Merge branch 'master' into update-plugin-links-v0.158.2
ilyabcodin authored Dec 24, 2023
2 parents e05393a + e618e99 commit b1c985e
Showing 2 changed files with 73 additions and 70 deletions.
16 changes: 8 additions & 8 deletions .github/workflows/pr-merged.yml
Expand Up @@ -35,18 +35,18 @@ jobs:
docker tag aquasec/aqua-scanner:${{ env.new_version }}-arm64 aquasec/aqua-scanner:latest-arm64
docker push aquasec/aqua-scanner:latest-arm64
#docker pull aquasec/aqua-scanner:${{ env.new_version }}-amd64-limited
#docker tag aquasec/aqua-scanner:${{ env.new_version }}-amd64-limited aquasec/aqua-scanner:latest-amd64-limited
#docker push aquasec/aqua-scanner:latest-amd64-limited
docker pull aquasec/aqua-scanner:${{ env.new_version }}-amd64-limited
docker tag aquasec/aqua-scanner:${{ env.new_version }}-amd64-limited aquasec/aqua-scanner:latest-amd64-limited
docker push aquasec/aqua-scanner:latest-amd64-limited
#docker pull aquasec/aqua-scanner:${{ env.new_version }}-arm64-limited
#docker tag aquasec/aqua-scanner:${{ env.new_version }}-arm64-limited aquasec/aqua-scanner:latest-arm64-limited
#docker push aquasec/aqua-scanner:latest-arm64-limited
docker pull aquasec/aqua-scanner:${{ env.new_version }}-arm64-limited
docker tag aquasec/aqua-scanner:${{ env.new_version }}-arm64-limited aquasec/aqua-scanner:latest-arm64-limited
docker push aquasec/aqua-scanner:latest-arm64-limited
docker manifest create aquasec/aqua-scanner:latest aquasec/aqua-scanner:latest-amd64 aquasec/aqua-scanner:latest-arm64
docker manifest push aquasec/aqua-scanner:latest
#docker manifest create aquasec/aqua-scanner:latest-limited aquasec/aqua-scanner:latest-amd64-limited aquasec/aqua-scanner:latest-arm64-limited
#docker manifest push aquasec/aqua-scanner:latest-limited
docker manifest create aquasec/aqua-scanner:latest-limited aquasec/aqua-scanner:latest-amd64-limited aquasec/aqua-scanner:latest-arm64-limited
docker manifest push aquasec/aqua-scanner:latest-limited
- name: DockerHub description update
uses: peter-evans/dockerhub-description@v3
with:
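Review bot: the newly enabled steps publish the limited images only under the mutable `latest-limited` tags (from `docker tag aquasec/aqua-scanner:${{ env.new_version }}-amd64-limited aquasec/aqua-scanner:latest-amd64-limited` through `docker manifest push aquasec/aqua-scanner:latest-limited`); since the per-architecture `${{ env.new_version }}-amd64-limited` and `-arm64-limited` images already exist, also creating and pushing a version-suffixed manifest list (for example `aquasec/aqua-scanner:${{ env.new_version }}-limited`) would let consumers pin the limited variant instead of tracking a moving tag. One operational caveat: `docker manifest create` refuses to overwrite a manifest list that already exists locally unless `--amend` is given, so this only works cleanly on ephemeral runners.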
127 changes: 65 additions & 62 deletions README-dockerhub.md
Expand Up @@ -6,7 +6,7 @@ The **Aqua Security Trivy Plugin** is a premium offering designed to enhance the

## Features

- **Enhanced Security Scans**: Aqua Security customers benefit from advanced features including Better Secret Scanning, SAST (Static application security testing), and Reachability Checks.
- **Enhanced Security Scans**: Aqua Security customers benefit from advanced features including Enhenced Secret Scanning engine, SAST (Static application security testing), Reachability Checks, and more.

- **Better Secret Scanning**: Detect sensitive information such as API keys and passwords within your codebase and configuration files to prevent potential leaks.

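Review bot: the rewritten feature bullet misspells "Enhanced" as "Enhenced" (`Enhenced Secret Scanning engine`), and it now describes the same capability under two names, since the following bullet is still titled `**Better Secret Scanning**`. Pick one name for the secret-scanning feature and use it in both places.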
Expand All @@ -21,29 +21,26 @@ The **Aqua Security Trivy Plugin** is a premium offering designed to enhance the
- **CI/CD Pipeline Integration**: Seamlessly incorporate into your CI/CD pipelines to ensure stringent security checks throughout your software development lifecycle.

## Get Started
To begin leveraging the Aqua Security Trivy Integration to protect your code repositories, reach out to our sales or support team to learn more about the benefits and access.

To begin leveraging the Aqua Security Trivy Integration to protect your code repositories, reach out to our sales or support team to learn more about the benefits and access.

## Environment Variables

### Required

The only explicitly required environment variables are

| Variable | Purpose |
|:------------|:--------------------------------------------------------------|
| AQUA_KEY | Generated through CSPM UI |
| AQUA_SECRET | Generated through CSPM UI |

| Variable | Purpose |
| :---------- | :------------------------ |
| AQUA_KEY | Generated through CSPM UI |
| AQUA_SECRET | Generated through CSPM UI |

### Optional

| Variable | Purpose |
|:------------|:--------------------------------------------------------------|
| CSPM_URL | Aqua CSPM URL (default: us-east-1 CSPM) |
| AQUA_URL | Aqua platform URL (default: us-east-1 Aqua platform) |


| Variable | Purpose |
| :------- | :--------------------------------------------------- |
| CSPM_URL | Aqua CSPM URL (default: us-east-1 CSPM) |
| AQUA_URL | Aqua platform URL (default: us-east-1 Aqua platform) |

Trivy will attempt to resolve the following details from the available environment variables;

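Review bot: `The only explicitly required environment variables are` and `from the available environment variables;` both introduce the content that follows, so the trailing semicolon should be a colon. The Required table says `Generated through CSPM UI` for `AQUA_KEY` and `AQUA_SECRET` but not how they should reach the scanner; one sentence stating that these are credentials to be injected from the CI secret store (as the GitHub Action example below does with `${{ secrets.AQUA_KEY }}`) would steer readers away from hard-coding them in pipeline files.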
Expand All @@ -53,40 +50,42 @@ Trivy will attempt to resolve the following details from the available environme
- committing user
- build system

There are some env vars for overriding this data;

| Variable | Purpose |
| :------------------- | :------------------------------------------------------------------------------------- |
| OVERRIDE_REPOSITORY | Use this environment variable to explicitly specify the repository used by Trivy |
| FALLBACK_REPOSITORY | Use this environment variable as a backup if no other repository env vars can be found |
| OVERRIDE_BRANCH | Use this environment variable to explicitly specify the branch used by Trivy |
| FALLBACK_BRANCH | Use this environment variable as a backup if no other branch env vars can be found |
| OVERRIDE_BUILDSYSTEM | Use this environment variable to explicitly specify the build system |
| OVERRIDE_SCMID | Use this environment variable to explicitly specify the scm id |
| IGNORE_PANIC | Use this environment variable to return exit code 0 on cli panic |
| OVERRIDE_REPOSITORY_URL | Use this environment variable to explicitly specify the repository link used by Trivy (For result's web link) |
| OVERRIDE_REPOSITORY_SOURCE | Use this environment variable to explicitly specify the repository source used by Trivy |
| HTTP_PROXY/HTTPS_PROXY | Use these environment variable for proxy configuration |
| CA-CRET | Use this environment variable to set path to CA certificate |
| XDG_DATA_HOME | use this environment variable to designate the base directory for storing user-specific data |
| XDG_CACHE_HOME | use this environment variable for setting the cache directory |


There are some environments variables for overriding default values and behaviors;

| Variable | Purpose |
| :------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| OVERRIDE_REPOSITORY | Use this environment variable to explicitly specify the repository name used by Trivy |
| FALLBACK_REPOSITORY | Use this environment variable as a backup if no other repository env vars can be found |
| OVERRIDE_BRANCH | Use this environment variable to explicitly specify the branch used by Trivy |
| FALLBACK_BRANCH | Use this environment variable as a backup if no other branch env vars can be found |
| OVERRIDE_BUILDSYSTEM | Use this environment variable to explicitly specify the build system |
| IGNORE_PANIC | Use this environment variable to return exit code 0 on cli panic error |
| OVERRIDE_REPOSITORY_URL | Use this environment variable to explicitly specify the repository link used by Trivy (For result's web link) |
| OVERRIDE_REPOSITORY_SOURCE | Use this environment variable to explicitly specify the repository source used by Trivy |
| HTTP_PROXY/HTTPS_PROXY | Use these environment variable for proxy configuration |
| XDG_DATA_HOME | use this environment variable to designate the base directory for storing user-specific data |
| XDG_CACHE_HOME | use this environment variable for setting the cache directory |
| SAST_LOGS | use this environment variable with true value for writing sast logs to a file (The file name is: ${REPOSITORY_NAME}-sast-logs.txt under the SAST_LOGS_DIR directory) |
| SAST_LOGS_DIR | use this environment variable to explicitly specify the location where the log file should be written (Default is /tmp/.trivy/plugins/aqua) |
| TRIVY_QUIET | Disable trivy output report in log |
| AQUA_ASSURANCE_EXPORT | The path to export policies results (JSON) |
| OVERRIDE_AUTHOR | Use this environment variable to override the author of the scan (commit pusher by default) |
| OVERRIDE_RUN_ID | Use this environment variable to override the run id (default to SCM run build number) |
| OVERRIDE_BUILD_ID | Use this environment variable to override the job/build id (default to SCM build id) |
## Command Line Arguments

| Argument | Purpose | Example Usage |
| ---------------- | ------------------------------------------ | --------------------------------------------- |
| `--debug` | Get more detailed output as Trivy runs. | `--debug` |
| `--severities` | The Severities that you are interested in. | `--severities CRITICAL,HIGH,UNKNOWN` |
| `--skip-pipelines` | Skip scan repository pipeline files. | `--skip-pipelines` |
| `--sast` | To enable SAST scanning. | `--sast` |
| `--reachability` | To enable reachability scanning. | `--reachability` |
| `--package-json` | Scan package.json files without lock files | `--package-json` / `PACKAGE_JSON=1 trivy ...` |
| `--dotnet-proj` | Scan dotnet proj files without lock files | `--dotnet-proj` / `DOTNET_PROJ=1 trivy ...` |




| Argument | Environment variable | Purpose | Example Usage |
| ------------------------- | --------------------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------- |
| `--debug` | DEBUG | Get more detailed output as Trivy runs. | `--debug` / DEBUG=true |
| `--severities` | TRIVY_SEVERITY | The Severities that you are interested in. | `--severities CRITICAL,HIGH,UNKNOWN` / TRIVY_SEVERITY= CRITICAL,HIGH,UNKNOWN |
| `--skip-pipelines` | SKIP_PIPELINES | Skip scan repository pipeline files. | `--skip-pipelines` / SKIP_PIPELINES=true |
| `--sast` | SAST | To enable SAST scanning. | `--sast` / SAST=true |
| `--reachability` | REACHABILITY | To enable reachability scanning. | `--reachability` / REACHABILITY=true |
| `--package-json` | PACKAGE_JSON | Scan package.json files without lock files | `--package-json` / `PACKAGE_JSON=true` |
| `--dotnet-proj` | DOTNET_PROJ | Scan dotnet proj files without lock files | `--dotnet-proj` / `DOTNET_PROJ=true` |
| `--skip-policies` | TRIVY_SKIP_POLICIES | Skip policies checks | `--skip-policies` / `TRIVY_SKIP_POLICIES=true` |
| `--skip-result-upload` | TRIVY_SKIP_RESULT_UPLOAD | Disable uploading scan results to aqua platform | `--skip-result-upload` / `TRIVY_SKIP_RESULT_UPLOAD=true` |
| `--skip-policy-exit-code` | TRIVY_SKIP_POLICY_EXIT_CODE | Prevent non-zero exit code if an assurance policy has failed | `--skip-policy-exit-code` / `TRIVY_SKIP_POLICY_EXIT_CODE=true` |

## GitHub Action Integration Example

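Review bot: the example `TRIVY_SEVERITY= CRITICAL,HIGH,UNKNOWN` has a space after `=`, which in a shell sets the variable to an empty string and then tries to run `CRITICAL,HIGH,UNKNOWN` as a command; it should read `TRIVY_SEVERITY=CRITICAL,HIGH,UNKNOWN`, and the other environment-variable examples in that column (`DEBUG=true`, `SKIP_PIPELINES=true`, `SAST=true`, `REACHABILITY=true`) should be in backticks like the rest. The new overrides table drops the `OVERRIDE_SCMID` and `CA-CRET` rows; if those variables still work, keep them documented (`CA-CRET` was the README's only explanation of how to trust a custom CA certificate), and if they were removed, say so. `IGNORE_PANIC` turning a CLI panic into exit code 0 makes a crashed scan look like a clean pass in CI, so its row should warn that it masks failures rather than just describe it. Wording: `environments variables` should be `environment variables`, `Use these environment variable` should be `variables`, and a blank line is needed before `## Command Line Arguments`, which currently follows the last table row directly.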
Expand All @@ -104,11 +103,11 @@ on:
jobs:
security_scan:
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@v2

- name: Run Aqua scanner
uses: docker://aquasec/aqua-scanner
with:
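Review bot: `uses: docker://aquasec/aqua-scanner` carries no tag, so every run pulls whatever `latest` currently points at, and `actions/checkout@v2` is both an old major and a mutable tag; pinning the scanner to a version-suffixed tag (the release workflow retags from `${{ env.new_version }}` images) or an image digest, and the checkout action to a current major or a commit SHA, makes the example reproducible and harder to tamper with via a tag move.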
Expand All @@ -117,19 +116,18 @@ jobs:
AQUA_KEY: ${{ secrets.AQUA_KEY }}
AQUA_SECRET: ${{ secrets.AQUA_SECRET }}
GITHUB_TOKEN: ${{ github.token }}
TRIVY_RUN_AS_PLUGIN: 'aqua'
# For proxy configuration add env vars: HTTP_PROXY/HTTPS_PROXY, CA-CRET (path to CA certificate)
TRIVY_RUN_AS_PLUGIN: "aqua"
# Use here any other environment variable
```

### Usage for running manually using docker command

```bash
docker run -it aquasec/aqua-scanner trivy fs --scanners config,vuln,secret .
AQUA_KEY=${AQUA_KEY} AQUA_SECRET=${AQUA_SECRET} TRIVY_RUN_AS_PLUGIN=aqua docker run -it -e AQUA_KEY -e AQUA_SECRET -e TRIVY_RUN_AS_PLUGIN -e INPUT_WORKING_DIRECTORY=/scanning -v "${YOUR_WORKSPACE}":"/scanning" aquasec/aqua-scanner trivy fs --scanners config,vuln,secret .
```

## Usage with Podman


```bash
podman run --rm \
-e AQUA_KEY=${AQUA_KEY} \
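Review bot: the new `docker run` command uses `-it`, which needs a TTY and fails in most CI runners; using `--rm` (as the Podman example does) and dropping `-t` for non-interactive runs would be safer. The workspace is mounted at `/scanning` and `INPUT_WORKING_DIRECTORY=/scanning` is set, but the scan target is still `.`; unless the image's working directory is `/scanning`, pass `-w /scanning` or scan `/scanning` explicitly so the command does not end up scanning the container's own filesystem. The removed comment was the last mention of `CA-CRET` for users behind a TLS-inspecting proxy; if the variable still exists, keep that hint somewhere. Passing secrets with bare `-e AQUA_KEY` (inherited from the environment rather than written on the command line) is the right call, and the `TRIVY_RUN_AS_PLUGIN: "aqua"` quoting change is fine.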
Expand All @@ -145,36 +143,41 @@ podman run --rm \

When working within CI environment, it's important to include the Source Code Management (SCM) tokens for pull requests. You can find additional guidance and details on this matter within our platform for your reference about each SCM.

# aqua-scanner limited Tag
# aqua-scanner limited Tag (Beta)

We now provide a dedicated limited permission tag, for running the aqua-scanner on a non-root user.

We provide a dedicated limited tag, for running the aqua-scanner on a non-root user.
Tag name: `latest-limited`
Support for: linux/amd64, linux/arm64

## Running limited tag on Azure DevOps pipeline

To use this tag effectively in Azure DevOps Pipelines, follow the steps below ([Azure documentation](https://learn.microsoft.com/en-us/azure/devops/pipelines/process/container-phases?view=azure-devops&tabs=yaml#linux-based-containers)), consider the following Azure DevOps pipeline example (with the -u 0 option):
To use the limited tag effectively on Azure DevOps Pipelines, follow the steps below ([Azure documentation](https://learn.microsoft.com/en-us/azure/devops/pipelines/process/container-phases?view=azure-devops&tabs=yaml#linux-based-containers)), consider the following Azure DevOps pipeline example (with the -u 0 option):

```yaml
trigger:
- main

container:
image: aquasec/aqua-scanner:limited
image: aquasec/aqua-scanner:latest-limited
options: -u 0
env:
AQUA_KEY: $(AQUA_KEY)
AQUA_SECRET: $(AQUA_SECRET)
AZURE_TOKEN: $(AZURE_TOKEN)
TRIVY_RUN_AS_PLUGIN: aqua
steps:
- checkout: self
fetchDepth: 0
- script: |
trivy fs --scanners config,vuln,secret .
displayName: Aqua scanner
- checkout: self
fetchDepth: 0
- script: |
trivy fs --scanners config,vuln,secret .
displayName: Aqua scanner
```
## Compatibility
The plugin is designed for Docker environments and is compatible with Linux containers.
The plugin is designed for Docker environments and is compatible with Linux containers.
## License
This GitHub repository is licensed under the [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0). It is exclusively available for Aqua Security customers and is not open source. Please contact Aqua Security for licensing details.
This GitHub repository is licensed under the [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0). It is exclusively available for Aqua Security customers and is not open source. Please contact Aqua Security for licensing details.

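Review bot: the Azure DevOps example keeps `options: -u 0`, which runs the `latest-limited` container as root and so gives up the non-root property that is the point of the limited tag; the sentence introducing the example should say why root is needed there (if it is the Azure agent's container initialization that requires it, say so) so readers do not copy `-u 0` into environments that do not need it. The image change from `aquasec/aqua-scanner:limited` to `aquasec/aqua-scanner:latest-limited` correctly matches the tags pushed by `pr-merged.yml`. Formatting: `Tag name:` and `Support for:` are adjacent lines with no blank line between them and will render as one paragraph; `## Compatibility` and `## License` follow the closing fence and the preceding paragraph without blank lines; and the `Compatibility` and `License` lines appear to differ only in trailing whitespace, which is noise in the diff.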