github.com/fritterhoff/vulnerability-bot
module, package
Version: 0.2.2
Repository: https://github.com/fritterhoff/vulnerability-bot.git
Documentation: pkg.go.dev

# README

## Vulnerability Bot for GitLab

Small bot to automate vulnerability patches in GitLab

Keeping Docker images up to date can be quite cumbersome, so this little bot was developed. It runs inside GitLab CI and opens a merge request whenever a rebuild would pick up outstanding (automatic) patches.

The bot expects a new image that was built without any cached layers, and compares it with the existing image. If the old image contains vulnerabilities that are no longer present in the new image, the merge request is created and the given Dockerfile is patched automatically: a comment is added after each FROM line so that the build cache is missed and the image is rebuilt from the updated base.
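The comparison and the Dockerfile patch described above, as an added example in Go that is not the project's own code. The `Finding` type, the sample scan results, the sample Dockerfile and the marker comment format are assumptions made for this example (the real bot takes its findings from a Trivy scan, and its exact comment text is not shown on this page). The example also covers two cases the paragraph does not spell out: multi-stage builds get one comment per `FROM`, and a marker left by an earlier run is replaced rather than stacked, so repeated scheduled runs do not grow the Dockerfile.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Finding is the minimal shape of one scan result. The real bot derives its
// findings from a Trivy scan; this struct and the samples in main() are
// constructed for the example.
type Finding struct {
	ID      string // vulnerability identifier as reported by the scanner
	Package string // affected package
	Version string // installed version in the scanned image
}

// key identifies a finding by ID and package, so the same ID reported
// against two different packages is counted separately.
func (f Finding) key() string { return f.ID + "|" + f.Package }

// Fixed returns the findings present in the old image but absent from the
// freshly built one: the set that justifies opening a merge request.
func Fixed(oldImage, newImage []Finding) []Finding {
	still := make(map[string]bool, len(newImage))
	for _, f := range newImage {
		still[f.key()] = true
	}
	var fixed []Finding
	for _, f := range oldImage {
		if !still[f.key()] {
			fixed = append(fixed, f)
		}
	}
	return fixed
}

// Marker is the assumed prefix of the cache-busting comment.
const Marker = "# vulnerability-bot cache bust"

// fromLine matches a FROM instruction at the start of a line; Dockerfile
// instructions are case-insensitive.
var fromLine = regexp.MustCompile(`(?i)^\s*FROM\s`)

// PatchDockerfile inserts a dated marker comment after every FROM instruction
// (one per stage of a multi-stage build). A marker left by an earlier run is
// dropped first, so patching is idempotent for a given timestamp.
func PatchDockerfile(content string, now time.Time) string {
	stamp := Marker + " " + now.UTC().Format(time.RFC3339)
	var out []string
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := sc.Text()
		if strings.HasPrefix(strings.TrimSpace(line), Marker) {
			continue // stale marker; re-emitted below after its FROM line
		}
		out = append(out, line)
		if fromLine.MatchString(line) {
			out = append(out, stamp)
		}
	}
	return strings.Join(out, "\n") + "\n"
}

// SampleDockerfile is a constructed multi-stage Dockerfile.
const SampleDockerfile = `FROM golang:1.22 AS build
WORKDIR /src
RUN go build -o /app ./...

FROM gcr.io/distroless/static
COPY --from=build /app /app
ENTRYPOINT ["/app"]
`

func main() {
	// Constructed stand-ins for the two scans: the published image and the
	// fresh no-cache build. The IDs are placeholders, not real CVEs.
	old := []Finding{
		{ID: "TEST-0001", Package: "libssl3", Version: "3.0.1"},
		{ID: "TEST-0002", Package: "zlib1g", Version: "1.2.11"},
	}
	fresh := []Finding{
		{ID: "TEST-0002", Package: "zlib1g", Version: "1.2.11"},
	}

	fixed := Fixed(old, fresh)
	if len(fixed) == 0 {
		fmt.Println("rebuild fixes nothing; no merge request needed")
		return
	}
	for _, f := range fixed {
		fmt.Printf("fixed by rebuild: %s (%s %s)\n", f.ID, f.Package, f.Version)
	}
	fmt.Print(PatchDockerfile(SampleDockerfile, time.Now()))
}
```

Keying on ID and package rather than on the whole record keeps a version bump of an unrelated package from being mistaken for a fix, and the marker replacement means the merge request diff stays a one-line change per stage no matter how often the schedule fires.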

### Usage

```text
Usage:
  vulnerability-bot handle [flags]

Flags:
      --assign string   user to assign the MR to
  -h, --help            help for handle
      --new string      new image (may be path or image spec)
      --old string      old image (may be path or image spec)
      --path string     path to patch
      --source string   source branch of the MR
      --target string   target branch of the MR
  -t, --title string    title of the MR

Global Flags:
      --host string      gitlab host
      --project string   project id or name
      --token string     gitlab token
  -v, --verbose          verbose output
```

### Example

The three jobs below form a scheduled pipeline: `build` publishes the image on pushes to the default branch (with layer caching), `build:on-schedule` rebuilds it from scratch on a schedule and keeps the result as a tarball artifact, and `test_fix` lets the bot compare the published `latest` image with that tarball and open the merge request. `TRIVY_USERNAME` and `TRIVY_PASSWORD` give the underlying Trivy scan access to the registry. The GitLab token passed as `--token` must be allowed to create merge requests in the project; supply it from a masked CI/CD variable rather than writing it into the pipeline file.

```yaml
build:
  stage: build
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"
  script:
    - mkdir -p /kaniko/.docker
    - echo "{\"auths\":{\"${CI_REGISTRY}\":{\"auth\":\"$(printf "%s:%s" "${CI_REGISTRY_USER}" "${CI_REGISTRY_PASSWORD}" | base64 | tr -d '\n')\"}}}" > /kaniko/.docker/config.json
    - /kaniko/executor --context "${CI_PROJECT_DIR}/" --dockerfile "${CI_PROJECT_DIR}/Dockerfile" --destination "${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_SLUG}" --destination "${CI_REGISTRY_IMAGE}:latest" --cache=true

build:on-schedule:
  stage: build
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
  script:
    - mkdir -p "${CI_PROJECT_DIR}/artifacts"
    # no --cache here: the scheduled build must not reuse cached layers
    - /kaniko/executor --force --context "${CI_PROJECT_DIR}" --dockerfile "${CI_PROJECT_DIR}/Dockerfile" --destination=image --tarPath artifacts/image.tar.gz --no-push
  artifacts:
    paths:
      - artifacts/

test_fix:
  stage: test
  image:
    name: ghcr.io/fritterhoff/vulnerability-bot:latest
    entrypoint: [""]
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
  script:
    - export TRIVY_USERNAME="${CI_REGISTRY_USER}"
    - export TRIVY_PASSWORD="${CI_REGISTRY_PASSWORD}"
    - >
      /vulnerability-bot --host "$CI_SERVER_URL"
      --project "$CI_PROJECT_ID"
      --token "**TOKEN**"
      handle
      -t "Vulnerability patch"
      --old "${CI_REGISTRY_IMAGE}:latest"
      --new artifacts/image.tar.gz
      --path Dockerfile
      --source fix --target main
```

