Aqua (#418) #419

Open: wants to merge 6 commits into base: main
8 changes: 0 additions & 8 deletions coming-soon/aqua/icon.svg

This file was deleted.

11 changes: 0 additions & 11 deletions coming-soon/aqua/workflowTemplate.yaml

This file was deleted.

9 changes: 9 additions & 0 deletions workflows/aqua/CHANGELOG.md
@@ -0,0 +1,9 @@
# Changelog

## v0.0.1 7/2/2022

Initial Aqua template.

Template includes:

* Aqua Security scan
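Review bot: the release date `7/2/2022` in the `## v0.0.1` heading is ambiguous between 7 February and 2 July; an ISO date (`2022-02-07` or `2022-07-02`, whichever is meant) reads the same for everyone.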
60 changes: 60 additions & 0 deletions workflows/aqua/assets/icon.svg
18 changes: 18 additions & 0 deletions workflows/aqua/versions/0.0.1/README.md
@@ -0,0 +1,18 @@
# Starting-Template

## Summary

Execute an Aqua container security scan.

## Templates


1. [Aqua Security Scan](https://github.com/codefresh-io/argo-hub/blob/main/workflows/aqua/versions/0.0.1/docs/aqua-security-scan.md)



## Security

Minimal required permissions

[Full rbac permissions list](https://github.com/codefresh-io/argo-hub/blob/main/workflows/aqua/versions/0.0.1/rbac.yaml)
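Review bot: the title `# Starting-Template` is the scaffold placeholder and should read `# Aqua` to match the `workflows/aqua` directory and the other files in this PR. The `## Security` section also states only "Minimal required permissions" before linking rbac.yaml; naming the grants there (pods get/watch/patch and pods/log get/watch, per the rbac.yaml in this PR) would let a reader judge the blast radius of installing the template without opening the file.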
63 changes: 63 additions & 0 deletions workflows/aqua/versions/0.0.1/docs/aqua-security-scan.md
@@ -0,0 +1,63 @@
# aqua-security-scan

## Summary
Execute an Aqua container security scan.

## Inputs/Outputs

### Inputs
* AQUA_HOST (required) - Aqua Host URI including protocol ex. https://aqua.mydomain.com
* AQUA_SECRET (required) - The Kubernetes secret with Aqua log in credentials
* AQUA_PASSWORD (optional) - The key in the Kubernetes secret with the Aqua password. Default is 'password'
* AQUA_USERNAME (optional) - The key in the Kubernetes secret with the Aqua username. Default is 'username'
* AQUA_TOKEN (optional) - The key in the Kubernetes secret with the Aqua scanner token. A unique token generated for each scanner while adding a scanner daemon from the Administration > Scanners page. Default is 'token'
* IMAGE (required) - Image Name
* REGISTRY (required) - Name of registry that holds the image
* TAG (optional) - Image Tag. Default is 'latest'

### Secrets
* Aqua Secret - in order for this template to work a secret named `aqua-secret` must exist with aqua token.
```
apiVersion: v1
kind: Secret
metadata:
name: aqua-secret
type: Opaque
data:
token: echo -n 'aqua scanner token' | base64
username: echo -n 'aqua username' | base64
password: echo -n 'aqua password' | base64
```

### Outputs
no outputs

## Examples

### task Example
```
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
generateName: aqua-security-scan-
spec:
entrypoint: main
templates:
- name: main
dag:
tasks:
- name: aqua-security-scan
templateRef:
name: argo-hub.aqua.0.0.1
template: aqua-security-scan
arguments:
parameters:
- name: AQUA_HOST
value: 'https://aqua.mydomain.com'
- name: AQUA_SECRET
value: 'aqua-secret'
- name: IMAGE
value: 'image'
- name: REGISTRY
value: 'dockerhub'
```
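Review bot: the Secret manifest under `### Secrets` puts shell commands where base64 values belong: `token: echo -n 'aqua scanner token' | base64` is not valid `data` for an Opaque Secret, so a copy-paste of this example is either rejected by the API server or stores the literal command string. Either show the computed base64 output, or switch to `stringData:` with plaintext values and let the API server encode them. Two smaller inconsistencies with the rest of the PR: the text says the secret must be named `aqua-secret`, but the template takes the name from the `AQUA_SECRET` parameter, so any name works; and `REGISTRY` is documented as required here while workflowTemplate.yaml in this PR gives it `default: ""`. Tagging the two fences as ```yaml would also give them syntax highlighting.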
43 changes: 43 additions & 0 deletions workflows/aqua/versions/0.0.1/rbac.yaml
@@ -0,0 +1,43 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: argo-hub.aqua.0.0.1
annotations:
argo-hub/version: '0.0.1'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: argo-hub.aqua.0.0.1
annotations:
argo-hub/version: '0.0.1'
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- watch
- patch
- apiGroups:
- ""
resources:
- pods/log
verbs:
- get
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: argo-hub.aqua.0.0.1
annotations:
argo-hub/version: '0.0.1'
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argo-hub.aqua.0.0.1
subjects:
- kind: ServiceAccount
name: argo-hub.aqua.0.0.1
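Review bot: the Role grants `patch` on pods in addition to get/watch, which is broader than a read-only scan step needs on its own; if that verb is there for the Argo workflow executor rather than for the scan, a one-line comment in the file saying so would let readers of the README's "Minimal required permissions" decide whether it can be tightened for their executor.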
82 changes: 82 additions & 0 deletions workflows/aqua/versions/0.0.1/workflowTemplate.yaml
@@ -0,0 +1,82 @@
apiVersion: argoproj.io/v1alpha1
kind: WorkflowTemplate
metadata:
name: argo-hub.aqua.0.0.1
annotations:
argo-hub/version: '0.0.1'
argo-hub/description: 'Aqua template'
argo-hub/categories: 'utilities'
argo-hub/license: 'MIT'
argo-hub/owner_name: 'Matthew Chung'
argo-hub/owner_email: 'matthew.chung@codefresh.io'
argo-hub/owner_avatar: 'https://github.com/matthewchungcodefresh.png'
argo-hub/owner_url: 'https://github.com/matthewchungcodefresh'
argo-hub/icon_url: "https://cdn.jsdelivr.net/gh/codefresh-io/argo-hub@main/workflows/aqua/assets/icon.svg"
argo-hub/icon_background: "#f4f4f4"

spec:
templates:
- name: aqua-security-scan
serviceAccountName: argo-hub.aqua.0.0.1
metadata:
annotations:
argo-hub-template/description: 'Execute an Aqua container security scan'
argo-hub-template/icon_url: "https://cdn.jsdelivr.net/gh/codefresh-io/argo-hub@main/workflows/aqua/assets/icon.svg"
argo-hub-template/icon_background: "#f4f4f4"
retryStrategy:
limit: "3"
retryPolicy: "Always"
backoff:
duration: "5s"
inputs:
parameters:
# required
- name: AQUA_HOST
- name: AQUA_SECRET
- name: IMAGE
# optional
- name: AQUA_PASSWORD
default: password
- name: AQUA_USERNAME
default: username
- name: AQUA_TOKEN
default: token
- name: REGISTRY
default: ""
- name: TAG
default: latest
script:
imagePullPolicy: Always
image: node:15.2
env:
- name: AQUA_PASSWORD
valueFrom:
secretKeyRef:
name: '{{ inputs.parameters.AQUA_SECRET }}'
key: '{{ inputs.parameters.AQUA_PASSWORD }}'
- name: AQUA_USERNAME
valueFrom:
secretKeyRef:
name: '{{ inputs.parameters.AQUA_SECRET }}'
key: '{{ inputs.parameters.AQUA_USERNAME }}'
- name: AQUA_TOKEN
valueFrom:
secretKeyRef:
name: '{{ inputs.parameters.AQUA_SECRET }}'
key: '{{ inputs.parameters.AQUA_TOKEN }}'
- name: AQUA_HOST
value: '{{ inputs.parameters.AQUA_HOST }}'
- name: IMAGE
value: '{{ inputs.parameters.IMAGE }}'
- name: TAG
value: '{{ inputs.parameters.TAG }}'
- name: REGISTRY
value: '{{ inputs.parameters.REGISTRY }}'
command: [sh]
source: |
docker login registry.aquasec.com -u $AQUA_USERNAME -p $AQUA_PASSWORD
docker pull registry.aquasec.com/scanner:6.5
docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock registry.aquasec.com/scanner:6.5 scan -H $AQUA_HOST --token $AQUA_TOKEN --registry $REGISTRY $IMAGE:$TAG
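Review bot: the line `docker login registry.aquasec.com -u $AQUA_USERNAME -p $AQUA_PASSWORD` puts the Aqua password on the command line, where it is visible in the pod's process list and in any shell tracing or workflow log capture; use `echo "$AQUA_PASSWORD" | docker login registry.aquasec.com -u "$AQUA_USERNAME" --password-stdin` instead. The script is also unlikely to run as written: `image: node:15.2` ships no docker CLI, the template declares no `volumes`/`volumeMounts` for `/var/run/docker.sock`, and `docker run -it` requires a TTY that an Argo script step does not have. Running the scanner image directly as the step's `image` and invoking `scan` from it removes the docker-in-docker dependency and avoids handing the scan step root-equivalent access to the node through the docker socket. Finally, `retryPolicy: "Always"` with `limit: "3"` re-runs the step when the scanner exits non-zero because it found vulnerabilities, which multiplies scan time and obscures the real failure; `OnError` (retry only on pod or infrastructure errors) is probably what is intended. `REGISTRY` defaults to `""` here while the docs mark it required; pick one.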