feat(COD-6201): Docker approach of running the codesec GHA - unified scanning of both SCA and IaC #244
baltoiteodor wants to merge 11 commits into main from
force-pushed b5a3559 to ffb930e
Commits:
- unified scanner docker image
- unified scanner docker image
- debug + erase macOS runner
- debug...
- debug testing
- clean
- add back the generateUILink
- clean
- added env-file to docker for iac
- added env-file to docker for iac
- code-scanning-path argument missed
force-pushed 5ba91d4 to 57c7727
env:
  LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_CAT }}
  LW_API_KEY: ${{ secrets.LW_API_KEY_CAT }}
  LW_API_SECRET: ${{ secrets.LW_API_SECRET_CAT }}
I think this can be reverted now that I fixed the SCA scan
disable iac scanning for now
'-e',
`LW_ACCOUNT=${lwAccount}`,
'-e',
`LW_API_KEY=${lwApiKey}`,
'-e',
`LW_API_SECRET=${lwApiSecret}`,
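Review bot: the three `-e NAME=value` arguments place the values of LW_API_KEY and LW_API_SECRET in the docker client's argv, where any other process on the runner can read them from the process table and where they can surface in debug output of the spawned command. Since the values are already present in the action's own environment, pass the name only (`'-e', 'LW_API_KEY'`), which makes docker copy the variable from the client's environment, or use `--env-file` as the IaC path in this PR already does, so the secret values never appear on the command line.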
Why do you need to do this? Are the environment variables inherited when invoking docker?
Env vars I believe are not inherited and need to be passed to docker.
This code then re-introduces the "security issue" addressed in #251
    description: 'If a comment was posted, a link to this comment'
    value: ${{ steps.run-analysis.outputs.comment-posted }}
runs:
  using: 'composite'
Could we use
  using: "docker"
  image: "docker://lacework/codesec:stable"
here instead of invoking the docker CLI within the code?
I think this implies many changes to the docker image. The orchestration logic that currently lives in codesecRun() would need to move into the Docker image's entrypoint and I think some other changes + a redo of this whole PR.
My understanding is that using this image means that the running environment can access the scan and compare command directly but I am also not super familiar with the GitHub Actions APIs.
The alternative is to include a Dockerfile which inherits from lacework/codesec:stable but also contains the JavaScript code contained in this repository. This is the approach we will need to follow for GitLab.
I can have a look at an approach for the docker image inheriting from codesec:stable as this indeed will be what we do for gitlab as well. Two birds with one stone...
Linked JIRA issue(s) - Required
https://lacework.atlassian.net/browse/COD-6201
Description
NOTE: At the moment, we launch this with IaC disabled so as to make sure we have 1:1 scanning parity for SCA first.
Migrated the GitHub Action from the Lacework CLI-based scanner to a Docker-based unified scanner (lacework/codesec:latest).
Changes:
Potential Breaking changes:
Tests and additional notes
Integration tests:
Testing Action on WebGoat, using lacework UEDEMO prod credentials:
PR workflow:
Scenario 1 - Only SCA originated violations: https://github.com/lacework-dev/WebGoat/pull/173
Scenario 2 - Only IaC originated violations: https://github.com/lacework-dev/WebGoat/pull/174
Scenario 3 - Combined violations: https://github.com/lacework-dev/WebGoat/pull/172
Push workflow:
Lacework UI IaC results are under "pipelines" - webgoat repo: https://uedemo.lacework.net/ui/investigation/codesec/iac/assessments/5c2840e6-a3d5-477e-ab34-01799724db40
SCA results are not in the UI as the scan is not done on the main branch.
Notes: