Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| f88893748a | |||
| b6dfca1cf2 | |||
| a3c723cc32 |
@@ -9,12 +9,14 @@ inputs:
|
|||||||
description: "what level of issues to show (all|fatal)"
|
description: "what level of issues to show (all|fatal)"
|
||||||
required: false
|
required: false
|
||||||
default: "all"
|
default: "all"
|
||||||
outputs:
|
fail:
|
||||||
report:
|
description: "determines whether or not the workflow fails upon finding fatal issues (yes(default)|no)"
|
||||||
description: "results of the scan"
|
required: false
|
||||||
|
default: "yes"
|
||||||
runs:
|
runs:
|
||||||
using: docker
|
using: docker
|
||||||
image: Dockerfile
|
image: Dockerfile
|
||||||
env:
|
env:
|
||||||
COMPOSE_FILE_PATH: ${{ inputs.path }}
|
COMPOSE_FILE_PATH: ${{ inputs.path }}
|
||||||
LOG_LEVEL: ${{ inputs.show }}
|
LOG_LEVEL: ${{ inputs.show }}
|
||||||
|
FAIL_ON_FATAL: ${{ inputs.fail }}
|
||||||
|
|||||||
18
main.go
18
main.go
@@ -21,7 +21,7 @@ const (
|
|||||||
ROOT_USER = "1000"
|
ROOT_USER = "1000"
|
||||||
ROOT_GROUP = "1000"
|
ROOT_GROUP = "1000"
|
||||||
//this is an insane regex to detect IP:PORT:PORT in port configuration but also supports the ability to detect secrets.* and vars.* from workflows
|
//this is an insane regex to detect IP:PORT:PORT in port configuration but also supports the ability to detect secrets.* and vars.* from workflows
|
||||||
IM_SO_SORRY = `^(\${{\s*(vars|secrets)\.[[:alnum:]]+\s*}}|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}){1}:(\${{\s*(vars|secrets)\.[[:alnum:]]+\s*}}|[0-9]+){1}:(\${{\s*(vars|secrets)\.[[:alnum:]]+\s*}}|[0-9]+){1}$`
|
IM_SO_SORRY = `^(\${\s*\w+\s*}|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}){1}:(\${\s*\w+\s*}|[0-9]+){1}:(\${\s*\w+\s*}|[0-9]+){1}$`
|
||||||
)
|
)
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
@@ -98,11 +98,15 @@ func main() {
|
|||||||
|
|
||||||
//this is better printing, it should probably group up the port issues in a better printing. Not sure how
|
//this is better printing, it should probably group up the port issues in a better printing. Not sure how
|
||||||
lvl := os.Getenv("LOG_LEVEL")
|
lvl := os.Getenv("LOG_LEVEL")
|
||||||
|
fatalCount := 0
|
||||||
for _, p := range issues {
|
for _, p := range issues {
|
||||||
fmt.Println()
|
fmt.Println()
|
||||||
fmt.Println("----------------------------------------------------------------------------")
|
fmt.Println("----------------------------------------------------------------------------")
|
||||||
fmt.Println(p.Name)
|
fmt.Println(p.Name)
|
||||||
for _, x := range p.Issues {
|
for _, x := range p.Issues {
|
||||||
|
if x.Level == issue.FATAL {
|
||||||
|
fatalCount++
|
||||||
|
}
|
||||||
if lvl == "all" {
|
if lvl == "all" {
|
||||||
fmt.Printf("\tsafe: %t\n\tlevel: %s\n\tMessages:\n\t\t%s\n\n", x.Safe, x.Level, strings.Join(x.Messages, "\n\t\t"))
|
fmt.Printf("\tsafe: %t\n\tlevel: %s\n\tMessages:\n\t\t%s\n\n", x.Safe, x.Level, strings.Join(x.Messages, "\n\t\t"))
|
||||||
} else if lvl == "fatal" {
|
} else if lvl == "fatal" {
|
||||||
@@ -112,6 +116,10 @@ func main() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if strings.EqualFold(os.Getenv("FAIL_ON_FATAL"), "yes") {
|
||||||
|
os.Exit(fatalCount)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// ensure cpus and mem_limit are set on the service
|
// ensure cpus and mem_limit are set on the service
|
||||||
@@ -132,6 +140,10 @@ func ResourceCheck(srv compose.ServiceConfig) *issue.Issue {
|
|||||||
i.Messages = append(i.Messages, "there are no resource limits set for the service")
|
i.Messages = append(i.Messages, "there are no resource limits set for the service")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if len(i.Messages) > 0 {
|
||||||
|
return i
|
||||||
|
}
|
||||||
|
|
||||||
i.Passed()
|
i.Passed()
|
||||||
i.Messages = append(i.Messages, "resource limits configuration is safe")
|
i.Messages = append(i.Messages, "resource limits configuration is safe")
|
||||||
return i
|
return i
|
||||||
@@ -169,7 +181,7 @@ func SecurityOptCheck(srv compose.ServiceConfig) *issue.Issue {
|
|||||||
for _, opt := range *srv.SecOpts {
|
for _, opt := range *srv.SecOpts {
|
||||||
if strings.EqualFold(opt, PRIVILEGE_OPT) {
|
if strings.EqualFold(opt, PRIVILEGE_OPT) {
|
||||||
i.Passed()
|
i.Passed()
|
||||||
i.Messages = append(i.Messages, "security option are safe")
|
i.Messages = append(i.Messages, "security options are safe")
|
||||||
return i
|
return i
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -204,7 +216,7 @@ func PortCheck(srv compose.ServiceConfig) ([]*issue.Issue, error) {
|
|||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
ms, err := regexp.Match(`^\${{\s*(vars|secrets)\.[[:alnum:]]+\s*}}{1}:\${{\s*(vars|secrets)\.[[:alnum:]]+\s*}}{1}$`, []byte(prt))
|
ms, err := regexp.Match(`^\${\s*\w+\s*}{1}:\${\s*\w+\s*}{1}$`, []byte(prt))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Fatal(err)
|
log.Fatal(err)
|
||||||
}
|
}
|
||||||
|
|||||||
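Review bot: `os.Exit(fatalCount)` in the new `FAIL_ON_FATAL` block of main can silently pass the workflow, because on Linux the exit status keeps only the low 8 bits, so a run that finds 256 (or any multiple of 256) fatal issues exits 0 and the gate the flag is meant to enforce opens instead of closing. Use a fixed non-zero status and report the count separately, e.g. `if fatalCount > 0 { fmt.Printf("fatal issues: %d\n", fatalCount); os.Exit(1) }`, which also keeps the status meaningful for callers that only test for non-zero. In the PortCheck hunk, `regexp.Match` still compiles its pattern on every port entry and the `log.Fatal(err)` after it can only fire for an invalid pattern, which a literal constant never is; hoisting the pattern next to `IM_SO_SORRY` as a package-level `regexp.MustCompile` value removes both the per-call compile and that dead error path. The relaxed `\${\s*\w+\s*}` alternative in both regexes accepts only the bare `${NAME}` spelling, so a port written with another interpolation form (a default-value form such as `${NAME:-x}`, for instance) would not match and would fall through to whatever the non-matching branch does; a comment on `IM_SO_SORRY` stating that limit would help the next reader. The bodies of main and PortCheck both start outside their hunks.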