quayio-scanner 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: ac34418a5b842f0d6bbd244f10c3e6ac380dce60
+  data.tar.gz: ea6508ad09cdcf7a9ecf24b08f777a95adb3a3ba
+SHA512:
+  metadata.gz: 2333e2e65f928fc67ec24f3a1f4a3a03bb9178eecee85042c17be5fc3bac042f7a97be69fb9c1e7c33277fc4f2ce9e2a7d44489aa5bca0804321a67086fc4c2f
+  data.tar.gz: eecfcf7e3bd711d82607ad52cd937358b77ec3f45f3b4e5c51424e2f7de36e238f3fc7953690ccc29dc07b8fe71c889c464addf2d3fa6bbbb00cda4e8ae06047

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+/vendor/bundle

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in quayio-scanner.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Benjamin Meichsner
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,28 @@
+# Quayio::Scanner
+
+Scan quay.io for vulnerabilties in running docker containers. Implemented as sensu check.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'quayio-scanner'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install quayio-scanner
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/aboutsource/quayio-scanner.
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,2 @@
+require 'bundler/gem_tasks'
+task default: :spec

data/bin/check-container-vulnerabilities.rb

@@ -0,0 +1,49 @@
+#! /usr/bin/env ruby
+#
+#   check-container-vulnerabilities
+#
+# DESCRIPTION:
+#
+#   This plugin attempts to fetch vulnerabilties for all running containers
+#
+# OUTPUT:
+#   plain text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: sensu-plugin
+#   gem: docker-api
+#   gem: rest-client
+#
+# USAGE:
+#   ./check-container-vulnerabilities.rb -d <docker-url> -t <quay-io-oauth-token>
+#
+
+require 'sensu-plugin/check/cli'
+require 'quayio/scanner'
+
+class CheckContainerVulnerabilities < Sensu::Plugin::Check::CLI
+  option :docker_url,
+         description: 'Docker URL',
+         short: '-d URL',
+         long: '--docker-url URL',
+         default: 'unix:///var/run/docker.sock'
+
+  option :quayio_token,
+         description: 'Quay.io oauth token',
+         short: '-t TOKEN',
+         long: '--quayio-token TOKEN'
+
+  def run
+    status, message = Quayio::Scanner::Check.new(config[:docker_url],
+                                        config[:quayio_token]).run
+
+    if status == :ok
+      ok message
+    else
+      critical message
+    end
+  end
+end

data/lib/quayio/scanner/check.rb

@@ -0,0 +1,26 @@
+require 'quayio/scanner/image'
+require 'docker'
+
+module Quayio
+  module Scanner
+    class Check < Struct.new(:docker_url, :quayio_token)
+      def run
+        Docker.url = docker_url
+        containers = Docker::Container.all
+                                      .map { |dc| dc.json['Config']['Image'] }
+                                      .uniq
+
+        vulnerable_images = containers
+                            .map { |container| Image.new(container, quayio_token) }
+                            .select(&:vulnerable?)
+                            .map(&:name)
+
+        if vulnerable_images.empty?
+          [:ok, "#{containers.size} Containers are ok"]
+        else
+          [:critical, "The images are insecure: #{vulnerable_images.join(', ')}"]
+        end
+      end
+    end
+  end
+end

data/lib/quayio/scanner/image.rb

@@ -0,0 +1,68 @@
+require 'rest-client'
+
+module Quayio
+  module Scanner
+    class Image < Struct.new(:name, :quayio_token)
+      RELEVANT_SEVERITIES = %w(High Critical)
+
+      def vulnerable?
+        quayio? && image_exists? && scanned? && high_vulnerabilities_present?
+      end
+
+      private
+
+      def quayio?
+        name.match(%r{^quay.io\/})
+      end
+
+      def image_exists?
+        raw_image
+      end
+
+      def scanned?
+        raw_scan['status'] == 'scanned'
+      end
+
+      def high_vulnerabilities_present?
+        raw_scan['data']['Layer']['Features'].detect do |f|
+          f['Vulnerabilities'] &&
+            f['Vulnerabilities']
+              .detect { |v| RELEVANT_SEVERITIES.include?(v['Severity']) }
+        end
+      end
+
+      def repo
+        name.split(':').first.gsub(%r{quay.io\/}, '')
+      end
+
+      def tag
+        name.split(':').last
+      end
+
+      def raw_image
+        return @raw_image if defined? @raw_image
+
+        @raw_image = begin
+          JSON.parse(
+            RestClient.get("https://quay.io/api/v1/repository/#{repo}/tag/#{tag}/images",
+                           authorization: "Bearer #{quayio_token}", accept: :json)
+          )['images'].first
+        rescue RestClient::ExceptionWithResponse => err
+          return nil if err.http_code == 404 # ignore unknown repos
+          raise err
+        end
+      end
+
+      def raw_scan
+        return @raw_scan if defined? @raw_scan
+
+        @raw_scan = begin
+          JSON.parse(
+            RestClient.get("https://quay.io/api/v1/repository/#{repo}/image/#{raw_image['id']}/security?vulnerabilities=true",
+                           authorization: "Bearer #{quayio_token}", accept: :json)
+          )
+        end
+      end
+    end
+  end
+end

data/lib/quayio/scanner/version.rb

@@ -0,0 +1,5 @@
+module Quayio
+  module Scanner
+    VERSION = '0.1.0'.freeze
+  end
+end

data/lib/quayio/scanner.rb

@@ -0,0 +1,7 @@
+require 'quayio/scanner/version'
+require 'quayio/scanner/check'
+
+module Quayio
+  module Scanner
+  end
+end

data/quayio-scanner.gemspec

@@ -0,0 +1,29 @@
+# coding: utf-8
+
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'quayio/scanner/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'quayio-scanner'
+  spec.version       = Quayio::Scanner::VERSION
+  spec.authors       = ['Benjamin Meichsner']
+  spec.email         = ['benjamin.meichsner@aboutsource.net']
+
+  spec.summary       = 'Scan quay.io for vulnerabilties in running docker containers.'
+  spec.homepage      = 'https://github.com/aboutsource/quayio-scanner'
+  spec.license       = 'MIT'
+
+  spec.files = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.executables   = Dir.glob('bin/**/*.rb').map { |file| File.basename(file) }
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'sensu-plugin', '~> 2.1'
+  spec.add_dependency 'docker-api', '~> 1.33'
+  spec.add_dependency 'rest-client', '~> 2.0'
+  spec.add_development_dependency 'bundler', '~> 1.14'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rubocop', '~> 0.49'
+end

metadata

@@ -0,0 +1,140 @@
+--- !ruby/object:Gem::Specification
+name: quayio-scanner
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Benjamin Meichsner
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-08-01 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: sensu-plugin
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+- !ruby/object:Gem::Dependency
+  name: docker-api
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.33'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.33'
+- !ruby/object:Gem::Dependency
+  name: rest-client
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.14'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.14'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.49'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.49'
+description: 
+email:
+- benjamin.meichsner@aboutsource.net
+executables:
+- check-container-vulnerabilities.rb
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/check-container-vulnerabilities.rb
+- lib/quayio/scanner.rb
+- lib/quayio/scanner/check.rb
+- lib/quayio/scanner/image.rb
+- lib/quayio/scanner/version.rb
+- quayio-scanner.gemspec
+homepage: https://github.com/aboutsource/quayio-scanner
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.11
+signing_key: 
+specification_version: 4
+summary: Scan quay.io for vulnerabilties in running docker containers.
+test_files: []