snyk
diff --git a/‎package.json‎
Lines changed: 2 additions & 2 deletions b/‎package.json‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎test/helpers/deployment.ts‎
Lines changed: 0 additions & 114 deletions b/‎test/helpers/deployment.ts‎
Lines changed: 0 additions & 114 deletions
diff --git a/‎test/unit/deployment-files.spec.ts‎
Lines changed: 108 additions & 0 deletions b/‎test/unit/deployment-files.spec.ts‎
Lines changed: 108 additions & 0 deletions
diff --git a/‎test/unit/deployment-files.test.ts‎
Lines changed: 0 additions & 29 deletions b/‎test/unit/deployment-files.test.ts‎
Lines changed: 0 additions & 29 deletions
diff --git a/‎test/unit/scanner/image-registry-credentials.spec.ts‎
Lines changed: 35 additions & 0 deletions b/‎test/unit/scanner/image-registry-credentials.spec.ts‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎test/unit/scanner/image-registry-credentials.test.ts‎
Lines changed: 0 additions & 35 deletions b/‎test/unit/scanner/image-registry-credentials.test.ts‎
Lines changed: 0 additions & 35 deletions
@@ -12,8 +12,8 @@
   "scripts": {
     "pretest": "./scripts/docker/build-image.sh",
     "test": "npm run lint && npm run build && npm run test:unit:tap && npm run test:unit:jest && npm run test:integration:kind:helm",
-    "test:unit:tap": "NODE_ENV=test tap test/unit/*.test.ts test/unit/**/*.test.ts --timeout=300",
-    "test:unit:jest": "jest --logHeapUsage --ci test/unit",
+    "test:unit:tap": "NODE_ENV=test tap test/unit/**/*.test.ts --timeout=300",
+    "test:unit:jest": "jest --logHeapUsage --ci --bail --forceExit test/unit",
     "test:system": "jest --logHeapUsage --ci --maxWorkers=1 test/system",
     "test:integration:kind:yaml": "DEPLOYMENT_TYPE=YAML TEST_PLATFORM=kind CREATE_CLUSTER=true jest --logHeapUsage --ci --maxWorkers=1 test/integration/kubernetes.spec.ts",
     "test:integration:kind:helm": "DEPLOYMENT_TYPE=Helm TEST_PLATFORM=kind CREATE_CLUSTER=true jest --logHeapUsage --ci --maxWorkers=1 test/integration/kubernetes.spec.ts",
 
@@ -0,0 +1,108 @@
+import { parse } from 'yaml';
+import { readFileSync } from 'fs';
+import { V1Deployment } from '@kubernetes/client-node';
+import { config } from '../../src/common/config';
+
+/**
+ * Note that these checks are also performed at runtime on the deployed snyk-monitor, see the integration tests.
+ */
+
+test('ensure the security properties of the deployment files are unchanged', async () => {
+  expect(config.IMAGE_STORAGE_ROOT).toEqual('/var/tmp');
+
+  const deploymentFiles = ['./snyk-monitor-deployment.yaml'];
+
+  for (const filePath of deploymentFiles) {
+    const fileContent = readFileSync(filePath, 'utf8');
+    const deployment: V1Deployment = parse(fileContent);
+
+    validateSecureConfiguration(deployment);
+    validateVolumeMounts(deployment);
+    validateEnvironmentVariables(deployment);
+  }
+});
+
+export function validateEnvironmentVariables(deployment: V1Deployment) {
+  if (
+    !deployment.spec ||
+    !deployment.spec.template.spec ||
+    !deployment.spec.template.spec.containers ||
+    deployment.spec.template.spec.containers.length === 0 ||
+    !deployment.spec.template.spec.containers[0].env
+  ) {
+    fail('bad container spec or missing env');
+  }
+
+  const env = deployment.spec.template.spec.containers[0].env;
+
+  const envHasHomeEntry = env.some(
+    (entry) => entry.name === 'HOME' && entry.value === '/srv/app',
+  );
+  expect(envHasHomeEntry).toBeTruthy();
+}
+
+export function validateSecureConfiguration(deployment: V1Deployment) {
+  if (
+    !deployment.spec ||
+    !deployment.spec.template.spec ||
+    !deployment.spec.template.spec.containers ||
+    deployment.spec.template.spec.containers.length === 0 ||
+    !deployment.spec.template.spec.containers[0].securityContext
+  ) {
+    fail('bad container spec or missing securityContext');
+  }
+
+  const securityContext =
+    deployment.spec.template.spec.containers[0].securityContext;
+
+  if (!securityContext.capabilities) {
+    fail('missing capabilities section in pod securityContext');
+  }
+
+  expect(securityContext.capabilities.drop).toEqual(['ALL']);
+
+  if (securityContext.capabilities.add) {
+    expect(securityContext.capabilities.add.includes('SYS_ADMIN')).toEqual(
+      false,
+    );
+  }
+
+  expect(securityContext.readOnlyRootFilesystem).toEqual(true);
+
+  expect(securityContext.allowPrivilegeEscalation).toEqual(false);
+  expect(securityContext.privileged).toEqual(false);
+  expect(securityContext.runAsNonRoot).toEqual(true);
+}
+
+export function validateVolumeMounts(deployment: V1Deployment) {
+  if (
+    !deployment.spec ||
+    !deployment.spec.template.spec ||
+    !deployment.spec.template.spec.containers ||
+    deployment.spec.template.spec.containers.length === 0 ||
+    !deployment.spec.template.spec.containers[0].volumeMounts
+  ) {
+    fail('bad container spec or missing volumeMounts');
+  }
+
+  const volumeMounts = deployment.spec.template.spec.containers[0].volumeMounts;
+
+  const temporaryStorageMount = volumeMounts.find(
+    (mount) => mount.name === 'temporary-storage',
+  );
+  if (!temporaryStorageMount) {
+    fail('missing deployment mount "temporary-storage"');
+  }
+
+  expect(temporaryStorageMount.mountPath).toEqual('/var/tmp');
+
+  const dockerConfigMount = volumeMounts.find(
+    (mount) => mount.name === 'docker-config',
+  );
+  if (!dockerConfigMount) {
+    fail('missing deployment mount "docker-config"');
+  }
+
+  expect(dockerConfigMount.readOnly).toEqual(true);
+  expect(dockerConfigMount.mountPath).toEqual('/srv/app/.docker');
+}
@@ -0,0 +1,35 @@
+import * as credentials from '../../../src/scanner/images/credentials';
+
+describe('ECR image parsing tests', () => {
+  test('ecrRegionFromFullImageName()', async () => {
+    const imageFullNameTemplate = 'aws_account_id.dkr.ecr.region.amazonaws.com/my-web-app:latest';
+    const ecrRegionTemplate = credentials.ecrRegionFromFullImageName(imageFullNameTemplate);
+    expect(ecrRegionTemplate).toEqual('region');
+
+    const imageFullName = '291964488713.dkr.ecr.us-east-2.amazonaws.com/snyk/debian:10';
+    const ecrRegion = credentials.ecrRegionFromFullImageName(imageFullName);
+    expect(ecrRegion).toEqual('us-east-2');
+
+    expect(() => {credentials.ecrRegionFromFullImageName('');}).toThrow();
+    expect(() => {credentials.ecrRegionFromFullImageName('dkr.ecr.region.amazonaws.com/my-web-app:latest');}).toThrow();
+    expect(() => {credentials.ecrRegionFromFullImageName('aws_account_id.dkr.ecr.amazonaws.com/my-web-app:latest');}).toThrow();
+    expect(() => {credentials.ecrRegionFromFullImageName('aws_account_id.dkr.ecr.region.amazonaws.com');}).toThrow();
+  });
+
+  test('isEcrSource()', async () => {
+    const sourceCredentialsForRandomImageName = credentials.isEcrSource('derka');
+    expect(sourceCredentialsForRandomImageName).toEqual(false);
+
+    const sourceCredentialsForInvalidEcrImage = credentials.isEcrSource('derka.ecr.derka');
+    expect(sourceCredentialsForInvalidEcrImage).toEqual(false);
+
+    const sourceCredentialsForEcrImage = credentials.isEcrSource('aws_account_id.dkr.ecr.region.amazonaws.com/my-web-app:latest');
+    expect(sourceCredentialsForEcrImage).toEqual(true);
+
+    const sourceCredentialsForEcrImageWithRepo = credentials.isEcrSource('a291964488713.dkr.ecr.us-east-2.amazonaws.com/snyk/debian:10');
+    expect(sourceCredentialsForEcrImageWithRepo).toEqual(true);
+
+    const sourceCredentialsForEcrImageMixedCase = credentials.isEcrSource('aws_account_id.dKr.ecR.region.amazonAWS.cOm/my-web-app:latest');
+    expect(sourceCredentialsForEcrImageMixedCase).toEqual(true);
+  });
+});