New action: Scan single image

Author: dervoeti

.github/workflows/scan.yaml

@@ -26,4 +26,4 @@ jobs:
         run: poetry install
       - name: Scan all images of the release
         id: scan
-        run: poetry run python stack_scanner/main.py ${{ matrix.release }} ${{ secrets.SECOBSERVE_API_TOKEN }}
+        run: poetry run python stack_scanner/main.py scan-release ${{ secrets.SECOBSERVE_API_TOKEN }} ${{ matrix.release }}

.github/workflows/scan_single_image.yml

@@ -0,0 +1,31 @@
+name: Scan single image
+on:
+  workflow_dispatch:
+    inputs:
+      product_name:
+        description: 'Product name in SecObserve (example: hbase)'
+        required: true
+      product_version:
+        description: 'Product version in SecObserve (example: 2.4.17-stackable24.3.0)'
+        required: true
+      image:
+        description: 'Location of the image (example: oci.stackable.tech/sdp/hbase:2.4.17-stackable24.3.0)'
+        required: true
+
+jobs:
+  scan_image:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: 3.11
+      - name: Run image
+        uses: abatilo/actions-poetry@v2
+        with:
+          poetry-version: 1.7.1
+      - name: Install deps
+        run: poetry install
+      - name: Scan image
+        id: scan
+        run: poetry run python stack_scanner/main.py scan-image ${{ secrets.SECOBSERVE_API_TOKEN }} ${{ github.event.inputs.image }} ${{ github.event.inputs.product_name }} ${{ github.event.inputs.product_version }}

stack_scanner/main.py

@@ -19,83 +19,114 @@
 
 
 def main():
-    if len(sys.argv) < 3:
-        print("Usage: python main.py <release> <secobserve_api_token>")
+    if len(sys.argv) < 4:
+        print(
+            "Usage:\n"
+            "python main.py scan-release <secobserve_api_token> <release>\n"
+            "or\n"
+            "python main.py scan-image <secobserve_api_token> <image> <product_name> <product_version>"
+        )
         sys.exit(1)
 
     os.makedirs("/tmp/stackable", exist_ok=True)
     os.system("rm -rf /tmp/stackable/*")
 
     with tempfile.TemporaryDirectory() as tempdir:
-        release = sys.argv[1]
-        secobserve_api_token = sys.argv[2]
-        # Create a file in the temp dir and download the conf.py from the git tag referring to that version
-        filename = os.path.join(tempdir, f"products-{release}.py")
-        branch = release
-        if release == "0.0.0-dev":
-            branch = "main"
-        url = f"https://raw.githubusercontent.com/stackabletech/docker-images/{branch}/conf.py"
-        oldurl = f"https://raw.githubusercontent.com/stackabletech/docker-images/{branch}/image_tools/conf.py"
-        print(
-            f"Loading product config for version [{release}] from [{url}] (via file [{filename}]"
-        )
-        try:
-            urlretrieve(url, filename)
-        except:
+        # dump argv to console
+        print(sys.argv)
+        if sys.argv[1] == "scan-image":
+            secobserve_api_token = sys.argv[2]
+            image = sys.argv[3]
+            product_name = sys.argv[4]
+            product_version = sys.argv[5]
+            scan_image(secobserve_api_token, image, product_name, product_version)
+            sys.exit(0)
+        else:
+            secobserve_api_token = sys.argv[2]
+            release = sys.argv[3]
+            # Create a file in the temp dir and download the conf.py from the git tag referring to that version
+            filename = os.path.join(tempdir, f"products-{release}.py")
+            branch = release
+            if release == "0.0.0-dev":
+                branch = "main"
+            url = f"https://raw.githubusercontent.com/stackabletech/docker-images/{branch}/conf.py"
+            oldurl = f"https://raw.githubusercontent.com/stackabletech/docker-images/{branch}/image_tools/conf.py"
             print(
-                f"Got 404 for release file, falling back to old file location [{oldurl}]"
+                f"Loading product config for version [{release}] from [{url}] (via file [{filename}]"
             )
             try:
-                urlretrieve(oldurl, filename)
+                urlretrieve(url, filename)
             except:
-                print(f"Unable to retrieve config file for release [{release}]")
-                sys.exit(1)
-
-        operators = ["airflow", "commons", "druid", "hbase", "hdfs", "hello-world", "hive", "kafka", "listener", "nifi", "opa", "secret", "spark-k8s", "superset", "trino", "zookeeper"]
-
-        for operator_name in operators:
-            scan_image(secobserve_api_token, f"{operator_name}-operator", release)
-
-        # Free up space after scanning operators
-        os.system(
-            'docker system prune -f'
-        )
-        os.system(
-            'docker system prune -f -a --filter="label=vendor=Stackable GmbH"'
-        )
-
-        # Load product versions from that file using the image-tools functionality
-        product_versions = load_configuration(filename)
-
-        for product in product_versions.products:
-            product_name: str = product["name"]
-
-            if product_name in excluded_products:
-                continue
-            for version_dict in product.get("versions", []):
-                product_version: str = version_dict["product"]
-
-                scan_image(secobserve_api_token, product_name, f"{product_version}-stackable{release}")
-
-            # Free up space after each product scan
-            os.system(
-                'docker system prune -f'
-            )
-            os.system(
-                'docker system prune -f -a --filter="label=vendor=Stackable GmbH"'
-            )
-
-def scan_image(secobserve_api_token: str, product_name: str, image_tag: str) -> None:
+                print(
+                    f"Got 404 for release file, falling back to old file location [{oldurl}]"
+                )
+                try:
+                    urlretrieve(oldurl, filename)
+                except:
+                    print(f"Unable to retrieve config file for release [{release}]")
+                    sys.exit(1)
+
+            operators = [
+                "airflow",
+                "commons",
+                "druid",
+                "hbase",
+                "hdfs",
+                "hello-world",
+                "hive",
+                "kafka",
+                "listener",
+                "nifi",
+                "opa",
+                "secret",
+                "spark-k8s",
+                "superset",
+                "trino",
+                "zookeeper",
+            ]
+
+            for operator_name in operators:
+                product_name = f"{operator_name}-operator"
+                scan_image(secobserve_api_token, f"{REGISTRY_URL}/stackable/{product_name}:{release}", product_name, release)
+
+            # Free up space after scanning operators
+            os.system("docker system prune -f")
+            os.system('docker system prune -f -a --filter="label=vendor=Stackable GmbH"')
+
+            # Load product versions from that file using the image-tools functionality
+            product_versions = load_configuration(filename)
+
+            for product in product_versions.products:
+                product_name: str = product["name"]
+
+                if product_name in excluded_products:
+                    continue
+                for version_dict in product.get("versions", []):
+                    version: str = version_dict["product"]
+                    product_version = f"{version}-stackable{release}"
+                    scan_image(
+                        secobserve_api_token,
+                        f"{REGISTRY_URL}/stackable/{product_name}:{product_version}",
+                        product_name,
+                        product_version,
+                    )
+
+                # Free up space after each product scan
+                os.system("docker system prune -f")
+                os.system(
+                    'docker system prune -f -a --filter="label=vendor=Stackable GmbH"'
+                )
+
+
+def scan_image(secobserve_api_token: str, image: str, product_name: str, product_version: str) -> None:
     # Run Trivy
     env = {}
-    env["TARGET"] = (
-        f"{REGISTRY_URL}/stackable/{product_name}:{image_tag}"
-    )
+    env["TARGET"] = image
     env["SO_UPLOAD"] = "true"
     env["SO_PRODUCT_NAME"] = product_name
     env["SO_API_BASE_URL"] = "https://secobserve-backend.stackable.tech"
     env["SO_API_TOKEN"] = secobserve_api_token
-    env["SO_BRANCH_NAME"] = image_tag
+    env["SO_BRANCH_NAME"] = product_version
     env["TMPDIR"] = "/tmp"
     env["REPORT_NAME"] = "trivy.json"
 
@@ -146,5 +177,6 @@ def scan_image(secobserve_api_token: str, product_name: str, image_tag: str) ->
 
     subprocess.run(cmd)
 
+
 if __name__ == "__main__":
     main()