From 68feb144d82610e864d262cc93129b7684a65692 Mon Sep 17 00:00:00 2001 From: tzurielw Date: Wed, 20 Sep 2023 14:33:17 +0300 Subject: [PATCH 1/5] add non root option to pr-merged and to docs --- .github/workflows/pr-merged.yml | 13 +++++++++++++ README-dockerhub.md | 29 +++++++++++++++++++++++++++++ 2 files changed, 42 insertions(+) diff --git a/.github/workflows/pr-merged.yml b/.github/workflows/pr-merged.yml index b5c96224..062971a6 100644 --- a/.github/workflows/pr-merged.yml +++ b/.github/workflows/pr-merged.yml @@ -35,8 +35,21 @@ jobs: docker tag aquasec/aqua-scanner:${{ env.new_version }}-arm64 aquasec/aqua-scanner:latest-arm64 docker push aquasec/aqua-scanner:latest-arm64 + docker pull aquasec/aqua-scanner:${{ env.new_version }}-amd64-nonroot + docker tag aquasec/aqua-scanner:${{ env.new_version }}-amd64-nonroot aquasec/aqua-scanner:latest-amd64-nonroot + docker push aquasec/aqua-scanner:latest-amd64-nonroot + + docker pull aquasec/aqua-scanner:${{ env.new_version }}-arm64-nonroot + docker tag aquasec/aqua-scanner:${{ env.new_version }}-arm64-nonroot aquasec/aqua-scanner:latest-arm64-nonroot + docker push aquasec/aqua-scanner:latest-arm64-nonroot + + + docker manifest create aquasec/aqua-scanner:latest aquasec/aqua-scanner:latest-amd64 aquasec/aqua-scanner:latest-arm64 docker manifest push aquasec/aqua-scanner:latest + + docker manifest create aquasec/aqua-scanner:latest-nonroot aquasec/aqua-scanner:latest-amd64-nonroot aquasec/aqua-scanner:latest-arm64-nonroot + docker manifest push aquasec/aqua-scanner:latest-nonroot - name: DockerHub description update uses: peter-evans/dockerhub-description@v3 with: diff --git a/README-dockerhub.md b/README-dockerhub.md index 152e52a7..3136c9a0 100644 --- a/README-dockerhub.md +++ b/README-dockerhub.md 
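Review bot: The tags this step publishes (`latest-amd64-nonroot`, `latest-arm64-nonroot` and the `latest-nonroot` manifest list) do not match the tag the README added in the same patch tells users to pull, `aquasec/aqua-scanner:nonroot`; unless another workflow publishes that bare tag, the documented image will not resolve, and the same gap carries over to `latest-limited` versus `aquasec/aqua-scanner:limited` after the rename in patch 2. Either publish the documented tag here as well, e.g. `docker manifest create aquasec/aqua-scanner:nonroot aquasec/aqua-scanner:latest-amd64-nonroot aquasec/aqua-scanner:latest-arm64-nonroot` followed by a push, or document `latest-nonroot`. The manifest list is also assembled from the floating `latest-*-nonroot` tags that were pushed a moment earlier rather than from the `${{ env.new_version }}-*-nonroot` tags that were just pulled; building it from the version tags (or their digests) guarantees the list points at exactly the images this run verified. Separately, the README example in this series starts the image with `options: -u 0`, which runs the nonroot image as uid 0 — if that is an Azure agent requirement the docs should say so, because as written the tag's reduced-privilege purpose does not apply to the documented setup. The enclosing `run: |` script begins before this hunk.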
@@ -145,6 +145,35 @@ podman run --rm \ When working within CI environment, it's important to include the Source Code Management (SCM) tokens for pull requests. You can find additional guidance and details on this matter within our platform for your reference about each SCM. +# aqua-scanner nonroot Tag + +We provide a dedicated nonroot tag, for running the aqua-scanner on a nonroot user. + +## Running nonroot tag on Azure DevOps pipeline + +To use this tag effectively in Azure DevOps Pipelines, follow the steps below ([Azure documentation](This README provides guidance on how to use the Docker Hub nonroot User Tag in Azure DevOps Pipelines to run containers with reduced privileges.)). + +## Add user 0 option to the container options +```shell +trigger: + - main + +container: + image: aquasec/aqua-scanner:nonroot + options: -u 0 + env: + AQUA_KEY: $(AQUA_KEY) + AQUA_SECRET: $(AQUA_SECRET) + AZURE_TOKEN: $(AZURE_TOKEN) + TRIVY_RUN_AS_PLUGIN: aqua +steps: +- checkout: self + fetchDepth: 0 +- script: | + trivy fs --scanners config,vuln,secret . + displayName: Aqua scanner +``` + ## Compatibility The plugin is designed for Docker environments and is compatible with Linux containers. From f2257cfc376213b0a63c41972836c105183b476a Mon Sep 17 00:00:00 2001 From: tzurielw Date: Wed, 20 Sep 2023 17:04:14 +0300 Subject: [PATCH 2/5] change nonroot to limited --- .github/workflows/pr-merged.yml | 16 ++++++++-------- README-dockerhub.md | 10 +++++----- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/pr-merged.yml b/.github/workflows/pr-merged.yml index 062971a6..dba62db5 100644 --- a/.github/workflows/pr-merged.yml +++ b/.github/workflows/pr-merged.yml 
@@ -35,21 +35,21 @@ jobs: docker tag aquasec/aqua-scanner:${{ env.new_version }}-arm64 aquasec/aqua-scanner:latest-arm64 docker push aquasec/aqua-scanner:latest-arm64 - docker pull aquasec/aqua-scanner:${{ env.new_version }}-amd64-nonroot - docker tag aquasec/aqua-scanner:${{ env.new_version }}-amd64-nonroot aquasec/aqua-scanner:latest-amd64-nonroot - docker push aquasec/aqua-scanner:latest-amd64-nonroot + docker pull aquasec/aqua-scanner:${{ env.new_version }}-amd64-limited + docker tag aquasec/aqua-scanner:${{ env.new_version }}-amd64-limited aquasec/aqua-scanner:latest-amd64-limited + docker push aquasec/aqua-scanner:latest-amd64-limited - docker pull aquasec/aqua-scanner:${{ env.new_version }}-arm64-nonroot - docker tag aquasec/aqua-scanner:${{ env.new_version }}-arm64-nonroot aquasec/aqua-scanner:latest-arm64-nonroot - docker push aquasec/aqua-scanner:latest-arm64-nonroot + docker pull aquasec/aqua-scanner:${{ env.new_version }}-arm64-limited + docker tag aquasec/aqua-scanner:${{ env.new_version }}-arm64-limited aquasec/aqua-scanner:latest-arm64-limited + docker push aquasec/aqua-scanner:latest-arm64-limited docker manifest create aquasec/aqua-scanner:latest aquasec/aqua-scanner:latest-amd64 aquasec/aqua-scanner:latest-arm64 docker manifest push aquasec/aqua-scanner:latest - docker manifest create aquasec/aqua-scanner:latest-nonroot aquasec/aqua-scanner:latest-amd64-nonroot aquasec/aqua-scanner:latest-arm64-nonroot - docker manifest push aquasec/aqua-scanner:latest-nonroot + docker manifest create aquasec/aqua-scanner:latest-limited aquasec/aqua-scanner:latest-amd64-limited aquasec/aqua-scanner:latest-arm64-limited + docker manifest push aquasec/aqua-scanner:latest-limited - name: DockerHub description update uses: peter-evans/dockerhub-description@v3 with: diff --git a/README-dockerhub.md b/README-dockerhub.md index 3136c9a0..e6c0b86f 100644 --- a/README-dockerhub.md +++ b/README-dockerhub.md 
@@ -145,13 +145,13 @@ podman run --rm \ When working within CI environment, it's important to include the Source Code Management (SCM) tokens for pull requests. You can find additional guidance and details on this matter within our platform for your reference about each SCM. -# aqua-scanner nonroot Tag +# aqua-scanner limited Tag -We provide a dedicated nonroot tag, for running the aqua-scanner on a nonroot user. +We provide a dedicated limited tag, for running the aqua-scanner on a limited user. -## Running nonroot tag on Azure DevOps pipeline +## Running limited tag on Azure DevOps pipeline -To use this tag effectively in Azure DevOps Pipelines, follow the steps below ([Azure documentation](This README provides guidance on how to use the Docker Hub nonroot User Tag in Azure DevOps Pipelines to run containers with reduced privileges.)). +To use this tag effectively in Azure DevOps Pipelines, follow the steps below ([Azure documentation](This README provides guidance on how to use the Docker Hub limited User Tag in Azure DevOps Pipelines to run containers with reduced privileges.)). ## Add user 0 option to the container options ```shell @@ -159,7 +159,7 @@ trigger: - main container: - image: aquasec/aqua-scanner:nonroot + image: aquasec/aqua-scanner:limited options: -u 0 env: AQUA_KEY: $(AQUA_KEY) From 9c7ac0ce50783e0e87f1652410b191f729ebb3ec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=AATzuriel=20Weisberg=E2=80=AC=E2=80=8F?= Date: Wed, 20 Sep 2023 17:12:03 +0300 Subject: [PATCH 3/5] Update .github/workflows/pr-merged.yml --- .github/workflows/pr-merged.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/pr-merged.yml b/.github/workflows/pr-merged.yml index dba62db5..4d86efe5 100644 --- a/.github/workflows/pr-merged.yml +++ b/.github/workflows/pr-merged.yml 
@@ -42,9 +42,6 @@ jobs: docker pull aquasec/aqua-scanner:${{ env.new_version }}-arm64-limited docker tag aquasec/aqua-scanner:${{ env.new_version }}-arm64-limited aquasec/aqua-scanner:latest-arm64-limited docker push aquasec/aqua-scanner:latest-arm64-limited - - - docker manifest create aquasec/aqua-scanner:latest aquasec/aqua-scanner:latest-amd64 aquasec/aqua-scanner:latest-arm64 docker manifest push aquasec/aqua-scanner:latest From 5411c004aac554895e36243d797ed422cfe7c920 Mon Sep 17 00:00:00 2001 From: tzurielw Date: Wed, 20 Sep 2023 17:18:39 +0300 Subject: [PATCH 4/5] change to limited --- README-dockerhub.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/README-dockerhub.md b/README-dockerhub.md index e6c0b86f..cd9f7c2a 100644 --- a/README-dockerhub.md +++ b/README-dockerhub.md @@ -151,10 +151,9 @@ We provide a dedicated limited tag, for running the aqua-scanner on a limited us ## Running limited tag on Azure DevOps pipeline -To use this tag effectively in Azure DevOps Pipelines, follow the steps below ([Azure documentation](This README provides guidance on how to use the Docker Hub limited User Tag in Azure DevOps Pipelines to run containers with reduced privileges.)). +To use this tag effectively in Azure DevOps Pipelines, follow the steps below ([Azure documentation](This README provides guidance on how to use the Docker Hub limited User Tag in Azure DevOps Pipelines to run containers with reduced privileges.)), consider the following Azure DevOps pipeline example (with the -u 0 option): -## Add user 0 option to the container options -```shell +```yaml trigger: - main From bb8a3b1730ed9f917db70fdc4f8b0b5d818241cd Mon Sep 17 00:00:00 2001 From: tzurielw Date: Wed, 20 Sep 2023 17:28:23 +0300 Subject: [PATCH 5/5] fix link --- README-dockerhub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README-dockerhub.md b/README-dockerhub.md index cd9f7c2a..2f2dbecb 100644 --- a/README-dockerhub.md +++ b/README-dockerhub.md 
@@ -151,7 +151,7 @@ We provide a dedicated limited tag, for running the aqua-scanner on a limited us ## Running limited tag on Azure DevOps pipeline -To use this tag effectively in Azure DevOps Pipelines, follow the steps below ([Azure documentation](This README provides guidance on how to use the Docker Hub limited User Tag in Azure DevOps Pipelines to run containers with reduced privileges.)), consider the following Azure DevOps pipeline example (with the -u 0 option): +To use this tag effectively in Azure DevOps Pipelines, follow the steps below ([Azure documentation](https://learn.microsoft.com/en-us/azure/devops/pipelines/process/container-phases?view=azure-devops&tabs=yaml#linux-based-containers)), consider the following Azure DevOps pipeline example (with the -u 0 option): ```yaml trigger: