Recipe book for dependency scanning (#262)

Co-authored-by: Robert Ball <[email protected]>

Author: stefaniuk

practices/security-repository.md

@@ -47,6 +47,7 @@ Depending on your use case, you may want to create additional teams (e.g. a read
 ## Code security
 
 - Enable, at a minimum, [Dependabot](https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/) alerts for vulnerabilities and respond to them appropriately.
+- Generate [SBOM (Software Bill of Materials)](../tools/dependency-scan/README.md) for your repository content and all the artefacts that are build as part of the CI/CD process
 - Disable ability to push to the default branch for everyone, admins included (`applies-to-admin` option).
 - Refer to [Quality Checks](../quality-checks.md) for further code security practices.
 

tools/dependency-scan/.gitignore

@@ -0,0 +1,2 @@
+sbom*.json
+sbom*.xml

tools/dependency-scan/Design - Dependency Scan v1.drawio.png

@@ -0,0 +1 @@
+<mxfile host="Electron" modified="2022-07-14T07:40:33.241Z" agent="5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/19.0.3 Chrome/102.0.5005.63 Electron/19.0.3 Safari/537.36" etag="udLpUFjxY4F_XWO8Zi_o" version="19.0.3" type="device"><diagram name="Dependency Scan v1" id="MA9I2CS_o0D6G25iCx2h">7VtZc6M4EP41qdp9GBeHAfPo2Dnm2hxOZTL7MiVAxloDYoR87a/fFocNiDi2x1dl1lOTQOvA6u/rptWtXOi9cH7DUDz6Sj0cXGiKN7/Q+xeapuu6Br+EZJFJVFvtZBKfES+XrQQD8i/OhUounRAPJ5WOnNKAk7gqdGkUYZdXZIgxOqt2G9Kg+tQY+VgSDFwUyNJvxOOjXKqa9qrhFhN/lD+6o1lZQ4iKzvlKkhHy6Kwk0q8u9B6jlGdX4byHA6G9Qi94Ft5QK5rZ6Oll/PxwO3l+nn7IJrveZshyCQxHfOepp99mP/vUQr3HTw9m9+qfWTeZ5UOUKQomub7ytfJFoUBGJ5GHxSTKhX45GxGOBzFyResMOAOyEQ8DuFPhckiCoEcDytKx+tAQ/4ScRrwkzz4gTzijY1xqMdMPtHgoGaVPVfObe8Q5ZlEq0ZQ2SDdUS66+KWYcz0ukyNV0g2mIOVtAl7y13c7VUnC+YMBsRSCt6DMqcccshCgnrb+cewUMXOTYbEEBTcLpckLAEl4HS90aLA/hztBtBMXtYGd4QI1rdY2bssaXsrLGO4dSuC4pvI9jDLqNXJjcDOD5lw6DK19cJS6K3gsW7c65YdGWsHjCCX8v+ra0c9O3Ien7BkeYIY5BOri8+7pX1Q+H2HQbVe9ZtqMoR6S6Zp9a9aak+kHqWpTpJBAQOCQgnEA89U4RMNqnRsB6OyKC10BXRKZw5wYoSYhbVW81YsJzwl/yFnH9XchbRn7Xn5e69RfFTQRLeSnflEaJ29Ww9K4Ytx1MCZ0wF6/ply+dI+bjdfPlL0vsVUJxGfQSqEYDpoWM4QBxMq0G8E1A50+4pwSWu+SUodesuh6VZevOR5Uj5vpE9TehXZsoU4w0Ucq75bJ3p2LnfyrWKfYmFdtnRUXdtFt26dOpElPdkZhtW1k/0YGJaR+KmCsyfi/RtJmYJyKYcVYE25uvs4zqRLp5XEoVDN4jp5aOa+WrvldcVbPjSmClvHhORCP8S1wb/+w/qvj6JZqzHz91Y9HrOXdF1uVNrpnnxTWrxjVj1/dqfaIjv1dVOZtyghfrnv2XKXNqgbufPt8/K9MPD1RlffbSR1HBvTPlVFvfkVMdpbaR0I3jckpOUpyAU2cSrLVlLjb6Qe2suGir64I11bZbbVVZfTq7EdU2a85PObLzk7M7RT5zpBb5zHKuUykyEGrRD5676loIPTItRAMUxoHIFcUkxgGJxOWUJBMUkAQAolELBE8jkojvKn4g+D8kTOT0FMJFpgk6wTUdChaNxHgPJ8SPUi4AFWCIuAYVAWGzvpwKJs1B4KWD0oldFGcpk0XRIySc+FkmK5uYkWRcfdRgEseBGNAbISKmRpwjd9wqLb+0WMnKOXyJql1X0yp5SFHOweSiJEYuiXwQGKu7JxqD4IP2WvGFTjEbBqlTGREPMJMcyXbGvXnuRq0S2dKEn6knb9pKg8GCKRmvW+em6ZvYDMdD+77/cmnEz44ROH8nfkNBq/cRJur1U5BwLOfuPTwEinopnZYc+Ot2IEZcRT60YSZQ0ZRrhkI8o2wsT4IKGjvw3JhlFj8EcGFCjMKkoN8kwRJhlpUuARadcGExvWU1VKlyCWzIFzUwF8DEwJ3LADk4uKcJSe2g1CCAJC4KvtQ6cEGoZWs3n8+hnNNQ0G6EYvHFwrkvKsKtGXYC6tOk5YPhTZxDkcmsVYA6MpUsQ2aStQcerQuTyjnw20H3QuTqTXBvAon0p3ATz1cNrEIcOagB7UK/7gJw9jDT307XOpk5f3GWAnBHfmrkdxldCkeTVd9VQ87xYtUzsNWU47VNS0fmIQscNWgbc7xag5vYR4533f6rnGWnQz6DlS/RjZxE/Lok6Wzp2+ErvDYYQUEio/2HqIr8KWOd6ro4dqDV3go1QxNO3B3B3rPlUXcSAgjaK9TIYVZamnHE1Hy7CHHfSs2b5j68+7qAsQRcq9WS1L5VLQSU7xFQXZ8wcLiZi8Qo4QfUrH3Kil+jXjfYvGx1DGSNUs+n8FqHwdKtxgBGxqGebt0bDnJs/hnDt+vuMcgsAogAD3lDHBBCDCke0ohwlQPiTM8g/0qbHlH6dZCUJpDUTgNK2qFQkou096uNThZkniFcB0PIqpuR1oSQfUyENijiHsifnbCWLpmKeXJ/JlcwK5mF7NiU4oijbNkWC/Ya7vj3Nh/z9OazQX3vQOZzwm2KZD72yc2noSh2NReHYJEYynCeiP2tzcU+qrl8Ij9uHtkP45bfOTq+RdFLx1suorSd5AgUB7IuQLVI0lzkI04mARdXH0WGBrZ6kS8ChmvKQsSb9pTdx4/XJ91USrBsiujGm0rTUmXwDrepbIRPPuor6Xy7yk1TBXn3Ew616sgeyzS5Qt8s0yjNkJ6oQmgrdSZsXHeulV7adY+wv9JLI9H2XiJ8/ajC4UjTUGd+3Sm+B9LUpjLqpx52Jg3crv54KOu++hss/eo/</diagram></mxfile>

tools/dependency-scan/Design.drawio

@@ -0,0 +1,19 @@
+generate-sbom: ### Run SBOM generator - mandatory: SCHEME=[file|directory|image|registry]; optional: ARGS=[syft args]
+	docker run --interactive --tty --rm \
+		--volume $(PWD):/project \
+		--env "DOCKER_CONFIG=/config" \
+		--workdir /project \
+		anchore/syft:latest $(SCHEME) $(ARGS)
+
+scan-vulnerabilities: ### Run vulnerability scanner - mandatory: SCHEME=[sbom|file|directory|image|registry]; optional: ARGS=[grype args]
+	docker run --interactive --tty --rm \
+		--volume /tmp/grype/db:/tmp/grype/db \
+		--volume $(PWD):/project \
+		--env "DOCKER_CONFIG=/config" \
+		--env "XDG_CACHE_HOME=/tmp/grype/db" \
+		--workdir /project \
+		anchore/grype:latest $(SCHEME) $(ARGS)
+
+.SILENT: \
+	generate-sbom \
+	scan-vulnerabilities

tools/dependency-scan/Makefile

@@ -0,0 +1,18 @@
+# TODO: Example
+
+ignore:
+  # This is the full set of supported rule fields:
+  - vulnerability: CVE-2008-4318
+    fix-state: unknown
+    package:
+      name: libcurl
+      version: 1.5.1
+      type: npm
+      location: "/usr/local/lib/node_modules/**"
+
+  # We can make rules to match just by vulnerability ID:
+  - vulnerability: CVE-2017-41432
+
+  # ...or just by a single package field:
+  - package:
+      type: gem

tools/dependency-scan/README.md

@@ -0,0 +1,220 @@
+# TODO: Example
+
+# the output format(s) of the SBOM report (options: table, text, json, spdx, ...)
+# same as -o, --output, and SYFT_OUTPUT env var
+# to specify multiple output files in differing formats, use a list:
+# output:
+#   - "json=<syft-json-output-file>"
+#   - "spdx-json=<spdx-json-output-file>"
+output: "table"
+
+# suppress all output (except for the SBOM report)
+# same as -q ; SYFT_QUIET env var
+quiet: false
+
+# same as --file; write output report to a file (default is to write to stdout)
+file: ""
+
+# enable/disable checking for application updates on startup
+# same as SYFT_CHECK_FOR_APP_UPDATE env var
+check-for-app-update: true
+
+# a list of globs to exclude from scanning. same as --exclude ; for example:
+# exclude:
+#   - "/etc/**"
+#   - "./out/**/*.json"
+exclude: []
+
+# os and/or architecture to use when referencing container images (e.g. "windows/armv6" or "arm64")
+# same as --platform; SYFT_PLATFORM env var
+platform: ""
+
+# set the list of package catalogers to use when generating the SBOM
+# default = empty (cataloger set determined automatically by the source type [image or file/directory])
+# catalogers:
+#   - ruby-gemfile
+#   - ruby-gemspec
+#   - python-index
+#   - python-package
+#   - javascript-lock
+#   - javascript-package
+#   - php-composer-installed
+#   - php-composer-lock
+#   - alpmdb
+#   - dpkgdb
+#   - rpmdb
+#   - java
+#   - apkdb
+#   - go-module-binary
+#   - go-mod-file
+#   - dartlang-lock
+#   - rust
+#   - dotnet-deps
+catalogers:
+
+# cataloging packages is exposed through the packages and power-user subcommands
+package:
+
+  # search within archives that do contain a file index to search against (zip)
+  # note: for now this only applies to the java package cataloger
+  # SYFT_PACKAGE_SEARCH_INDEXED_ARCHIVES env var
+  search-indexed-archives: true
+
+  # search within archives that do not contain a file index to search against (tar, tar.gz, tar.bz2, etc)
+  # note: enabling this may result in a performance impact since all discovered compressed tars will be decompressed
+  # note: for now this only applies to the java package cataloger
+  # SYFT_PACKAGE_SEARCH_UNINDEXED_ARCHIVES env var
+  search-unindexed-archives: false
+
+  cataloger:
+    # enable/disable cataloging of packages
+    # SYFT_PACKAGE_CATALOGER_ENABLED env var
+    enabled: true
+
+    # the search space to look for packages (options: all-layers, squashed)
+    # same as -s ; SYFT_PACKAGE_CATALOGER_SCOPE env var
+    scope: "squashed"
+
+# cataloging file classifications is exposed through the power-user subcommand
+file-classification:
+  cataloger:
+    # enable/disable cataloging of file classifications
+    # SYFT_FILE_CLASSIFICATION_CATALOGER_ENABLED env var
+    enabled: true
+
+    # the search space to look for file classifications (options: all-layers, squashed)
+    # SYFT_FILE_CLASSIFICATION_CATALOGER_SCOPE env var
+    scope: "squashed"
+
+# cataloging file contents is exposed through the power-user subcommand
+file-contents:
+  cataloger:
+    # enable/disable cataloging of secrets
+    # SYFT_FILE_CONTENTS_CATALOGER_ENABLED env var
+    enabled: true
+
+    # the search space to look for secrets (options: all-layers, squashed)
+    # SYFT_FILE_CONTENTS_CATALOGER_SCOPE env var
+    scope: "squashed"
+
+  # skip searching a file entirely if it is above the given size (default = 1MB; unit = bytes)
+  # SYFT_FILE_CONTENTS_SKIP_FILES_ABOVE_SIZE env var
+  skip-files-above-size: 1048576
+
+  # file globs for the cataloger to match on
+  # SYFT_FILE_CONTENTS_GLOBS env var
+  globs: []
+
+# cataloging file metadata is exposed through the power-user subcommand
+file-metadata:
+  cataloger:
+    # enable/disable cataloging of file metadata
+    # SYFT_FILE_METADATA_CATALOGER_ENABLED env var
+    enabled: true
+
+    # the search space to look for file metadata (options: all-layers, squashed)
+    # SYFT_FILE_METADATA_CATALOGER_SCOPE env var
+    scope: "squashed"
+
+  # the file digest algorithms to use when cataloging files (options: "sha256", "md5", "sha1")
+  # SYFT_FILE_METADATA_DIGESTS env var
+  digests: ["sha256"]
+
+# cataloging secrets is exposed through the power-user subcommand
+secrets:
+  cataloger:
+    # enable/disable cataloging of secrets
+    # SYFT_SECRETS_CATALOGER_ENABLED env var
+    enabled: true
+
+    # the search space to look for secrets (options: all-layers, squashed)
+    # SYFT_SECRETS_CATALOGER_SCOPE env var
+    scope: "all-layers"
+
+  # show extracted secret values in the final JSON report
+  # SYFT_SECRETS_REVEAL_VALUES env var
+  reveal-values: false
+
+  # skip searching a file entirely if it is above the given size (default = 1MB; unit = bytes)
+  # SYFT_SECRETS_SKIP_FILES_ABOVE_SIZE env var
+  skip-files-above-size: 1048576
+
+  # name-regex pairs to consider when searching files for secrets. Note: the regex must match single line patterns
+  # but may also have OPTIONAL multiline capture groups. Regexes with a named capture group of "value" will
+  # use the entire regex to match, but the secret value will be assumed to be entirely contained within the
+  # "value" named capture group.
+  additional-patterns: {}
+
+  # names to exclude from the secrets search, valid values are: "aws-access-key", "aws-secret-key", "pem-private-key",
+  # "docker-config-auth", and "generic-api-key". Note: this does not consider any names introduced in the
+  # "secrets.additional-patterns" config option.
+  # SYFT_SECRETS_EXCLUDE_PATTERN_NAMES env var
+  exclude-pattern-names: []
+
+# options when pulling directly from a registry via the "registry:" scheme
+registry:
+  # skip TLS verification when communicating with the registry
+  # SYFT_REGISTRY_INSECURE_SKIP_TLS_VERIFY env var
+  insecure-skip-tls-verify: false
+  # use http instead of https when connecting to the registry
+  # SYFT_REGISTRY_INSECURE_USE_HTTP env var
+  insecure-use-http: false
+
+  # credentials for specific registries
+  auth:
+      # the URL to the registry (e.g. "docker.io", "localhost:5000", etc.)
+      # SYFT_REGISTRY_AUTH_AUTHORITY env var
+    - authority: ""
+      # SYFT_REGISTRY_AUTH_USERNAME env var
+      username: ""
+      # SYFT_REGISTRY_AUTH_PASSWORD env var
+      password: ""
+      # note: token and username/password are mutually exclusive
+      # SYFT_REGISTRY_AUTH_TOKEN env var
+      token: ""
+      # - ... # note, more credentials can be provided via config file only
+
+# generate an attested SBOM
+attest:
+  # path to the private key file to use for attestation
+  # SYFT_ATTEST_KEY env var
+  key: "cosign.key"
+
+  # password to decrypt to given private key
+  # SYFT_ATTEST_PASSWORD env var, additionally responds to COSIGN_PASSWORD
+  password: ""
+
+log:
+  # use structured logging
+  # same as SYFT_LOG_STRUCTURED env var
+  structured: false
+
+  # the log level; note: detailed logging suppress the ETUI
+  # same as SYFT_LOG_LEVEL env var
+  level: "error"
+
+  # location to write the log file (default is not to have a log file)
+  # same as SYFT_LOG_FILE env var
+  file: ""
+
+# uploading package SBOM is exposed through the packages subcommand
+anchore:
+  # (feature-preview) the Anchore Enterprise Host or URL to upload results to (supported on Enterprise 3.0+)
+  # same as -H ; SYFT_ANCHORE_HOST env var
+  host: ""
+
+  # (feature-preview) the path after the host to the Anchore External API (supported on Enterprise 3.0+)
+  # same as SYFT_ANCHORE_PATH env var
+  path: ""
+
+  # (feature-preview) the username to authenticate against Anchore Enterprise (supported on Enterprise 3.0+)
+  # same as -u ; SYFT_ANCHORE_USERNAME env var
+  username: ""
+
+  # (feature-preview) the password to authenticate against Anchore Enterprise (supported on Enterprise 3.0+)
+  # same as -p ; SYFT_ANCHORE_PASSWORD env var
+  password: ""
+
+  # (feature-preview) path to dockerfile to be uploaded with the syft results to Anchore Enterprise (supported on Enterprise 3.0+)
+  # same as -d ; SYFT_ANCHORE_DOCKERFILE env var
+  dockerfile: ""

tools/dependency-scan/config/.grype.yaml

@@ -0,0 +1,23 @@
+name: "Generate SBOM"
+on:
+  push:
+    branches: [main]
+  pull_request:
+    types: [opened, synchronize, reopened]
+jobs:
+  generate-sbom:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@master
+    - uses: anchore/sbom-action@v0
+      with:
+        path: ./
+        format: cyclonedx-json
+        artifact-name: sbom-repo.cdx.json
+    - uses: anchore/sbom-action@v0
+      with:
+        image: my-registry.com/my/awesome/image
+        registry-username: ${{ secrets.REGISTRY_USERNAME }}
+        registry-password: ${{ secrets.REGISTRY_PASSWORD }}
+        format: cyclonedx-json
+        artifact-name: sbom-image.cdx.json

tools/dependency-scan/config/.syft.yaml

@@ -0,0 +1,22 @@
+name: "Scan vulnerabilities"
+on:
+  push:
+    branches: [main]
+  pull_request:
+    types: [opened, synchronize, reopened]
+jobs:
+  scan-vulnerabilities:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: anchore/scan-action@v3
+      with:
+        sbom: sbom-repo.cdx.json
+        fail-build: true
+        severity-cutoff: critical
+        acs-report-enable: true
+    - uses: anchore/scan-action@v3
+      with:
+        sbom: sbom-image.cdx.json
+        fail-build: true
+        severity-cutoff: critical
+        acs-report-enable: true