Initial support for image scanning (#989)
* initial support for image vulnerability scanning

* adds: flag for vul scanning and human readable output support

* Adds: unit test cases and code refactoring

* made vulnerability methods mockable

* adds: documentation for vulnerability scanning

* adds: support google artifact registry

* updates docs

* updates flag message

* fixes: tf file image extraction and e2e test

Co-authored-by: Cesar Rodriguez <cesar@accurics.com>
Rchanger and Cesar Rodriguez authored Aug 22, 2021
1 parent 6ae1274 commit 01184ad
Showing 39 changed files with 3,650 additions and 135 deletions.
12 changes: 12 additions & 0 deletions README.md
Expand Up @@ -30,6 +30,7 @@ Terrascan is a static code analyzer for Infrastructure as Code. Terrascan allows
* Scanning of Kubernetes (JSON/YAML), Helm v3, and Kustomize v3
* Scanning of Dockerfiles
* Support for AWS, Azure, GCP, Kubernetes, Dockerfiles, and GitHub
* Integrates with docker image vulnerability scanning for AWS, Azure, GCP container registries.

## Quick Start

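Review bot: the new feature bullet `* Integrates with docker image vulnerability scanning for AWS, Azure, GCP container registries.` names cloud providers where the rest of this README names products; the "Docker Image Vulnerabilities" section added below lists ECR, Azure Container Registry, Google Container Registry and Google Artifact Registry, so list those here too (GCP has two distinct registries with different APIs) and capitalise "Docker" as the neighbouring "Scanning of Dockerfiles" bullet does.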
Expand Down Expand Up @@ -121,6 +122,17 @@ By default, Terrascan downloads policies from Terrascan repositories while scann

Note: The scan command will implicitly run the initialization process if there are no policies found.

## Docker Image Vulnerabilities
You can use the `--find-vuln` flag to collect vulnerabilities as reported in its registry as part of Terrascan's output. Currently Terrascan supports Elastic Container Registry (ECR), Azure Container Registry, Google Container Registry, and Google Artifact Registry.

The `--find-vuln` flag can be used when scanning IaC files as follows:

```
$ terrascan scan -i <IaC provider> --find-vuln
```

For more information and explanation of how to setup your environment to authenticate with the registrie's APIs see the [usage](https://runterrascan.io/docs/usage/command_line_mode/) documentation.

## Customizing scans

By default, Terrascan scans your entire configuration against all policies. However, Terrascan supports granular configuration of policies and resources.
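Review bot: "as reported in its registry" has no antecedent for "its", and `registrie's` in the last paragraph should be `registries'`; suggest "collect, for every container image referenced in the scanned IaC, the vulnerabilities reported by that image's container registry". The section should also state plainly that `--find-vuln` turns a previously offline, credential-free scan into one that calls registry APIs over the network with the cloud credentials described in the usage doc, since that is the operational change a CI user needs to know before enabling the flag.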
48 changes: 45 additions & 3 deletions docs/usage/command_line_mode.md
Expand Up @@ -63,11 +63,12 @@ $ terrascan scan
```

The `scan` command supports flags to configure the following:
- Specify a directory to be scanned.
- Specify a particular IaC file to be scanned.
- Specify a directory to be scanned
- Specify a particular IaC file to be scanned
- Configure IaC provider type
- Directory path to policies
- Specify policy type.
- Specify policy type
- Retrieve vulnerability scanning results from docker images referenced in IaC

The full list of flags for the scan command can be found by typing
`terrascan scan -h`
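Review bot: the new bullet `- Retrieve vulnerability scanning results from docker images referenced in IaC` should say "Docker" (capitalised, as in the "Scanning a Dockerfile" heading in this file) and, like the other bullets in this list, describe the flag's effect rather than a result, e.g. "Fetch vulnerabilities reported by the container registry for Docker images referenced in the IaC".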
Expand Down Expand Up @@ -158,6 +159,7 @@ $ terrascan scan -i kustomize
This command looks for a `kustomization.yaml` file in the current directory and scans rendered .yaml or .yml template files.

A specific directory to scan can be specified using the `-d` flag. The Kustomize IaC provider does not support scanning of individual files using the `-f` flag.

### Scanning a Dockerfile

A Dockerfile can be scanned by specifying "docker" on the -i flag as follows:
Expand All @@ -170,6 +172,44 @@ This command looks for a `Dockerfile` in the current directory and scans that fi

A specific directory to scan can be specified using the `-d` flag. With the `-d` flag, it will check for all the docker files (named as `Dockerfile`) in the provided directory recursively. A specific dockerfile can be scanned using `-f` flag by providing a path to the file.

### Retrieve Docker Image Vulnerabilities

Terrascan can display vulnerabilities for Docker images present in the IaC files being scanned by specifying the `--find-vuln` flag along with the scan command as follows:

```
$ terrascan scan -i <IaC Provider> --find-vuln
```

This command looks for all the Docker images present in the IaC files being scanned and retrieves any vulnerabilities as reported by it's container registry. Supported container registries include: AWS Elastic Container Registry (ECR), Azure Container Registry, Google Container Registry, and Google Artifact Registry.

The following environment variables are required when connecting to the container registries:

#### AWS Elastic Container Registry (ECR)

ECR requires your environment to be configured similar to the requirements of AWS's SDK. For example, the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION` environment variables can be set when connecting to AWS using API keys for an AWS user. More information [here](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html).

#### Google Container Registry and Artifact Registry

Terrascan requires a service account with access to the Container Analysis and Container Registry permissions. The `GOOGLE_APPLICATION_CREDENTIALS` environment variable can be set to the path of the service account's key when scanning. More information about GCP authentication available [here](https://cloud.google.com/docs/authentication/getting-started).

#### Azure Container Registry

When integrating vulnerability results from Azure, Terrascan requires the `AZURE_AUTH_LOCATION`, and `AZURE_ACR_PASSWORD` environment variables.

The `AZURE_AUTH_LOCATION` should contain the path to your azure authentication json. You can generate this as follows:

``` Bash
az ad sp create-for-rbac --sdk-auth > azure.auth
```

After generating the file, set the `azure.auth` file path as the `AZURE_AUTH_LOCATION` environment variable. More information about using file based authentication for the Azure SDK available [here](https://docs.microsoft.com/en-us/azure/developer/go/azure-sdk-authorization#use-file-based-authentication).

Terrascan also requires the password to the registry set into the `AZURE_ACR_PASSWORD` environment variable. This can be fetched using the az cli as follows:

``` Bash
az acr credential show --name RegistryName
```

### Resource Config
While scanning a IaC, Terrascan loads all the IaC files, creates a list of resource configs and then processes this list to report violations. For debugging purposes, you can print this resource configs list as an output by using the `--config-only` flag to the `terrascan scan` command.

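Review bot: the Azure instructions hand out more privilege than the feature needs and should say so. `az ad sp create-for-rbac --sdk-auth > azure.auth` is shown without `--role` or `--scopes`, so the service principal is created with the CLI's default role assignment instead of a read-only assignment scoped to the registry whose vulnerability results are being read; document the minimal role and pass `--scopes` to the registry resource. The resulting `azure.auth` file holds the client secret in cleartext, so the doc should tell users to keep it outside the repository they are scanning. `az acr credential show --name RegistryName` returns the registry's admin-user credentials, which exist only when the admin user is enabled on the registry and grant full push and pull rights; explain why this second credential is required in addition to the service principal, and name the username Terrascan sends with it, since only `AZURE_ACR_PASSWORD` is listed as an environment variable. Smaller fixes in the same hunk: "as reported by it's container registry" should be "its"; drop the stray comma in "requires the `AZURE_AUTH_LOCATION`, and `AZURE_ACR_PASSWORD`"; the GCP paragraph says "access to the Container Analysis and Container Registry permissions" without naming the IAM roles a user should grant; and the two ` ``` Bash ` fences (leading space, capital B) should match the untagged fences used elsewhere in this file or use a lowercase `bash` tag.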
Expand Down Expand Up @@ -216,6 +256,7 @@ aws_ecr_repository:
| |use-colours |Configure the color for output (**auto**, t, f) |
|--non-recursive |Use this for non recursive directories and modules scan | By default directory is scanned recursively, if this flag is used then only provided root directory will be scanned|
|--use-terraform-cache |Use this to refer terraform remote modules from terraform init cache rather than downloading | By default remote module will be downloaded in temporary directory. If this flag is set then modules will be refered from terraform init cache if module is not present in terraform init cache it will be downloaded. Directory will be scanned non recurively if this flag is used.(applicable only with terraform IaC provider)|
| --find-vuln | find vulnerbilities | Use this to fetch vulnerabilities identified on the registry for docker images present in IaC the files scanned |
| -v | verbose | Displays violations with all details |

| Global flags | Description | Options |
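Review bot: the added table row `| --find-vuln | find vulnerbilities | Use this to fetch vulnerabilities identified on the registry for docker images present in IaC the files scanned |` has a typo ("vulnerbilities"), a word-order slip ("in IaC the files scanned" should be "in the IaC files scanned"), and cell spacing that differs from the neighbouring `|--non-recursive |` and `|--use-terraform-cache |` rows; also worth saying in the description that registry credentials must be configured, as the other rows note their preconditions in the third column.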
Expand All @@ -242,6 +283,7 @@ Usage:
Flags:
--categories strings list of categories of violations to be reported by terrascan (example: --categories="category1,category2")
--config-only will output resource config (should only be used for debugging purposes)
--find-vuln fetches vulnerabilities identified in Docker images
-h, --help help for scan
-d, --iac-dir string path to a directory containing one or more IaC files (default ".")
-f, --iac-file string path to a single IaC file
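Review bot: `--find-vuln fetches vulnerabilities identified in Docker images` reads as if Terrascan scans the images itself, whereas the section above says the findings come from the image's container registry; make the help text say that and mention the credential requirement, e.g. `--find-vuln fetch vulnerabilities reported by the container registry for Docker images referenced in the IaC (requires registry credentials)`.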
9 changes: 9 additions & 0 deletions go.mod
Expand Up @@ -10,15 +10,22 @@ replace (
)

require (
cloud.google.com/go v0.65.0
github.com/Azure/azure-sdk-for-go v56.2.0+incompatible
github.com/Azure/go-autorest/autorest v0.11.18
github.com/Azure/go-autorest/autorest/azure/auth v0.4.2
github.com/BurntSushi/toml v0.4.1 // indirect
github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
github.com/VerbalExpressions/GoVerbalExpressions v0.0.0-20200410162751-4d76a1099a6e
github.com/aws/aws-sdk-go v1.37.0
github.com/aws/aws-sdk-go-v2/config v1.5.0
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.3.2
github.com/aws/aws-sdk-go-v2/service/s3 v1.11.1
github.com/aws/smithy-go v1.6.0
github.com/awslabs/goformation/v4 v4.19.1
github.com/ghodss/yaml v1.0.0
github.com/go-errors/errors v1.0.1
github.com/google/go-containerregistry v0.1.2
github.com/google/uuid v1.2.0
github.com/gorilla/handlers v1.5.1
github.com/gorilla/mux v1.8.0
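Review bot: `github.com/google/go-containerregistry v0.1.2` is an early tag of the library that will parse image references taken from user-supplied IaC and talk to registries, so confirm it is the current release before pinning it as a new direct dependency rather than an old one picked up from a transitive requirement. The module already requires `github.com/aws/aws-sdk-go-v2/config v1.5.0` and `github.com/aws/aws-sdk-go-v2/service/s3 v1.11.1`; if `github.com/aws/aws-sdk-go v1.37.0` is being introduced here for ECR, prefer the v2 ECR service module so the project does not carry two SDK generations with two separate credential-resolution chains. `github.com/Azure/azure-sdk-for-go v56.2.0+incompatible` and `github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible` are consumed without a go.mod of their own (`+incompatible`), so their transitive requirements are not tracked by the module graph; check that the indirect versions `go mod tidy` selects are the intended ones.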
Expand Down Expand Up @@ -49,6 +56,8 @@ require (
go.uber.org/zap v1.16.0
golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069
golang.org/x/tools v0.1.5 // indirect
google.golang.org/api v0.34.0
google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a
gopkg.in/src-d/go-git.v4 v4.13.1
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
helm.sh/helm/v3 v3.6.1