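#!/bin/bash
# Scan every container image that ships with a Gitpod release and push the
# results to Lacework. There they show up under the "Vulnerabilities" tab when
# searching for the Gitpod version (each result is tagged with it).
#
# Usage:  VERSION=<gitpod build version> LW_ACCESS_TOKEN=<token> ./lw-scan-images.sh
# Env:    VERSION          - Gitpod build whose installer image is inspected
#         LW_ACCESS_TOKEN  - Lacework API token (passed to lw-scanner)
# Exit:   non-zero when an env var is missing, when no images are found, or when
#         at least one scan could not be completed. A scan that finishes and
#         merely reports CVEs does NOT fail this script.
set -euo pipefail

readonly OCI_TOOL_VERSION="0.2.0"

# Print a message on stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Abort with a readable message when env var $1 is unset or empty.
# ${!name:-} keeps 'set -u' from reporting "unbound variable" before the
# message is printed.
require_env() {
  local name=$1
  [[ -n "${!name:-}" ]] || die "$name env var is required"
}

# Download lw-scanner to $1 unless it is already there.
# NOTE: the release is unpinned ("latest") and the download is not checksum
# verified, so the binary that receives the access token can change between
# runs; pin a version and verify a checksum before relying on this in CI.
ensure_lw_scanner() {
  local scanner=$1
  if [[ ! -f "$scanner" ]]; then
    # -f: an HTTP error page must not be written to the file and chmod +x'ed.
    curl -fsSL https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-amd64 -o "$scanner"
    chmod +x "$scanner"
  fi
}

# Download oci-tool (pinned to version $2) into $1 unless it is already there.
ensure_oci_tool() {
  local tool=$1 version=$2
  if [[ ! -f "$tool" ]]; then
    curl -fsSL "https://github.com/csweichel/oci-tool/releases/download/v${version}/oci-tool_${version}_linux_amd64.tar.gz" \
      | tar xz -C "$(dirname "$tool")"
    chmod +x "$tool"
  fi
}

# Fetch the installer binary out of the release image for version $2 using
# oci-tool $1, then write the image references it would mirror to $3, one per
# line with empty lines dropped.
list_images() {
  local oci_tool=$1 version=$2 out=$3
  local workdir installer
  workdir=$(dirname "$out")
  installer="$workdir/installer"
  "$oci_tool" fetch file -o "$installer" --platform=linux-amd64 "eu.gcr.io/gitpod-core-dev/build/installer:${version}" app/installer
  echo ""
  chmod +x "$installer"
  # 'mirror list' requires a config; domain/repository are dummies because only
  # the .original field (the source reference) is used.
  echo "apiVersion: v1" > "$workdir/config.yaml"
  "$installer" mirror list --domain example.com --repository example.com -c "$workdir/config.yaml" \
    | yq4 '.[] | .original' \
    | sed '/^[[:space:]]*$/d' > "$out"
}

# Scan one image reference ($2) with lw-scanner ($1), tagging the result with
# version $3; $4/$5 are the progress counter and total for the log line.
# Returns the scanner's exit status (non-zero when the scan itself failed).
scan_image() {
  local scanner=$1 image_ref=$2 version=$3 counter=$4 total=$5
  local name tag
  # Split on the LAST ':' so a registry port (host:5000/img:tag) stays in the name.
  name=${image_ref%:*}
  tag=${image_ref##*:}
  # Removing `docker.io/` and `docker.io/library/` prefix because otherwise
  # lacework cannot pull the image in a GitHub workflow for some reason.
  name=${name#docker.io/}
  name=${name#library/}
  echo "= Scanning $name : $tag [$counter / $total]"
  # The token travels on argv and is therefore visible in process listings and
  # in 'set -x' traces; do not enable tracing around this call.
  "$scanner" image evaluate "$name" "$tag" \
    --account-name gitpod \
    --access-token "$LW_ACCESS_TOKEN" \
    --build-id "$version" \
    --ci-build=true \
    --disable-library-package-scanning=false \
    --save=true \
    --tags version="$version" > /dev/null
}

main() {
  require_env VERSION
  require_env LW_ACCESS_TOKEN

  TMP=$(mktemp -d) || die "mktemp failed"
  # The workdir only holds the fetched installer and generated lists; remove it
  # on every exit path.
  trap 'rm -rf -- "$TMP"' EXIT
  echo "workdir: $TMP"

  # Tools are cached under a fixed HOME so repeated runs on the same machine
  # do not re-download them.
  HOME="/home/gitpod"
  local bin="$HOME/bin"
  mkdir -p "$bin"
  local scanner="$bin/lw-scanner"
  local oci_tool="$bin/oci-tool"
  ensure_lw_scanner "$scanner"
  ensure_oci_tool "$oci_tool" "$OCI_TOOL_VERSION"

  echo "=== Gathering list of _all_ images for $VERSION"
  local images="$TMP/images.txt"
  list_images "$oci_tool" "$VERSION" "$images"

  local -a image_refs=()
  mapfile -t image_refs < "$images"
  local total=${#image_refs[@]}
  echo "=== Found $total images to scan"
  # An empty list would otherwise let the run "pass" having scanned nothing.
  (( total > 0 )) || die "no images found for $VERSION; refusing to report a clean scan"

  # Scan all images, and push the result to Lacework.
  # Note: Does not fail on CVEs! Only scans that could not complete are counted.
  local counter=0 failed=0 image_ref
  for image_ref in "${image_refs[@]}"; do
    counter=$((counter + 1))
    if ! scan_image "$scanner" "$image_ref" "$VERSION" "$counter" "$total"; then
      failed=$((failed + 1))
    fi
    echo ""
  done

  echo "number of failed image scans: $failed of $counter"
  (( failed == 0 )) || exit 1
}

main "$@"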