From 0c71852e30d949bccc6feba07ed2e5f29ded3eda Mon Sep 17 00:00:00 2001
From: matta
Date: Wed, 16 Oct 2024 17:46:36 -0300
Subject: [PATCH 1/3] Several modifications to dockerfile's ARGs, fixed a bug in the makefile, and updated some docs
---
 .env | 3 ++-
 Dockerfile | 50 ++++++++++++++++++++++++++------------------------
 Makefile | 9 ++++++---
 README.md | 11 ++++++++---
 motd | 4 ++--
 5 files changed, 44 insertions(+), 33 deletions(-)
diff --git a/.env b/.env
index 07d4f7e..de51b5a 100644
--- a/.env
+++ b/.env
@@ -17,4 +17,5 @@ T_CLOUDSPLAINING=0.7.0
 T_HADOLINT=2.12.0
 T_DEPCHECK=10.0.4
 T_NODEJSSCAN=3.7
-T_RETIRE=5.2.4
\ No newline at end of file
+T_RETIRE=5.2.4
+T_DOCKLE=0.4.14
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 737889e..1a74368 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,6 +6,28 @@ ARG GROUPNAME=trg
 ARG USER_UID=1000
 ARG USER_GID=1000
+# Additional ARGs for tool versions
+ARG T_SNYK
+ARG T_RETIRE
+ARG T_GITXRAY
+ARG T_SEMGREP
+ARG T_DETECT_SECRETS
+ARG T_NODEJSSCAN
+ARG T_CLOUDSPLAINING
+ARG T_CHECKOV
+ARG T_SCOUTSUITE
+ARG T_GITLEAKS
+ARG T_LEGITIFY
+ARG T_KICS
+ARG T_TRIVY
+ARG T_TRUFFLEHOG
+ARG T_HADOLINT
+ARG T_GRYPE
+ARG T_DEPCHECK
+ARG T_2MS
+ARG T_CLAIR
+ARG T_DOCKLE
+
 # Install required packages
 RUN apt-get update && apt-get install -y \
 curl \
@@ -95,8 +117,6 @@ ENV PNPM_HOME="/home/${USERNAME}/.local/share/pnpm"
 ENV PATH="${PNPM_HOME}:${PNPM_HOME}/global/node_modules/.bin:${PATH}"
 # Pnpm-related tools
-ARG T_SNYK=1.1293.1
-ARG T_RETIRE=5.2.4
 RUN pnpm install -g eslint-plugin-security \
 eslint-plugin-no-unsanitized \
 eslint-plugin-no-secrets \
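Review bot: The twenty `ARG T_*` declarations added at the top of the Dockerfile carry no default, so any build that is not driven by `make build` (a plain `docker build .`, or a `docker/build-push-action` step) leaves every version empty and the later steps degrade into `pipx install gitxray==`, `git clone ... -b v` and URLs such as `.../download/v/gitleaks__linux_x64.tar.gz`, which fail far from the cause and with an unhelpful 404. Either keep the values that this patch strips from the per-tool sections as defaults (e.g. `ARG T_SNYK=1.1293.1`, `ARG T_RETIRE=5.2.4`) so that `.env` only overrides them, or state the contract above the block: `# Tool versions are mandatory build args: the Makefile reads them from .env and passes --build-arg T_*=...; a bare docker build must do the same.` A fail-fast `RUN` right after this block that tests each variable for non-emptiness would turn the late download error into an immediate, readable one.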
@@ -108,14 +128,6 @@ RUN pnpm install -g eslint-plugin-security \
 retire@${T_RETIRE}
 # Pipx-related tools
-ARG T_GITXRAY=1.0.15
-ARG T_SEMGREP=1.91.0
-ARG T_DETECT_SECRETS=1.5.0
-ARG T_NODEJSSCAN=3.7
-ARG T_CLOUDSPLAINING=0.7.0
-ARG T_CHECKOV=3.2.262
-ARG T_SCOUTSUITE=5.14.0
-
 RUN pipx install gitxray==$T_GITXRAY \
 && pipx install semgrep==$T_SEMGREP \
 && pipx install detect-secrets==$T_DETECT_SECRETS \
@@ -133,7 +145,6 @@ RUN git clone https://github.com/awslabs/git-secrets.git git-secrets \
 && rm -rf secrets
 # Install gitleaks
-ARG T_GITLEAKS=8.21.0
 RUN arch=$(dpkg --print-architecture) \
 && if [ "$arch" = "amd64" ]; then arch="x64"; fi \
 && wget https://github.com/gitleaks/gitleaks/releases/download/v${T_GITLEAKS}/gitleaks_${T_GITLEAKS}_linux_$arch.tar.gz \
@@ -143,7 +154,6 @@ RUN arch=$(dpkg --print-architecture) \
 && rm gitleaks.tar.gz
 # Install legitify
-ARG T_LEGITIFY=1.0.11
 RUN wget https://github.com/Legit-Labs/legitify/releases/download/v${T_LEGITIFY}/legitify_${T_LEGITIFY}_linux_$(dpkg --print-architecture).tar.gz \
 -O legitify.tar.gz \
 && sudo tar -xzf legitify.tar.gz -C /usr/local/bin legitify \
@@ -151,7 +161,6 @@ RUN wget https://github.com/Legit-Labs/legitify/releases/download/v${T_LEGITIFY}
 && rm legitify.tar.gz
 # Install kics
-ARG T_KICS=2.1.3
 RUN git clone https://github.com/Checkmarx/kics.git -b v${T_KICS} \
 && cd kics \
 && go mod vendor \
@@ -160,7 +169,6 @@ RUN git clone https://github.com/Checkmarx/kics.git -b v${T_KICS} \
 && echo 'export KICS_QUERIES_PATH=/src/kics/assets/queries' >> ~/.zshrc
 # Install Trivy
-ARG T_TRIVY=0.56.2
 RUN arch=$(dpkg --print-architecture) \
 && if [ "$arch" = "amd64" ]; then arch="64bit"; fi \
 && if [ "$arch" = "arm64" ]; then arch="ARM64"; fi \
@@ -169,7 +177,6 @@ RUN arch=$(dpkg --print-architecture) \
 && rm trivy_${T_TRIVY}_Linux-$arch.deb
 # Install Trufflehog
-ARG T_TRUFFLEHOG=3.82.8
 RUN wget https://github.com/trufflesecurity/trufflehog/releases/download/v${T_TRUFFLEHOG}/trufflehog_${T_TRUFFLEHOG}_linux_$(dpkg --print-architecture).tar.gz \
 -O trufflehog.tar.gz \
 && sudo tar -xzf trufflehog.tar.gz -C /usr/local/bin trufflehog \
@@ -177,7 +184,6 @@ RUN wget https://github.com/trufflesecurity/trufflehog/releases/download/v${T_TR
 && rm trufflehog.tar.gz
 # Install hadolint
-ARG T_HADOLINT=2.12.0
 RUN arch=$(dpkg --print-architecture) \
 && if [ "$arch" = "amd64" ]; then arch="x86_64"; fi \
 && if [ "$arch" = "arm64" ]; then arch="arm64"; fi \
@@ -186,14 +192,12 @@ RUN arch=$(dpkg --print-architecture) \
 && sudo mv hadolint-Linux-$arch /usr/local/bin/hadolint
 # Install grype
-ARG T_GRYPE=0.82.1
 RUN wget https://github.com/anchore/grype/releases/download/v${T_GRYPE}/grype_${T_GRYPE}_linux_$(dpkg --print-architecture).deb \
 && sudo dpkg -i grype_${T_GRYPE}_linux_$(dpkg --print-architecture).deb \
 && rm grype_${T_GRYPE}_linux_$(dpkg --print-architecture).deb
 # Install dependency-check
-ARG T_DEPCHECK=10.0.4
 RUN wget -q https://github.com/jeremylong/DependencyCheck/releases/download/v${T_DEPCHECK}/dependency-check-${T_DEPCHECK}-release.zip \
 -O dependency-check.zip \
 && unzip dependency-check.zip && rm -f dependency-check.zip \
@@ -201,21 +205,19 @@ RUN wget -q https://github.com/jeremylong/DependencyCheck/releases/download/v${T
 && sudo ln -s /src/dependency-check/bin/dependency-check.sh /usr/local/bin/dependency-check
 # Install dockle
-RUN VERSION=$(curl --silent "https://api.github.com/repos/goodwithtech/dockle/releases/latest" | \
- grep '"tag_name":' | \
- sed -E 's/.*"v([^"]+)".*/\1/') \
- && curl -L -o dockle.deb https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.deb \
+# VERSION=$(curl --silent "https://api.github.com/repos/goodwithtech/dockle/releases/latest" | \
+# grep '"tag_name":' | \
+# sed -E 's/.*"v([^"]+)".*/\1/')
+RUN curl -L -o dockle.deb https://github.com/goodwithtech/dockle/releases/download/v${T_DOCKLE}/dockle_${T_DOCKLE}_Linux-64bit.deb \
 && sudo dpkg -i dockle.deb && rm dockle.deb
 # Install 2ms
-ARG T_2MS=3.10.0
 RUN wget https://github.com/checkmarx/2ms/releases/download/v${T_2MS}/linux-amd64.zip \
 && unzip linux-amd64.zip && rm -f linux-amd64.zip \
 && sudo mv 2ms /usr/local/bin/2ms \
 && sudo chmod +x /usr/local/bin/2ms
 # Install clair
-ARG T_CLAIR=4.8.0
 RUN wget https://github.com/quay/clair/releases/download/v${T_CLAIR}/clairctl-linux-$(dpkg --print-architecture) \
 -O clairctl \
 && chmod +x clairctl \
diff --git a/Makefile b/Makefile
index 7e079f5..0c77cbd 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-IMAGE_NAME := devsecops-toolset
+IMAGE_NAME := devsecops-toolkit
 .DEFAULT_GOAL := help
 # Get the latest release tag from git
@@ -27,7 +27,10 @@ help:
 # Build the Docker image using current branch
 build:
- docker build $(BUILD_ARGS) -t $(IMAGE_NAME):latest .
+ @if ! docker images $(IMAGE_NAME) | awk '{ print $$1 }' | grep -q "^$(IMAGE_NAME)$$"; then \
+ echo "Docker image $(IMAGE_NAME) not found. Building now..."; \
+ docker build $(BUILD_ARGS) -t $(IMAGE_NAME) .; \
+ fi
 # Build the Docker image using the latest release
 release:
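Review bot: The new dockle `RUN` hard-codes the `Linux-64bit` asset, while the gitleaks, Trivy and hadolint steps in this same file derive the asset name from `dpkg --print-architecture`, so an arm64 build fetches an amd64 package and `sudo dpkg -i dockle.deb` rejects it on the architecture mismatch. The three commented-out `# VERSION=$(curl ...)` lines are dead code now that `T_DOCKLE` pins the version and should be dropped rather than kept as a comment. Pinning is also what makes verification possible: with a fixed version the `.deb` can be compared against a recorded digest (`sha256sum -c`) before it is handed to `dpkg -i`, which none of the release downloads in this file do yet. The rewrite below mirrors the Trivy arch mapping; the exact arm64 asset suffix for dockle is an assumption to confirm against its release page.
```dockerfile
# Install dockle (version pinned via T_DOCKLE from .env)
RUN arch=$(dpkg --print-architecture) \
    && if [ "$arch" = "amd64" ]; then arch="64bit"; fi \
    && if [ "$arch" = "arm64" ]; then arch="ARM64"; fi \
    # arm64 suffix assumed to follow the Trivy naming above; confirm on the dockle release page
    && curl -L -o dockle.deb https://github.com/goodwithtech/dockle/releases/download/v${T_DOCKLE}/dockle_${T_DOCKLE}_Linux-$arch.deb \
    && sudo dpkg -i dockle.deb && rm dockle.deb
```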
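Review bot: The new `build` recipe skips the build whenever an image named `$(IMAGE_NAME)` already exists, so after the first run `make build` (and `exec`, which depends on it) never picks up a changed `Dockerfile` or a bumped pin in `.env`; the scanners inside the image silently stay at whatever versions were first built, with no refresh path short of `docker rmi`. Patch 3 of this series touches the same recipe again and inherits the problem. Make already solves this when the build is keyed on its inputs: record a stamp file whose prerequisites are `Dockerfile` and `.env` and let the phony `build` depend on it, as below (the stamp belongs in `.gitignore` and in any `clean` target). If an existence probe is still wanted, `docker image inspect $(IMAGE_NAME) >/dev/null 2>&1` is the direct form of the `docker images | awk | grep` pipeline, and the `@` on the whole block hides the `docker build` command line exactly when it fails.
```make
# Build the Docker image using current branch.
# The stamp records the last successful build and is redone only when
# the Dockerfile or the version pins in .env change.
build: .build.stamp

.build.stamp: Dockerfile .env
	@echo "Building Docker image $(IMAGE_NAME)..."
	docker build $(BUILD_ARGS) -t $(IMAGE_NAME) .
	@touch $@
```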
@@ -41,6 +44,6 @@ latest:
 exec: build
 @echo "Running interactive shell inside the $(IMAGE_NAME) container..."
- @docker run --rm -it -v $(PWD):/workdir $(IMAGE_NAME):latest /bin/bash
+ @docker run --rm -it -v $(PWD):/workdir $(IMAGE_NAME):latest /bin/zsh
 .PHONY: help build release latest exec
\ No newline at end of file
diff --git a/README.md b/README.md
index 613fbae..4ff9cb4 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,9 @@ Unified repository with OSS security tools, just `make exec` and dive into the c
 There are some tools that have not been integrated to the main container itself, given their nature, but have been or will be added to the repository with an explanation on how to run them separately.
-## Firing up the container
+## First step
+
+### Firing up the container
 ```bash
 % make
@@ -26,9 +28,12 @@ Examples:
 make exec
 ```
-## Go to [how to use the tools inside](./HOWTO.md) to understand how each one of them actually work
+## Second step
+
+Now you have your container up and running, but what am I supposed to do with it?
+Well, go to **[how to use the tools inside](./HOWTO.md)** to understand how each one of them actually work.
-## Tools included in this container
+### Tools included in this repository
 - [x] GitHub analysis (fake profiles, OSINT):
 - [x] gitxray: A multifaceted security tool that leverages Public GitHub REST APIs for OSINT,
diff --git a/motd b/motd
index 8f0ea3f..9e17981 100644
--- a/motd
+++ b/motd
@@ -8,8 +8,8 @@ \ V V / (_| | | | | (_| | __/ | | __/ | \_/\_/ \__,_|_| |_|\__,_|\___|_| \___|_|
- Welcome to the container sec oss tools by The Red Guild
+ Welcome to the devsecops toolset by The Red Guild
 This container was created as a resource for a workshop,
 which intends to spread awareness, help people protect themselves
- and the repos they interact with.
\ No newline at end of file
+ and the repos they interact with. Say hi! @theredguild, don't be a stranger.
\ No newline at end of file
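Review bot: `-v $(PWD):/workdir` in the `exec` recipe takes `PWD` from the environment and passes it unquoted, so a checkout path containing a space, or an invocation where `PWD` is not exported, yields a broken or wrong bind mount; `$(CURDIR)` is the value make itself maintains and needs no shell. One-line change: `@docker run --rm -it -v "$(CURDIR):/workdir" $(IMAGE_NAME):latest /bin/zsh`. The mount is read-write, which is reasonable for a workshop image but deserves a `# mounts the checkout read-write` comment on the recipe, since every tool run inside the container can then modify the repository.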
From 21ce417ddc42b870f15b1afa79a3bae9c75e573e Mon Sep 17 00:00:00 2001
From: matta
Date: Wed, 16 Oct 2024 17:48:52 -0300
Subject: [PATCH 2/3] Adding dockle to list
---
 HOWTO.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/HOWTO.md b/HOWTO.md
index 1e0669c..765e6ec 100644
--- a/HOWTO.md
+++ b/HOWTO.md
@@ -18,7 +18,7 @@ checkov, scoutsuite, dependency-check
 falco, snyk, cloudsplaining
 **Containers / Images**
-clair, snyk, grype, hadolint
+clair, snyk, grype, hadolint, dockle
 **NodeJS**
 nodejsscan, retirejs, installed-check, better-npm-audit, eslint-plugin-security, eslint-plugin-no-unsanitized, eslint-plugin-no-secrets, node-version-audit, yarn-audit-fix
From 3a8f162e133175c26e9ee29d41fca523abdcf749 Mon Sep 17 00:00:00 2001
From: Nicolas Rey
Date: Thu, 17 Oct 2024 10:30:45 -0300
Subject: [PATCH 3/3] ci: build with make
---
 .github/workflows/test-tools.yml | 14 ++++----------
 Makefile | 11 +++++++++--
 2 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/test-tools.yml b/.github/workflows/test-tools.yml
index de24713..d4b2aab 100644
--- a/.github/workflows/test-tools.yml
+++ b/.github/workflows/test-tools.yml
@@ -1,5 +1,4 @@
 name: Test Security Tools container build
-
 on:
 push:
 branches:
@@ -17,7 +16,6 @@ on:
 jobs:
 build-and-test:
 runs-on: ubuntu-latest
-
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -25,11 +23,7 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
- - name: Build container
- uses: docker/build-push-action@v6
- with:
- push: false
- context: .
- cache-from: type=gha
- cache-to: type=gha,mode=max
- tags: theredguild/container-sec-tools:latest
\ No newline at end of file
+ - name: Build container using Make
+ run: make build
+ env:
+ DOCKER_BUILDKIT: 1
\ No newline at end of file
diff --git a/Makefile b/Makefile
index 0c77cbd..dba1738 100644
--- a/Makefile
+++ b/Makefile
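Review bot: `run: make build` now makes CI parse the whole Makefile, and `LATEST_RELEASE := $(shell git describe --tags --abbrev=0)` (visible as context in the Makefile hunk of this patch) is evaluated at parse time; with the default shallow, tag-less checkout of `actions/checkout@v4` it will most likely print `fatal: No names found` into every job log, harmless for `build` but alarming to whoever reads it. Either give the checkout step `fetch-depth: 0` (or `fetch-tags: true`), or make the assignment lazy (`LATEST_RELEASE = $(shell git describe --tags --abbrev=0)`) so only `release` pays for and surfaces it. The step also loses the `push: false` intent that the removed `docker/build-push-action` made explicit; a `# build only, nothing is pushed` comment on the new step keeps that visible to reviewers of the workflow.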
@@ -7,6 +7,13 @@ LATEST_RELEASE := $(shell git describe --tags --abbrev=0)
 include .env
 BUILD_ARGS := $(foreach VAR,$(shell sed 's/=.*//' .env),--build-arg $(VAR)=$($(VAR)))
+# Use buildx only in GitHub Actions
+ifdef GITHUB_ACTIONS
+ DOCKER_BUILD_CMD := docker buildx build --load --cache-from type=gha --cache-to type=gha,mode=max
+else
+ DOCKER_BUILD_CMD := docker build
+endif
+
 help:
 @echo "Usage:"
 @echo " make "
@@ -29,7 +36,7 @@ help:
 build:
 @if ! docker images $(IMAGE_NAME) | awk '{ print $$1 }' | grep -q "^$(IMAGE_NAME)$$"; then \
 echo "Docker image $(IMAGE_NAME) not found. Building now..."; \
- docker build $(BUILD_ARGS) -t $(IMAGE_NAME) .; \
+ $(DOCKER_BUILD_CMD) $(BUILD_ARGS) -t $(IMAGE_NAME) .; \
 fi
 # Build the Docker image using the latest release
@@ -40,7 +47,7 @@ release:
 # TODO: Check this.
 latest:
- docker build $(foreach VAR,$(shell sed 's/=.*//' .env),--build-arg $(VAR)=latest) -t $(IMAGE_NAME):latest .
+ $(DOCKER_BUILD_CMD) $(foreach VAR,$(shell sed 's/=.*//' .env),--build-arg $(VAR)=latest) -t $(IMAGE_NAME):latest .
 exec: build
 @echo "Running interactive shell inside the $(IMAGE_NAME) container..."
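Review bot: The `GITHUB_ACTIONS` branch of `DOCKER_BUILD_CMD` asks buildx for `--cache-from type=gha --cache-to type=gha,mode=max`, but as far as I know that cache backend authenticates with runtime variables (`ACTIONS_RUNTIME_TOKEN`, `ACTIONS_CACHE_URL`) that `docker/build-push-action` exported on the step's behalf and a bare `run: make build` step does not expose; check the job log for exported layers, otherwise every CI run rebuilds the full image and the cache flags are inert. The `ifdef` itself is sound because make imports `GITHUB_ACTIONS=true` from the environment, which the comment should say so nobody "fixes" it: `# GITHUB_ACTIONS is exported by the runner and imported by make; ifdef selects buildx with the GHA layer cache there.` `:=` is the right flavour here since the command string never needs late binding.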
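Review bot: `latest` passes `--build-arg T_X=latest` for every key in `.env`, but the Dockerfile consumes those values as `v${T_X}` in release URLs and as `tool==$T_X` pip specs, so the target produces requests like `.../download/vlatest/...` and `pipx install gitxray==latest` and cannot build an image; the `# TODO: Check this.` above it already hints at that. Even if it resolved, "latest" discards exactly the pinning that `.env` was introduced for in patch 1, so two runs of `make latest` could yield scanners at different versions with no record of which. Either drop the target or turn it into a helper that resolves current release tags outside Docker and rewrites `.env`, leaving `build` as the single pinned path; at minimum replace the TODO with `# latest: not functional with the v${T_*} URL scheme in the Dockerfile; versions must come from .env`.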