github.com/equinor/radix-vulnerability-scanner (module, package)
0.0.0-20240801111128-bfaf2c4e1c13
Repository: https://github.com/equinor/radix-vulnerability-scanner.git
Documentation: pkg.go.dev

# README


radix-vulnerability-scanner

Introduction

radix-vulnerability-scanner scans Docker images defined in RadixDeployment CRDs for vulnerabilities, and stores the results in a database. Scanning is triggered whenever new RadixDeployment resources are created or updated, and on a schedule defined by a cron spec. Only images in active RadixDeployments are scanned. Once an image is scanned, it will not be rescanned before the age of the last scan exceeds a certain threshold (defaults to 24 hours).
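The selection rule above (active deployments only, excluded applications skipped, each distinct image scanned at most once per rescan window) as an added, self-contained example. This is not the project's own code: the Deployment and ScanPolicy types, the image references and the timestamps are constructed here for illustration, and only the policy described in the paragraph is implemented.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Deployment is a simplified stand-in for a RadixDeployment: the application
// it belongs to, whether it is the active deployment in its environment, and
// the container images its components run. Constructed for this example.
type Deployment struct {
	AppName string
	Active  bool
	Images  []string
}

// ScanPolicy holds the settings that control which images get scheduled.
type ScanPolicy struct {
	RescanAge   time.Duration   // minimum age of the last scan before a rescan (default 24h)
	ExcludeApps map[string]bool // Radix application names excluded from scanning
}

// ImagesToScan returns, sorted, the distinct images that should be scanned now.
// lastScan maps an image reference to the time of its last scan; images that
// were never scanned are absent from the map and are always selected.
func ImagesToScan(deps []Deployment, lastScan map[string]time.Time, p ScanPolicy, now time.Time) []string {
	seen := map[string]bool{}
	var out []string
	for _, d := range deps {
		if !d.Active || p.ExcludeApps[d.AppName] {
			continue // only active deployments of non-excluded apps are considered
		}
		for _, img := range d.Images {
			if seen[img] {
				continue // the same image referenced by several deployments is scanned once
			}
			seen[img] = true
			if t, ok := lastScan[img]; ok && now.Sub(t) < p.RescanAge {
				continue // last scan is younger than the rescan age: skip
			}
			out = append(out, img)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample input: one inactive deployment, one excluded app, one
	// image shared by two deployments, one image scanned exactly 24h ago.
	now := time.Date(2024, 8, 1, 12, 0, 0, 0, time.UTC)
	deps := []Deployment{
		{AppName: "app-a", Active: true, Images: []string{"registry.example/app-a/web:1.0", "registry.example/app-a/api:1.0"}},
		{AppName: "app-a", Active: false, Images: []string{"registry.example/app-a/web:0.9"}},
		{AppName: "app-b", Active: true, Images: []string{"registry.example/app-b/worker:2.3", "registry.example/app-a/api:1.0"}},
		{AppName: "legacy", Active: true, Images: []string{"registry.example/legacy/svc:7"}},
	}
	last := map[string]time.Time{
		"registry.example/app-a/web:1.0":    now.Add(-2 * time.Hour),  // too recent, skipped
		"registry.example/app-b/worker:2.3": now.Add(-24 * time.Hour), // age equals threshold, rescanned
	}
	policy := ScanPolicy{RescanAge: 24 * time.Hour, ExcludeApps: map[string]bool{"legacy": true}}
	for _, img := range ImagesToScan(deps, last, policy, now) {
		fmt.Println(img)
	}
}
```

The comparison is strict (`age < RescanAge` skips), so an image whose last scan is exactly as old as the threshold is rescanned, matching the wording "not scanned if the age of the last scan is less than this value".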

Installation

radix-vulnerability-scanner installation is handled by Flux using Radix Flux. Flux prerequisites are bootstrapped with the Terraform Vulnerability Scanner module (in each environment).

Azure Resources

radix-vulnerability-scanner stores scan results in a SQL Server database. The database and schema are deployed using GitHub Actions.

Database Permissions

The user configured for connecting to the SQL Server must be a member of the radixwriter database role and authenticate with a managed identity using the Azure ActiveDirectoryDefault authentication profile.

  • Run the Vulnerability Scanner Terraform module in each environment to set up Managed Identities.
  • Take a note of any changed CLIENT-IDs:
    • radix-id-vulnerability-scan-admin-<ENV> must be added in ./.github/workflows/build-push.yml in this project
    • radix-id-vulnerability-scan-github-<ENV> must be added in ./.github/workflows/deploy-database.yml in this project
    • radix-id-vulnerability-scan-reader-<ENV> must be added in Radixconfig.yaml file for each environment in https://github.com/equinor/radix-vulnerability-scanner-api
    • radix-id-vulnerability-scan-writer-<ENV> must be added in VULNERABILITY_SCANNER_SQL_CLIENT_ID in https://github.com/equinor/radix-flux/blob/master/clusters/development/postBuild.yaml
    • Check https://github.com/equinor/radix-vulnerability-scanner/issues/54 for special considerations to deploy roles and external users.

Configuration

Environment variables

| Name | Type | Required | Description |
|---|---|---|---|
| SNYK_TOKEN | string | Yes | A SNYK service account access token used to access the SNYK API when scanning images for vulnerabilities |

Command line arguments

| Name | Type | Required | Description | Default |
|---|---|---|---|---|
| full-sync-cron-spec | string | No | Cron spec defining how often all images should be scheduled for scan | "0 0 * * *" |
| app-name-exclude-list | string \| list | No | Comma separated list of Radix application names to exclude from scanning | "" |
| workers | number | No | Number of concurrent workers to scan images | 1 |
| db-server | string | Yes | Name/URL of the SQL Server where scan results are stored | "" |
| db-database | string | Yes | Name of the SQL Server database where scan results are stored | "" |
| vulnerability-scan-timeout | string | No | Context timeout for each image scan | "5m" |
| vulnerability-rescan-age | string | No | Defines the minimum age of an image scan before a new scan is performed. An image is not scanned if the age of the last scan is less than this value | "24h" |
| docker-config-file | string | No | Path to a Docker config file with auths for accessing private image repositories | "" |
| kube-config-file | string | No | Path to the Kubernetes config file used for accessing the K8s API server. InClusterConfig is used if this file is omitted | "" |

Every command line argument can be specified as an environment variable by prefixing it with RVS_, capitalizing it, and replacing hyphens (-) with underscores (_), e.g. full-sync-cron-spec becomes RVS_FULL_SYNC_CRON_SPEC.
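An added example (not the project's own configuration code) showing the argument-to-environment-variable mapping together with a loader that accepts the arguments documented above, falls back to their RVS_ variables, parses the duration and list values, and rejects a configuration missing the required db-server and db-database. The precedence (explicit argument over environment variable over default), the Config field names and the injected lookupEnv function are this example's assumptions, not documented behaviour.

```go
package main

import (
	"flag"
	"fmt"
	"os"
	"strings"
	"time"
)

// EnvNameFor maps a command-line argument name to the environment variable
// that may be used instead: prefix RVS_, upper-case, hyphens to underscores.
func EnvNameFor(flagName string) string {
	return "RVS_" + strings.ToUpper(strings.ReplaceAll(flagName, "-", "_"))
}

// Config mirrors the documented arguments. Field names are this example's own.
type Config struct {
	FullSyncCronSpec string
	ExcludeApps      []string
	Workers          int
	DBServer         string
	DBDatabase       string
	ScanTimeout      time.Duration
	RescanAge        time.Duration
	DockerConfigFile string
	KubeConfigFile   string
}

// LoadConfig parses args, then fills every flag not given on the command line
// from its RVS_ environment variable. lookupEnv is injected (os.LookupEnv in
// main) so the function can be exercised without touching the real environment.
// Precedence flag > env > default is an assumption made for this example.
func LoadConfig(args []string, lookupEnv func(string) (string, bool)) (Config, error) {
	var c Config
	var exclude string
	fs := flag.NewFlagSet("rvs", flag.ContinueOnError)
	fs.StringVar(&c.FullSyncCronSpec, "full-sync-cron-spec", "0 0 * * *", "cron spec for scheduling all images")
	fs.StringVar(&exclude, "app-name-exclude-list", "", "comma separated Radix app names to exclude")
	fs.IntVar(&c.Workers, "workers", 1, "number of concurrent scan workers")
	fs.StringVar(&c.DBServer, "db-server", "", "name/URL of the SQL Server")
	fs.StringVar(&c.DBDatabase, "db-database", "", "SQL Server database name")
	fs.DurationVar(&c.ScanTimeout, "vulnerability-scan-timeout", 5*time.Minute, "context timeout per image scan")
	fs.DurationVar(&c.RescanAge, "vulnerability-rescan-age", 24*time.Hour, "minimum age of a scan before rescanning")
	fs.StringVar(&c.DockerConfigFile, "docker-config-file", "", "Docker config file with registry auths")
	fs.StringVar(&c.KubeConfigFile, "kube-config-file", "", "kubeconfig path; in-cluster config if empty")
	if err := fs.Parse(args); err != nil {
		return c, err
	}

	// Record which flags were set explicitly, then let the environment fill the rest.
	set := map[string]bool{}
	fs.Visit(func(f *flag.Flag) { set[f.Name] = true })
	var envErr error
	fs.VisitAll(func(f *flag.Flag) {
		if set[f.Name] || envErr != nil {
			return
		}
		if v, ok := lookupEnv(EnvNameFor(f.Name)); ok {
			// fs.Set reuses the flag's own parser, so "12h" or "3" are validated like arguments.
			if err := fs.Set(f.Name, v); err != nil {
				envErr = fmt.Errorf("%s: %w", EnvNameFor(f.Name), err)
			}
		}
	})
	if envErr != nil {
		return c, envErr
	}

	for _, name := range strings.Split(exclude, ",") {
		if name = strings.TrimSpace(name); name != "" {
			c.ExcludeApps = append(c.ExcludeApps, name)
		}
	}
	if c.DBServer == "" || c.DBDatabase == "" {
		return c, fmt.Errorf("db-server and db-database are required")
	}
	if c.Workers < 1 {
		return c, fmt.Errorf("workers must be at least 1, got %d", c.Workers)
	}
	return c, nil
}

func main() {
	cfg, err := LoadConfig(os.Args[1:], os.LookupEnv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("%+v\n", cfg)
}
```

Run it as `RVS_DB_DATABASE=scans go run . --db-server=sql.example` to see the environment value and the argument combined; a malformed `RVS_VULNERABILITY_RESCAN_AGE` is reported with the variable name rather than silently falling back to the default.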

Developing

You need Go (>=1.22) installed. Make sure GOPATH and GOROOT are properly set up. Clone the repo into your GOPATH and run go mod download.

Contribution

Want to contribute? Read our contributing guidelines

Generating mocks

We use gomock to generate the mocks used in unit tests. You need to regenerate mocks if you make changes to any of the interface types used by the application.

make mocks

Debugging locally

Create a copy of .env.template and name it .env. Set variables to allow local debugging. This file is ignored by git.

Security

This is how we handle security issues
