Merge pull request #165 from Digital-Engineering/development

Development

.github/workflows/build-deploy-dev.yml

@@ -39,6 +39,75 @@ jobs:
           az login --service-principal -u $ACR_SP_USER -p $ACR_SP_PASSWORD --tenant $ACR_SP_TENANT
           az account set --subscription $ACR_SUBSCRIPTION
           az acr build -r $ACR_REGISTRY -f $GITHUB_WORKSPACE/deeplynx/Dockerfile -t $ACR_PATH:$GITHUB_SHA-dev .
+
+  scan-deeplynx-dev:
+    runs-on: [ self-hosted ]
+    environment: Development
+    needs: build-deeplynx-dev
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          path: deeplynx
+          ref: development
+      - shell: bash
+        name: ACR Get Scan
+        env:
+          ACR_REGISTRY: ${{ secrets.CI_REGISTRY }}
+          ACR_PATH: ${{ secrets.CI_REGISTRY_PATH }}
+          SHORT_SHA: ${{ steps.vars.outputs.sha_short }}
+        run: |
+          imageDigest=$(az acr repository show -n $ACR_REGISTRY -t $ACR_PATH:$GITHUB_SHA-dev | jq --raw-output '.digest')
+          healthquery="securityresources
+          | where type == 'microsoft.security/assessments/subassessments'
+          | where id matches regex  '(.+?)/providers/Microsoft.ContainerRegistry/registries/(.+)/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648/'
+          | extend registryResourceId = tostring(split(id, '/providers/Microsoft.Security/assessments/')[0])
+          | extend registryResourceName = tostring(split(registryResourceId, '/providers/Microsoft.ContainerRegistry/registries/')[1])
+          | extend imageDigest = tostring(properties.additionalData.imageDigest)
+          | extend repository = tostring(properties.additionalData.repositoryName)
+          | extend scanFindingSeverity = tostring(properties.status.severity), scanStatus = tostring(properties.status.code)
+          | summarize scanFindingSeverityCount = count() by scanFindingSeverity, scanStatus, registryResourceId, registryResourceName, repository, imageDigest
+          | summarize  severitySummary = make_bag(pack(scanFindingSeverity, scanFindingSeverityCount)) by registryResourceId, registryResourceName, repository, imageDigest, scanStatus
+          | where imageDigest contains '$imageDigest'"
+          query="SecurityResources
+          | where type == 'microsoft.security/assessments'
+          | where properties.displayName contains 'Container registry images should have vulnerability findings resolved'
+          | summarize by assessmentKey=name //the ID of the assessment
+          | join kind=inner (securityresources | where type == 'microsoft.security/assessments/subassessments' | extend assessmentKey = extract('.*assessments/(.+?)/.*',1,  id)) on assessmentKey
+          | project parse_json(properties)
+          | extend description = properties.description,displayName = properties.displayName,resourceId = properties.resourceDetails.id,resourceSource = properties.resourceDetails.source,category = properties.category,severity = properties.status.severity,code = properties.status.code,timeGenerated = properties.timeGenerated,remediation = properties.remediation,impact = properties.impact,vulnId = properties.id,additionalData = properties.additionalData
+          | where resourceId contains '$imageDigest'"
+          az config set extension.use_dynamic_install=yes_without_prompt
+          count=1
+          querycount=1
+          until false; do
+              scanhealth=$(az graph query -q "$healthquery" | jq --raw-output '.data[] | .scanStatus')
+              if [[ $scanhealth = 'Healthy' ]]; then
+                  echo 'Scan returned health'
+                  break
+              elif [[ $scanhealth = 'Unhealthy' ]]; then
+                  echo "Building report with findings"
+                  rm -f scanreport.tsv
+                  echo -e 'severity\tid\tpatchable\tpublished\tregistryhost\treponame\tos\tdisplayname\tdescription\timpact\tcvetitle\tcvelink\tvendorrefrencetitle\tvendorerefrencelink\tscanner\ttype\timagedigest' >>scanreport.tsv
+                  az graph query -q "$query" | jq --raw-output '.data[] | [.severity, .properties.id, .properties.additionalData.patchable, .properties.additionalData.publishedTime, .properties.additionalData.registryHost, .properties.additionalData.repositoryName, .additionalData.imageDetails.osDetails, .displayName, '.description', .impact, .properties.additionalData.cve[].title, .properties.additionalData.cve[].link,.properties.additionalData.vendorReferences[].title, .properties.additionalData.vendorReferences[].link, .properties.additionalData.scanner,.properties.additionalData.type , .additionalData.imageDigest] | @tsv' >>scanreport.tsv
+                  break
+              elif [[ $count -eq 10 ]]; then
+                  echo "Image scan not found exiting"
+                  break
+              else
+                  echo "Scan not complete... waiting $count"
+                  sleep 30
+                  count="$((count + 1))"
+              fi
+          done
+          echo -e "run:\nreg add "HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Spreadsheet\Microsoft Excel\Capabilities\FileAssociations" /v ".tsv" /t REG_SZ /d "Excel.SLK" /f\nto associate .tsv with excel. You should only need to do this once." >> SCAN_READ_ME.txt
+      - uses: actions/upload-artifact@v3
+        with:
+          name: Azure_Container_Scan_Result
+          path: |
+            scanreport.tsv
+            SCAN_READ_ME.txt
+
   deploy-deeplynx-dev:
       runs-on: [ self-hosted ]
       environment: development
@@ -103,8 +172,8 @@ jobs:
         run: |
           cd $GITHUB_WORKSPACE/kubernetes/deeplynx/manifests
           envsubst < development.yml > development_final.yml
-      - uses: azure/setup-kubectl@v3
-      - uses: azure/k8s-set-context@v3
+      - uses: Azure/setup-kubectl@v3.1
+      - uses: Azure/k8s-set-context@v3.0
         with:
           method: kubeconfig
           kubeconfig: ${{ secrets.KUBE_CONFIG }}