From acda32dbf0a06fab76b95f486ae5e7e9972fddb7 Mon Sep 17 00:00:00 2001
From: Rahul Jadhav
Date: Tue, 26 Nov 2024 20:57:07 +0530
Subject: [PATCH] removed SA_EMAIL
Signed-off-by: Rahul Jadhav
---
 imgscan/README.md | 8 ++------
 imgscan/imagescan.sh | 17 +++++++++++------
 2 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/imgscan/README.md b/imgscan/README.md
index 2ecfa8c..80d7b30 100644
--- a/imgscan/README.md
+++ b/imgscan/README.md
@@ -2,9 +2,8 @@ GAR Prerequisites:
 1. **REGISTRY**: Full registry path for GAR
-2. **SA_EMAIL**: [Service Account Email](../res/gcp-service-account.png)
-3. Service Account Json: File containing the creds
-4. **IMGSPEC**: Regular expression for images to scan/upload-results. E.g. `.*:latest` => scan all the images having `latest` tag. Sample image name:`us-east1-docker.pkg.dev/kube-airgapped/accuknox-onprem/nginx:foobar`
+1. **Service Account Json**: [File containing the creds](../res/gcp-service-account.png)
+1. **IMGSPEC**: Regular expression for images to scan/upload-results. E.g. `.*:latest` => scan all the images having `latest` tag. Sample image name:`us-east1-docker.pkg.dev/kube-airgapped/accuknox-onprem/nginx:foobar`
 AccuKnox Prerequisites:
 1. **LABEL**: [AccuKnox Label](https://help.accuknox.com/how-to/how-to-create-labels/)
@@ -16,7 +15,6 @@ Scan images with tags `foobar`.
 ```bash
 docker run -eIMGSPEC=".*:foobar$" \
 -eREGISTRY=us-east1-docker.pkg.dev/kube-airgapped/accuknox-onprem \
- -e"SA_EMAIL=" \
 -eLABEL=labeltmp \
 -eTENANT=4093 \
 -eTOKEN= \
@@ -33,7 +31,6 @@ pipeline {
 environment {
 SA_FILE = credentials('SA_FILE')
 TOKEN = credentials('TOKEN')
- SA_EMAIL = credentials('SA_EMAIL')
 }
 stages {
 stage('Accuknox') {
@@ -44,7 +41,6 @@ pipeline {
 sh '''
 docker run -e IMGSPEC=".*:foobar$" \
 -e REGISTRY=us-east1-docker.pkg.dev/kube-airgapped/accuknox-onprem \
- -e "SA_EMAIL=rj-test@kube-airgapped.iam.gserviceaccount.com" \
 -e LABEL=mylabel \
 -e TENANT=4093 \
 -e TOKEN=$TOKEN \
diff --git a/imgscan/imagescan.sh b/imgscan/imagescan.sh
index 4816c2a..ebe0d5f 100755
--- a/imgscan/imagescan.sh
+++ b/imgscan/imagescan.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 SA_JSON="$(pwd)/service_account.json"
-[[ "$SA_EMAIL" == "" ]] && echo "SA_EMAIL / ServiceAccount Email not provided" && exit 1
 [[ "$AKURL" == "" ]] && echo "AKURL / Accuknox endpoint is not set" && exit 1
 [[ "$TENANT" == "" ]] && echo "TENANT / Tenant id is not set" && exit 1
 [[ "$LABEL" == "" ]] && echo "LABEL / Labels are not set" && exit 1
@@ -11,15 +10,21 @@ SA_JSON="$(pwd)/service_account.json"
 export GOOGLE_APPLICATION_CREDENTIALS=$SA_JSON
-#REGISTRY=${REGISTRY:-us-east1-docker.pkg.dev/kube-airgapped/accuknox-onprem}
-
-gcloud auth activate-service-account $SA_EMAIL --key-file=$SA_JSON
+gcloud auth activate-service-account --key-file=$SA_JSON
+[[ $? -ne 0 ]] && echo "gcloud auth failed ret=$?" && exit 2
+imgcnt=0
+imgscanned=0
+imgskip=0
 for img in `gcloud artifacts docker images list "$REGISTRY" --include-tags --format=json | jq -r '.[] | "\(.package):\(.tags[])"' 2>/dev/null`; do
- [[ ! $img =~ $IMGSPEC ]] && echo -en "\nskipping image [$img] ...\n" && continue
+ ((imgcnt++))
+ [[ ! $img =~ $IMGSPEC ]] && echo -en "\nskipping image [$img] ...\n" && ((imgskip++)) && continue
 echo -en "\nscanning $img ...\n"
 rm -f report.json 2>/dev/null
 trivy image $img --format json --timeout 3600s -o report.json > report.log 2>&1
- [[ ! -f "report.json" ]] && echo "image scanning failed $img" && continue
+ [[ ! -f "report.json" ]] && echo "image scanning failed $img" && cat report.log && continue
 curl -L -X POST "https://$AKURL/api/v1/artifact/?tenant_id=$TENANT&data_type=TR&label_id=$LABEL&save_to_s3=false" -H "Tenant-Id: $TENANT" -H "Authorization: Bearer $TOKEN" --form 'file=@"./report.json"'
+ ((imgscanned++))
 done
+echo -en "\nStats:\nTotal:$imgcnt\nScanned:$imgscanned\nSkipped:$imgskip\n"
+exit 0
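Review bot: The skip branch on the new `[[ ! $img =~ $IMGSPEC ]]` line does not skip the first non-matching image: `((imgskip++))` post-increments from 0, so the arithmetic command returns a non-zero status, the `&& continue` is short-circuited, and that image is scanned and its report uploaded to the tenant even though it falls outside IMGSPEC (later skips work only because imgskip is then non-zero). Use a pre-increment or an arithmetic assignment so the status is always 0, e.g. `[[ ! $img =~ $IMGSPEC ]] && echo -en "\nskipping image [$img] ...\n" && ((++imgskip)) && continue`. The new auth check has a related problem: `$?` inside the echo is the status of the preceding `[[ ]]` test, so the message always reports `ret=0`; capturing the status directly is clearer, e.g. `gcloud auth activate-service-account --key-file="$SA_JSON" || { rc=$?; echo "gcloud auth failed ret=$rc"; exit 2; }`. The standalone `((imgcnt++))` and `((imgscanned++))` lines are harmless here only because the script does not use `set -e`; a comment noting that, or the same `((++var))` form, would keep them from breaking if strict mode is added later.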