\":[],\"pod_id\":[],\"type\":[],\"status\":[],\"tags\":[],\"name\":{\"regex\":[]},\"tldr\":{\"regex\":[]}}}" | jq -r '.list_of_policies[] | "\(.policy_id) \(.name) \(.namespace_name)"')
+		done < <(echo $json_string | jq -r '.list_of_policies[] | "\(.policy_id) \(.name) \(.namespace_name)"')
 		[[ $cnt -lt $polperpage ]] && break
 	done
 }
 
 get_cluster_id()
 {
+	ak_api "$CWPP_URL/cluster-onboarding/api/v1/get-onboarded-clusters?wsid=$TENANT_ID"
 	while read cline; do
 		cid=${cline/ */}
 		cname=${cline/* /}
@@ -52,27 +49,12 @@ get_cluster_id()
 		mkdir $cpath 2>/dev/null
 		echo "fetching policies for cluster [$cname] ..."
 		get_policy_list $cid
-	done < <(curl $CURLOPTS "$CWPP_URL/cluster-onboarding/api/v1/get-onboarded-clusters?wsid=$TENANT_ID" \
-	  -H 'accept: */*' \
-	  -H "authorization: Bearer $TOKEN" \
-	  -H 'content-type: application/json' \
-	  -H "x-tenant-id: $TENANT_ID" | jq -r '.[] | "\(.ID) \(.ClusterName)"')
-}
-
-function cleanup {
-	rm -rf $TMP 2>/dev/null
-}
-trap cleanup EXIT
-
-init()
-{
-	mkdir -p $TMP 2>/dev/null
-	mkdir -p $OUT 2>/dev/null
+	done < <(echo $json_string | jq -r '.[] | "\(.ID) \(.ClusterName)"')
 }
 
 main()
 {
-	init
+	mkdir -p $OUT 2>/dev/null
 	get_cluster_id
 }
 

api-samples/ticketReport.sh

@@ -2,34 +2,22 @@
 
 # To set .accuknox.cfg check https://github.com/accuknox/tools/tree/main/api-samples
 . ${ACCUKNOX_CFG:-~/.accuknox.cfg}
-
-# Other params
-TMP=/tmp/$$
+. util.sh
 
 get_ticket_details()
 {
-	curl $CURLOPTS "$CSPM_URL/api/v1/tickets/$1" \
-	  -H 'accept: */*' \
-	  -H "authorization: Bearer $TOKEN" \
-	  -H 'content-type: application/json' | jq .
+	ak_api "$CSPM_URL/api/v1/tickets/$1"
+	echo $json_string | jq .
 }
 
 get_ticket_list()
 {
+	ak_api "$CSPM_URL/api/v1/tickets?page=1&page_size=20&status=Opened&created_before=2024-11-13&created_after=2024-11-05"
 	while read line; do
 		echo $line
 		get_ticket_details $line
-	done < <(curl $CURLOPTS "$CSPM_URL/api/v1/tickets?page=1&page_size=20&status=Opened&created_before=2024-11-13&created_after=2024-11-05" \
-	  -H 'accept: */*' \
-	  -H "authorization: Bearer $TOKEN" \
-	  -H 'content-type: application/json' | jq -r '.results[].id')
-}
-
-
-function cleanup {
-	rm -f $TMP 2>/dev/null
+	done < <(echo $json_string | jq -r '.results[].id')
 }
-trap cleanup EXIT
 
 main()
 {

api-samples/util.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+
+DIR=/tmp/$$
+
+ak_api()
+{
+	apiverbosity=${API_VERBOSE:-0}
+	[[ $apiverbosity -gt 0 ]] && echo "API: [$1]"
+	unset apicmd
+	unset json_string
+	read -r -d '' apicmd << EOH
+curl $CURLOPTS "$1" \
+	  -H "authorization: Bearer $TOKEN" \
+	  -H 'content-type: application/json' \
+	  -H "x-tenant-id: $TENANT_ID"
+EOH
+	if [ "$data_raw" != "" ]; then
+		apicmd="$apicmd --data-raw '$data_raw'"
+	fi
+	[[ $apiverbosity -gt 1 ]] && echo "$apicmd"
+	json_string=`eval "$apicmd"`
+	if ! jq -e . >/dev/null 2>&1 <<<"$json_string"; then
+		echo "API call failed: [$json_string]"
+		exit 1
+	fi
+	[[ $apiverbosity -gt 1 ]] && echo "$json_string"
+	unset data_raw
+}
+
+ak_prereq()
+{
+	[[ "$DIR" != "" ]] && mkdir -p $DIR
+	command -v jq >/dev/null 2>&1 || { echo >&2 "require 'jq' to be installed. Aborting."; exit 1; }
+}
+
+function ak_cleanup {
+	[[ "$DIR" != "" ]] && rm -rf $DIR
+}
+
+trap ak_cleanup EXIT
+

imgscan/Dockerfile

@@ -0,0 +1,16 @@
+FROM accuknox/accuknox-container-scan:latest
+WORKDIR /home/ak
+RUN apk add jq curl bash python3
+
+RUN curl https://dl.google.com/dl/cloudsdk/release/google-cloud-sdk.tar.gz > /tmp/google-cloud-sdk.tar.gz
+
+# Installing the package
+RUN mkdir -p /usr/local/gcloud \
+  && tar -C /usr/local/gcloud -xvf /tmp/google-cloud-sdk.tar.gz \
+    && /usr/local/gcloud/google-cloud-sdk/install.sh
+
+COPY imagescan.sh .
+RUN chmod +x /home/ak/imagescan.sh
+ENV PATH=$PATH:/usr/local/gcloud/google-cloud-sdk/bin
+
+ENTRYPOINT ["/home/ak/imagescan.sh"]

imgscan/README.md

@@ -0,0 +1,60 @@
+# Bulk scan of GAR registry locally
+
+GAR Prerequisites:
+1. **REGISTRY**: Full registry path for GAR
+2. **SA_EMAIL**: [Service Account Email](../res/gcp-service-account.png)
+3. Service Account Json: File containing the creds
+4. **IMGSPEC**: Regular expression for images to scan/upload-results. E.g. `.*:latest` => scan all the images having `latest` tag. Sample image name:`us-east1-docker.pkg.dev/kube-airgapped/accuknox-onprem/nginx:foobar`
+
+AccuKnox Prerequisites:
+1. **LABEL**: [AccuKnox Label](https://help.accuknox.com/how-to/how-to-create-labels/)
+2. **TENANT**: [Tenant ID](https://help.accuknox.com/how-to/how-to-create-tokens/)
+3. **TOKEN**: [AccuKnox Token](https://help.accuknox.com/how-to/how-to-create-tokens/)
+4. **AKURL**: cspm.demo.accuknox.com
+
+Scan images with tags `foobar`.
+```bash
+docker run -eIMGSPEC=".*:foobar$" \
+           -eREGISTRY=us-east1-docker.pkg.dev/kube-airgapped/accuknox-onprem \
+           -e"SA_EMAIL=<service-account-email>" \
+           -eLABEL=labeltmp \
+           -eTENANT=4093 \
+           -eTOKEN=<get token> \
+           -eAKURL=cspm.demo.accuknox.com \
+           -v$PWD/service_account.json:/home/ak/service_account.json \
+           -it accuknox/accuknox-container-scan:bulk
+```
+
+## Jenkins Script
+
+```
+pipeline {
+    agent any
+    environment {
+        SA_FILE = credentials('SA_FILE')
+        TOKEN = credentials('TOKEN')
+        SA_EMAIL = credentials('SA_EMAIL')
+    }
+    stages {
+        stage('Accuknox') {
+            steps {
+                script {
+                    sh 'echo "$SA_FILE" > service_account.json'
+                   
+                    sh '''
+                    docker run -e IMGSPEC=".*:foobar$" \
+                        -e REGISTRY=us-east1-docker.pkg.dev/kube-airgapped/accuknox-onprem \
+                        -e "[email protected]" \
+                        -e LABEL=mylabel \
+                        -e TENANT=4093 \
+                        -e TOKEN=$TOKEN \
+                        -e AKURL=cspm.demo.accuknox.com \
+                        -v "$PWD/service_account.json:/home/ak/service_account.json" \
+                        accuknox/accuknox-container-scan:bulk
+                    '''
+                }
+            }
+        }
+    }
+}
+```

imgscan/imagescan.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+SA_JSON="$(pwd)/service_account.json"
+[[ "$SA_EMAIL" == "" ]] && echo "SA_EMAIL / ServiceAccount Email not provided" && exit 1
+[[ "$AKURL" == "" ]] && echo "AKURL / Accuknox endpoint is not set" && exit 1
+[[ "$TENANT" == "" ]] && echo "TENANT / Tenant id is not set" && exit 1
+[[ "$LABEL" == "" ]] && echo "LABEL / Labels are not set" && exit 1
+[[ "$TOKEN" == "" ]] && echo "TOKEN / Auth token is not set" && exit 1
+[[ "$IMGSPEC" == "" ]] && echo "IMGSPEC token is not set" && exit 1
+[[ ! -f "$SA_JSON" ]] && echo "$SA_JSON file not found" && exit 1
+
+export GOOGLE_APPLICATION_CREDENTIALS=$SA_JSON
+
+#REGISTRY=${REGISTRY:-us-east1-docker.pkg.dev/kube-airgapped/accuknox-onprem}
+
+gcloud auth activate-service-account $SA_EMAIL --key-file=$SA_JSON
+
+for img in `gcloud artifacts docker images list "$REGISTRY" --include-tags --format=json | jq -r '.[] | "\(.package):\(.tags[])"' 2>/dev/null`; do
+	[[ ! $img =~ $IMGSPEC ]] && echo -en "\nskipping image [$img] ...\n" && continue
+	echo -en "\nscanning $img ...\n"
+	rm -f report.json 2>/dev/null
+	trivy image $img --format json --timeout 3600s -o report.json > report.log  2>&1
+	[[ ! -f "report.json" ]] && echo "image scanning failed $img" && continue
+	curl -L -X POST "https://$AKURL/api/v1/artifact/?tenant_id=$TENANT&data_type=TR&label_id=$LABEL&save_to_s3=false" -H "Tenant-Id: $TENANT" -H "Authorization: Bearer $TOKEN" --form 'file=@"./report.json"'
+done