DEVOPS-61 scan dockerofkrishnadhas docker images with trivy

Author: githubofkrishnadhas

.github/dependabot.yml

@@ -0,0 +1,31 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: /
+    schedule:
+      interval: "weekly"
+      day: saturday
+      time: "09:00"
+      timezone: Asia/Kolkata
+    # Assignees to set on pull requests
+    assignees:
+      - "githubofkrishnadhas"
+    # prefix specifies a prefix for all commit messages. When you specify a prefix for commit messages,
+    # GitHub will automatically add a colon between the defined prefix and the commit message provided the
+    # defined prefix ends with a letter, number, closing parenthesis, or closing bracket.
+    commit-message:
+      prefix: "dependabot python package"
+    # Use reviewers to specify individual reviewers or teams of reviewers for all pull requests raised for a package manager.
+    reviewers:
+      - "devwithkrishna/admin"
+    # Raise pull requests for version updates to pip against the `main` branch
+    target-branch: "main"
+    # Labels on pull requests for version updates only
+    labels:
+      - "pip dependencies"
+    # Increase the version requirements for Composer only when required
+    versioning-strategy: increase-if-necessary
+    # Dependabot opens a maximum of five pull requests for version updates. Once there are five open pull requests from Dependabot,
+    # Dependabot will not open any new requests until some of those open requests are merged or closed.
+    # Use open-pull-requests-limit to change this limit.
+    open-pull-requests-limit: 10

.github/workflows/scan-docker-images-using-trivy.yaml

@@ -0,0 +1,53 @@
+name: scan-docker-images-using-trivy
+on:
+  schedule:
+    - cron: '0 0 * * 0' # weekly once
+  workflow_dispatch:
+    inputs:
+      dockerhub_username:
+        description: 'Dockerhub username'
+        required: true
+        type: string
+        default: 'dockerofkrishnadhas'
+
+run-name: scan-docker-images-using-trivy-from-dockerofkrishnadhas-dockerhub
+jobs:
+  scan-docker-images-using-trivy-from-dockerofkrishnadhas-dockerhub:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out the repo
+      uses: actions/checkout@v4
+    - name: set up python 3.11
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.11'
+    - name: package installations
+      run: |
+        pip install pipenv
+        pipenv install
+    - name: execute python program
+      run: |
+          pipenv run python3 get_all_docker_image_tags.py --account_name ${{ inputs.dockerhub_username }}
+    - name: check files
+      run: |
+        ls -la
+    - name: set up docker and scan docker image  for vulnerabilities
+      uses: docker-practice/actions-setup-docker@master
+    -  run: |
+        set -x
+        docker version
+        images=$(cat docker_images_details_dockerofkrishnadhas.json | jq -r '.[]')
+        for image in $images
+          do
+            docker pull $image
+            start_time=$(date +%s)
+            echo "Scanning started for image: $image at $(date)"
+            docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image $image
+            end_time=$(date +%s)
+            duration=$((end_time - start_time))
+            echo "Scanning ended for image: $image at $(date)"
+            echo "Duration for image $image: $duration seconds"
+          done
+    - name: Completed
+      run: |
+        echo "program completed successfully"

.gitignore

@@ -157,4 +157,5 @@ cython_debug/
 #  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
-#.idea/
+.idea/
+*.json

Pipfile

@@ -0,0 +1,13 @@
+[[source]]
+url = "https://pypi.org/simple"
+verify_ssl = true
+name = "pypi"
+
+[packages]
+requests = "=2.31.0"
+argparse = "=1.4.0"
+python-dotenv = "=1.0.1"
+
+
+[requires]
+python_version = "3"

Pipfile.lock

@@ -0,0 +1,105 @@
+import requests
+import argparse
+import json
+from datetime import datetime
+
+
+def get_all_images_from_dockerhub(account_name:str):
+    """
+    function to retrieve docker images list
+    :param account_name: docker hub acccount name. default dockerofkrishnadhas
+    :return:
+    """
+    api_endpoint = f'https://hub.docker.com/v2/repositories/{account_name}/'
+    # print(api_endpoint)
+    # Define pagination parameters
+    per_page = 50  # Number of records per page
+    page = 1  # Initial page number
+    docker_image_names_list = []
+    while True:
+        params = {
+            'per_page': per_page,  # Number of results per page
+            'page': page # Page number
+        }
+        # API call
+        response = requests.get(url=api_endpoint, params=params)
+        response_json = response.json() ## Github repo details
+
+        # Checking the API status code
+        if response.status_code == 200:
+            print(f"API request successful on {api_endpoint}")
+            # print(response_json)
+        else:
+            print(f"API request failed with status code {response.status_code}:")
+            # print(response_json)
+            break
+
+        for images in response_json['results']:
+            docker_image_names_list.append(images['name'])
+
+        page += 1  # Move to the next page
+        file_name = f'docker_images_tags_{account_name}_results.json'
+        with open(file_name, 'w') as json_file:
+            json.dump(response_json['results'], json_file, indent=4)
+        # Break the loop if no more pages
+        if len(response_json['results']) < per_page:
+            break
+    print(f'Total number of images under {account_name} is : {len(docker_image_names_list)}')
+
+    return docker_image_names_list
+
+def get_image_tags_from_repository(account_name: str):
+    """
+    get the tags from a docker image
+    :param account_name:
+    :return:
+    """
+    docker_image_names_list = get_all_images_from_dockerhub(account_name=account_name)
+    docker_image_tag_list = []
+    for image in docker_image_names_list:
+        tag_endpoint = f'https://hub.docker.com/v2/namespaces/{account_name}/repositories/{image}/tags'
+        # print(tag_endpoint)
+        response = requests.get(tag_endpoint)
+        # Checking the API status code
+        if response.status_code == 200:
+            print(f"API request successful on {tag_endpoint}")
+            # print(response_json)
+        else:
+            print(f"API request failed with status code {response.status_code}:")
+            # print(response_json)
+            break
+        response_json = response.json()
+        response_json_results = response_json['results']
+        tag_count = response_json['count']
+        print(f'Number of tags of {account_name}/{image} is : {tag_count}')
+        for item in response_json_results:
+            tag = item['name']
+            docker_image_tag_list.append(f'{account_name}/{image}:{tag}')
+    file_name = f'docker_images_details_{account_name}.json'
+    with open(file_name, 'w') as json_file:
+        json.dump(docker_image_tag_list, json_file, indent=4)
+    return docker_image_tag_list
+
+def date_time():
+    """ Simple function to print time """
+    now = datetime.now()
+    current_time = now.strftime("%B %d %Y - %H:%M:%S")
+    return current_time
+
+
+def main():
+    """ To test the code"""
+    parser = argparse.ArgumentParser("Retrieve Docker images and tags from dockerhub registry using python")
+    parser.add_argument("--account_name", help="dockerhub user name", required=True, type=str)
+
+    args = parser.parse_args()
+    account_name = args.account_name
+    starting_time = date_time()
+    print(f"Proccess to retrieve Docker images and tags from dockerhub registry started at {starting_time} IST......")
+    docker_image_tag_list = get_image_tags_from_repository(account_name)
+    print(docker_image_tag_list)
+    ending_time = date_time()
+    print(f"Proccess to retrieve Docker images and tags from dockerhub registry completed at {ending_time} IST......")
+
+if __name__ == "__main__":
+    main()