npm - @govuk-pay/cli - Versions diffs - 0.0.7 → 0.0.9 - Mend

@govuk-pay/cli 0.0.7 → 0.0.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/resources/legacy-ruby-cli/vulnerability_scan/package.json ADDED Viewed

@@ -0,0 +1,15 @@
+{
+  "name": "vulnerability_scan",
+  "version": "1.0.0",
+  "description": "",
+  "main": "generate_vulnerability_report.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "MIT",
+  "dependencies": {
+    "csv-stringify": "^6"
+  }
+}

package/resources/legacy-ruby-cli/vulnerability_scan/scan.sh CHANGED Viewed

@@ -11,46 +11,77 @@
 set -euo pipefail
 ACCOUNT="staging"
 ACCOUNT_ID="888564216586"
-REPORTS_FOLDER="cli/vulnerability_scan/reports"
+SOURCE_DIR=$(realpath "$(dirname "${BASH_SOURCE[0]}")")
+REPORTS_FOLDER="$SOURCE_DIR/reports"
+ARCHITECTURE_TO_SCAN="linux/amd64"
 echo "🔍 checking for dependencies..."
-declare -a commands=("aws" "jq" "aws-vault" "docker" "docker scout")
+declare -a commands=("aws" "aws-vault" "docker" "docker scout")
-for i in "${!commands[@]}"; do
-  if ! command -v ${commands[i]} &> /dev/null
+for cmd in "${commands[@]}"; do
+  # shellcheck disable=SC2086
+  if ! command -v $cmd &> /dev/null
   then
-    echo "❌ ${commands[i]}"
+    echo "❌ $cmd"
     exit 1
   else
-    echo "✅ ${commands[i]}"
+    echo "✅ $cmd"
   fi
 done
 # Login to ECR
-echo "Logging into staging ECR"
-aws-vault exec $ACCOUNT -- aws ecr get-login-password --region eu-west-1 | docker login --username AWS --password-stdin "${ACCOUNT_ID}.dkr.ecr.eu-west-1.amazonaws.com"
-# Get list of govukpay repository URIs (ignore postgres, selenium etc)
-REPOSITORIES="$(aws-vault exec $ACCOUNT -- aws ecr describe-repositories --no-paginate | jq -r '.repositories[].repositoryUri' | grep 'govukpay')"
-if [[ -z $REPOSITORIES ]]; then
-  echo "Unable to find ECR repositories"
-  exit 1
-fi
-# For each repository, run scan on the latest image and save to JSON file
-for REPO_URI in $REPOSITORIES
-do
-  SHORT_REPO_NAME=$(echo "$REPO_URI"| cut -d'/' -f 3)
-  LATEST_TAG="$(aws-vault exec $ACCOUNT -- aws ecr describe-images --repository-name "govukpay/$SHORT_REPO_NAME" --query 'sort_by(imageDetails,& imagePushedAt)[-1].imageTags[0]' | tr -d '"')"
-  echo "Scanning latest image in $SHORT_REPO_NAME with tag $LATEST_TAG."
-  docker scout cves --format sarif --output "${REPORTS_FOLDER}/${SHORT_REPO_NAME}-${LATEST_TAG}.json" "${REPO_URI}:${LATEST_TAG}"
+echo "Logging into $ACCOUNT ECR"
+aws-vault exec "$ACCOUNT" -- aws ecr get-login-password --region eu-west-1 | docker login --username AWS --password-stdin "${ACCOUNT_ID}.dkr.ecr.eu-west-1.amazonaws.com"
+IMAGES=""
+# Get a all ECS clusters
+echo "Getting list of ECS clusters"
+CLUSTERS=$(aws-vault exec "$ACCOUNT" -- aws ecs list-clusters --query clusterArns --output text)
+for CLUSTER in $CLUSTERS; do
+  echo "Checking services in cluster $CLUSTER"
+  SERVICES=$(aws-vault exec "$ACCOUNT" -- aws ecs list-services --cluster "$CLUSTER" --query 'serviceArns' --output text | xargs -n1 | sort)
+  for SERVICE in $SERVICES; do
+    echo "Checking for container images in service $SERVICE"
+    TASK_DEFINITION=$(\
+      aws-vault exec "$ACCOUNT" -- \
+        aws ecs describe-services --cluster "$CLUSTER" --service "$SERVICE" --query 'services[].taskDefinition' --output text
+    )
+    CONTAINER_IMAGES=$(aws-vault exec "$ACCOUNT" -- aws ecs describe-task-definition --task-definition "$TASK_DEFINITION" --query 'taskDefinition.containerDefinitions[].image' --output text)
+    for CONTAINER_IMAGE in $CONTAINER_IMAGES; do
+      IMAGES="$IMAGES $CONTAINER_IMAGE"
+    done
+  done
 done
-node ./cli/vulnerability_scan/generate_vulnerability_report.js
+for IMAGE in $(xargs -n1 <<<"$IMAGES" | sort | uniq); do
+  SHORT_REPO_AND_TAG=$(cut -d'/' -f 3 <<<"$IMAGE")
+  SHORT_REPO_NAME=$(cut -f 1 -d ":" <<<"$SHORT_REPO_AND_TAG")
+  IMAGE_TAG=$(cut -f 2 -d ":" <<<"$SHORT_REPO_AND_TAG")
+  echo "Scanning image $IMAGE"
+  docker scout cves --format sarif --platform "$ARCHITECTURE_TO_SCAN" --output "${REPORTS_FOLDER}/${SHORT_REPO_NAME}-${IMAGE_TAG}.json" "$IMAGE"
+done
+pushd "$SOURCE_DIR" >>/dev/null 2>&1
+echo "Installing node dependencies"
+npm install
+echo
+echo "|============================================================================================"
+echo "| Generating vulnerability report"
+echo "|============================================================================================"
+node "${SOURCE_DIR}/generate_vulnerability_report.js"
+echo "|============================================================================================"
+echo
+popd >>/dev/null 2>&1
 # Clean up report JSON files once done
 echo "Removing JSON report files..."

package/resources/legacy-ruby-cli/vulnerability_scan/reports/.gitkeep DELETED Viewed

File without changes