@w3sec/w3security-cr-monitor v0.5.0 • Published 11 months ago

License: ISC
Repository: github

w3security-cr-monitor


Basic Flow

  • Query the Artifactory API to gather the Docker repos to test
  • Iterate through the results, running w3security monitor against each *repo*, either for the *latest* image tag or for every tag when the --all-tags option is given
  • Run a configurable number of jobs simultaneously

Note that w3security monitor runs a docker pull behind the scenes.

Use the W3SECURITY_CR_MONITOR_MAX_JOBS and W3SECURITY_CR_MONITOR_JOB_SPACING variables, as described below, to control the throughput against your Docker repos: pulling too many images at once may be taxing on the system.

Usage

Usage: ./w3security-cr-monitor [OPTIONS]
              If no arguments are specified, values will be picked up from
              environment variables

Options:
  --version               Show version number                          [boolean]
  --w3security-token            W3Security API Key, if not specified $W3SECURITY_TOKEN
  --w3security-org              W3Security Organization ID to post test results, if not
                          specified $W3SECURITY_ORG
  --artifactory-api-host  Artifactory API HOST, if not specified
                          $ARTIFACTORY_API_HOST
  --artifactory-cli-host  Artifactory host used for docker login/pull, if not
                          specified $ARTIFACTORY_CLI_HOST
  --artifactory-user      Artifactory API User, if not specified
                          $ARTIFACTORY_USER
  --artifactory-key       Artifactory API Key, if not specified $ARTIFACTORY_KEY
  --all-tags              Process all image tags, if omitted then "latest" tags
                          are processed                                [boolean]
  --docker-repo           Optionally process only the docker repo with a given
                          name
  --max-jobs              Number of simultaneous jobs to run
  --job-spacing           milliseconds in between job launches
  --help                  Show help                                    [boolean]

set environment

required (if not set at command line)

# Your W3Security Api Key (General Settings -> API Token, or Settings -> Service Accounts)
export W3SECURITY_TOKEN=<w3security_api_key>

# the W3Security Org ID to post results to (Settings -> General -> Organization ID)
export W3SECURITY_ORG=<w3security_org_id> 

# The hostname (and optional port) of the on-premise artifactory instance, where the API will be accessible
# example: onpremartifactory.example.com, or onpremartifactory.example.com:8443
export ARTIFACTORY_API_HOST=<api_hostname> 

# The hostname (and optional port) of the host used with docker login
# This is separate from the API host because they may be different, 
# for example onpremartifactory.example.com:5000
export ARTIFACTORY_CLI_HOST=<cli_endpoint_hostname>

# The username the API key was created for
# This is needed for the docker login/pull command.
export ARTIFACTORY_USER=<artifactory_user_for_key>

# Artifactory API Key
export ARTIFACTORY_KEY=<artifactory_api_key>

optional:

# Number of container scanning jobs that may be simultaneously running
# if unspecified, default is 5
export W3SECURITY_CR_MONITOR_MAX_JOBS=<num-jobs>

# Number of milliseconds between job launches to space requests out
# If unspecified, default is 1500 (1.5 seconds)
export W3SECURITY_CR_MONITOR_JOB_SPACING=<milliseconds-between-job-launches>
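The following is an added example, not code from the w3security-cr-monitor package, showing how the Basic Flow and the two throttle variables above fit together: it reads W3SECURITY_CR_MONITOR_MAX_JOBS and W3SECURITY_CR_MONITOR_JOB_SPACING with the documented defaults, turns a repo/tag listing into scan targets the way --docker-repo and --all-tags are described, and runs the scans with a concurrency cap and a minimum gap between launches. The Artifactory query and the real `w3security monitor` call are replaced by a constructed listing and a fake scan function; `selectTargets`, `runThrottled` and the listing shape are assumptions of this example.

```javascript
// Added example (not the package's own code): the throttled scan loop the README
// describes. The Artifactory lookup is replaced by a constructed {repo: [tags]} listing.

const DEFAULT_MAX_JOBS = 5;          // documented default for W3SECURITY_CR_MONITOR_MAX_JOBS
const DEFAULT_JOB_SPACING_MS = 1500; // documented default for W3SECURITY_CR_MONITOR_JOB_SPACING

function parsePositiveInt(value, fallback) {
  const n = Number.parseInt(value, 10);
  return Number.isInteger(n) && n > 0 ? n : fallback;
}

// Read the throttle knobs from the environment; fall back to the documented defaults
// when a variable is unset or is not a positive integer.
function readThrottleConfig(env = process.env) {
  return {
    maxJobs: parsePositiveInt(env.W3SECURITY_CR_MONITOR_MAX_JOBS, DEFAULT_MAX_JOBS),
    jobSpacingMs: parsePositiveInt(env.W3SECURITY_CR_MONITOR_JOB_SPACING, DEFAULT_JOB_SPACING_MS),
  };
}

// Turn a {repo: [tags]} listing into "repo:tag" scan targets (hypothetical helper).
// Without allTags only the "latest" tag of each repo is scanned, mirroring --all-tags;
// dockerRepo restricts the run to one repo, mirroring --docker-repo.
function selectTargets(tagsByRepo, { dockerRepo = null, allTags = false } = {}) {
  const targets = [];
  for (const [repo, tags] of Object.entries(tagsByRepo)) {
    if (dockerRepo && repo !== dockerRepo) continue;
    const chosen = allTags ? tags : tags.filter((t) => t === 'latest');
    for (const tag of chosen) targets.push(`${repo}:${tag}`);
  }
  return targets;
}

const realSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Run async jobs with at most maxJobs in flight and at least jobSpacingMs between
// consecutive launches. A failing job is recorded and does not abort the other scans.
async function runThrottled(jobs, { maxJobs, jobSpacingMs }, sleep = realSleep) {
  const results = new Array(jobs.length);
  let next = 0;        // index of the next job to claim
  let inFlight = 0;
  let peakInFlight = 0;
  let launched = 0;
  let launchChain = Promise.resolve(); // serialises launches so the spacing is honoured

  function waitForLaunchSlot() {
    // The first launch goes immediately; every later one waits for the previous
    // launch plus one spacing interval.
    const ticket = launchChain.then(() => (launched++ === 0 ? undefined : sleep(jobSpacingMs)));
    launchChain = ticket;
    return ticket;
  }

  async function worker() {
    while (next < jobs.length) {
      const i = next++;
      await waitForLaunchSlot();
      inFlight++;
      peakInFlight = Math.max(peakInFlight, inFlight);
      try {
        results[i] = { status: 'ok', value: await jobs[i]() };
      } catch (err) {
        results[i] = { status: 'error', error: String(err) };
      } finally {
        inFlight--;
      }
    }
  }

  const workerCount = Math.min(maxJobs, jobs.length);
  await Promise.all(Array.from({ length: workerCount }, worker));
  return { results, peakInFlight };
}

// Stand-alone demo: a constructed listing and a fake scan standing in for
// `w3security monitor` (which would docker pull and scan each target).
async function demo() {
  const listing = { 'app-api': ['latest', 'v1.2'], 'app-worker': ['latest'], 'base-image': ['v7'] };
  const targets = selectTargets(listing, { allTags: true });
  const jobs = targets.map((t) => async () => { await realSleep(20); return `scanned ${t}`; });
  const report = await runThrottled(jobs, { maxJobs: 2, jobSpacingMs: 10 });
  console.log(report);
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().catch((err) => { console.error(err); process.exitCode = 1; });
}
```

The launch chain is what makes the spacing variable meaningful: without it, several workers that become free at the same moment would each issue a docker pull at once, which is exactly the burst the two variables exist to prevent. Per-job error capture keeps one unreachable or oversized image from ending the whole run.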

If connecting to an on-prem Artifactory instance over HTTPS with a self-signed certificate, you will need to set either

export NODE_TLS_REJECT_UNAUTHORIZED=0

which disables TLS certificate verification for the whole Node process, or, preferably,

export NODE_EXTRA_CA_CERTS=[your CA certificate file path]

which keeps verification enabled and adds your CA to the trusted set.

Running as a container

docker build -t w3security-cr-monitor .
docker run -v /var/run/docker.sock:/var/run/docker.sock \
           -e W3SECURITY_TOKEN=$W3SECURITY_TOKEN \
           -e W3SECURITY_ORG=$W3SECURITY_ORG \
           -e ARTIFACTORY_USER=$ARTIFACTORY_USER \
           -e ARTIFACTORY_KEY=$ARTIFACTORY_KEY \
           -e ARTIFACTORY_API_HOST=$ARTIFACTORY_API_HOST \
           -e ARTIFACTORY_CLI_HOST=$ARTIFACTORY_CLI_HOST \
           -e W3SECURITY_CR_MONITOR_MAX_JOBS=$W3SECURITY_CR_MONITOR_MAX_JOBS \
           -e W3SECURITY_CR_MONITOR_JOB_SPACING=$W3SECURITY_CR_MONITOR_JOB_SPACING \
           w3security-cr-monitor
  • If extra environment variables are needed for self-signed certs (NODE_TLS_REJECT_UNAUTHORIZED or NODE_EXTRA_CA_CERTS), add them to the command above or the script below.

Use bash wrapper script

modify arguments as needed for your environment

$ chmod +x w3security-cr-monitor
$ ./w3security-cr-monitor

Running natively

requires node, docker and the w3security CLI

$ npm install -g 
$ w3security-cr-monitor

References

Artifactory API Documentation

TODO

  • add support for AQL file option for customer image tag searches