Merge pull request #21 from oracle-devrel/imagescan

sample with image scan

Author: RahulMR42

oci-build-examples/README.md

@@ -5,6 +5,7 @@ All about OCI devops build samples ..
   <summary>Security & Quality - click to expand</summary>
 
 * [Integrate sonarqube with OCI devops build runner.](./oci_buildrunner_with_sonarqube/)
+* [Container image scanning  before deploy.](./oci_imagescan_before_deploy/)
 
 </details>
 

oci-build-examples/oci_buildrunner_with_sonarqube/deploy_spec.yaml

@@ -21,7 +21,7 @@ spec:
       containers:
         - name: graal-polyglot
           # enter the path to your image, be sure to include the correct region prefix
-          image: us-ashburn-1.ocir.io/xxx/xxx/mr-devops/mr-devops-graal-polyglot-app-repo:${BUILDRUN_HASH}
+          image: <OCI Region>-1.ocir.io/namespace/xxx/xx:${BUILDRUN_HASH}
           imagePullPolicy: Always
           ports:
             - containerPort: 3000

oci-build-examples/oci_imagescan_before_deploy/.dockerignore

@@ -0,0 +1,2 @@
+images
+images/*

oci-build-examples/oci_imagescan_before_deploy/.gitignore

@@ -0,0 +1,130 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+toremov*

oci-build-examples/oci_imagescan_before_deploy/Dockerfile

@@ -0,0 +1,9 @@
+
+FROM python:3.9
+
+WORKDIR /code
+COPY ./requirements.txt /code/requirements.txt
+RUN pip install --no-cache-dir --upgrade -r /code/requirements.txt
+COPY ./main.py /code/
+CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "80"]
+

oci-build-examples/oci_imagescan_before_deploy/README.md

@@ -0,0 +1,141 @@
+A sample illustration of build with a container image vulnerability validation,before the deployment invoke.
+------
+
+![](images/global_view.png)
+
+Objective
+---
+
+- Create an OCI devops build pipeline to build a container image for OKEdeployment.
+
+- Use an OCI Vulnerability scanner and scan the image.
+
+- If the image is valid proceed for deployment.
+
+* Specific instruction to clone only this example.
+
+   ```
+   $ git init oci_imagescan_before_deploy
+   $ cd oci_imagescan_before_deploy
+   $ git remote add origin <url to this git repo>
+   $ git config core.sparsecheckout true
+   $ echo "oci-build-examples/oci_imagescan_before_deploy/*">>.git/info/sparse-checkout
+   $ git pull --depth=1 origin main
+
+   ```
+
+Procedure to use the illustration
+
+-------
+
+- Create OCI devops project / necessary policies - https://docs.oracle.com/en-us/iaas/Content/devops/using/home.htm.
+
+- Set the policies for Build /Deploy / Connection policies.
+
+
+![](images/oci_project.png)
+
+- Create an OCI Build pipeline (with no stages for now)
+
+![](images/oci_buildpipeline.png)
+
+- Create an OCI Artifact repo (For container)
+
+  - https://docs.oracle.com/en-us/iaas/Content/Registry/home.htm
+
+
+![](images/oci_container_repo.png)
+
+- Create a policy (identity) to enable vulnerable scanning for repo.
+
+  - Refer to below for the policy statement.
+
+```
+allow service vulnerability-scanning-service to read repos in compartment  <COMPARTMENT Name>
+allow service vulnerability-scanning-service to read compartments in compartment <COMPARTMENT Name>
+```
+
+- Create an Artifact with the container repo URL (POSTFIX with a BUILDHASH VARIABLE)
+
+
+![](images/oci_artifact.png)
+
+- Add a manage build stage to the build pipeline.
+
+  - https://docs.oracle.com/en-us/iaas/Content/devops/using/managing_build_pipelines.htm
+
+
+![](images/build_stage.png)
+
+- You may use the GITHUB repo or OCI Code repo to hold the code base (clone this repo and use accordingly).
+
+- Add another upload artifact stage by using the artifact created.
+
+![](images/upload_artifact.png)
+
+- Add a scanner to the OCI Container repo that we had created.
+
+![](images/repo_scanner.png)
+
+      - https://docs.oracle.com/en-us/iaas/scanning/using/scanning-images.htm#scanning_images 
+
+- The scan may take a while, so add a waiting stage to the build pipeline.
+
+![](images/wait_stage.png)
+
+- Add another manage build stage but with a custom yaml path as scan_check.yaml.
+
+- You can use the same repo (Github or OCI code repo) but with the custom yaml file.
+
+
+![](images/scan_check.png)
+
+- Set the below values as build params.
+
+```
+SCAN_CHECK_BASELINE - None
+
+REPO_NAME - Container Repo name
+
+COMPARTMENT_ID - Compartment OCID
+
+```
+
+![](images/build_param.png)
+
+
+All set for test...
+
+-----
+
+- If your docker images are safe they will follow the build pipeline and invoke the deployment.
+
+![](images/build_ok.png)
+
+
+
+- If not it will fail and won't proceed for deployment.
+
+![](images/scan_failed.png)
+
+Tail end
+
+-----
+
+- To complete the flow, and create a deployment pipeline, you can use the reference spec file (deployment_spec mentioned here) - https://docs.oracle.com/en-us/iaas/Content/devops/using/deployment_pipelines.htm.You may declare the artifacts and build parameters as variables.
+
+- You may add OCI CLI Steps to delete the image from the repo if found invalid.
+
+Contributors
+===========
+
+- Author: Rahul M R.
+- Collaborators: NA
+- Last release: June 2022
+
+### Back to examples.
+----
+
+- 🍿 [Back to OCI Devops Build sample](./../README.md)
+- 🏝️ [Back to OCI Devops sample](./../../README.md)
+

oci-build-examples/oci_imagescan_before_deploy/build_spec.yaml

@@ -0,0 +1,50 @@
+version: 0.1
+component: build
+timeoutInSeconds: 6000
+runAs: root
+shell: bash
+env:
+  # these are local variables to the build config
+  variables:
+    key: "value"
+
+  # the value of a vaultVariable is the secret-id (in OCI ID format) stored in the OCI Vault service
+  # you can then access the value of that secret in your build_spec.yaml commands
+  vaultVariables:
+  #  EXAMPLE_SECRET: "YOUR-SECRET-OCID"
+  
+  # exportedVariables are made available to use as parameters in sucessor Build Pipeline stages
+  # For this Build to run, the Build Pipeline needs to have a BUILDRUN_HASH parameter set
+  exportedVariables:
+    - BUILDRUN_HASH
+
+steps:
+  - type: Command
+    name: "Define unique image tag"
+    timeoutInSeconds: 40
+    command: |
+      export BUILDRUN_HASH=`echo ${OCI_BUILD_RUN_ID} | rev | cut -c 1-7`
+      echo "BUILDRUN_HASH: " $BUILDRUN_HASH
+
+  - type: Command
+    timeoutInSeconds: 600
+    name: "Build the app"
+    command: |
+      cd ${OCI_PRIMARY_SOURCE_DIR}
+      docker build --pull --rm -t sample_python_fastap_image .
+    
+    onFailure:
+      - type: Command
+        command: |
+          echo "Handling Failure"
+          echo "Failure successfully handled"
+        timeoutInSeconds: 40
+        runAs: root
+  
+     
+outputArtifacts:
+  - name: sample_python_fastap_image
+    type: DOCKER_IMAGE
+    # this location tag doesn't effect the tag used to deliver the container image
+    # to the Container Registry
+    location: sample_python_fastap_image:latest