awslabs / automated-security-helper

https://awslabs.github.io/automated-security-helper/
Apache License 2.0

Finch on Ash #67

Open Shubhranshu153 opened 4 months ago

Shubhranshu153 commented 4 months ago

I am from the Finch team and have had a few people reach out to me about how to use ASH with Finch on Windows, so I want to understand the ASH architecture better.

From the readme it appears ASH runs from inside the WSL environment. If it calls the finch command from inside WSL, I would assume it would fail, as it is not installed inside that environment; rather, it is installed in the Windows environment. So I am not sure how ASH achieves this communication, let's say even with Docker, as Docker is also installed in the Windows environment. Any pointers are helpful.

Thank You

scrthq commented 3 months ago

hey @Shubhranshu153 -- thank you for raising this! We need to update our documentation to reflect recent changes in ASH which allow it to work as expected within Windows environments. We have a newer helper script which will help abstract the OCI runtime CLI calls underneath with PowerShell support, making the only notion of WSL in the context of running ASH be as a prerequisite to run most Linux container engines on Windows.

I am going to keep this open to track the need for documentation updates, but anyone in the meantime can be directed here temporarily:

Running ASH on Windows

  1. Install your preferred Linux container engine such as Finch
  2. Open PowerShell
  3. Clone the ASH repository to your preferred location: git clone https://github.com/awslabs/automated-security-helper.git
  4. Run the ash_helpers.ps1 script from the utils directory in this repository to load the Invoke-ASH helper function into your current PowerShell session: . ./automated-security-helper/utils/ash_helpers.ps1
  5. Validate that you have the function available by viewing the help details for the function Get-Help Invoke-ASH -Full:
$ Get-Help Invoke-ASH -Full

NAME
    Invoke-ASH

SYNOPSIS
    Provides a PowerShell entrypoint to build and invoke ASH as a container executable.

SYNTAX
    Invoke-ASH [[-SourceDir] <String>] [-OutputDir <String>] [[-AshArgs] <String>] [-OCIRunner <String>] [-AshImageName <String>] [-NoBuild] [-NoRun]
    [<CommonParameters>]

DESCRIPTION
    Provides a PowerShell entrypoint to build and invoke ASH as a container executable.

PARAMETERS
    -SourceDir <String>
        The source directory to scan with ASH.

        Defaults to the current working directory.

        Required?                    false
        Position?                    1
        Default value                $PWD.Path
        Accept pipeline input?       false
        Accept wildcard characters?  false

    -OutputDir <String>
        The output directory for ASH results to be stored in.

        Defaults to `ash_output` within the current working directory.

        Required?                    false
        Position?                    named
        Default value                $(Join-Path $PWD.Path 'ash_output')
        Accept pipeline input?       false
        Accept wildcard characters?  false

    -AshArgs <String>
        Additional arguments to pass to ASH.

        Required?                    false
        Position?                    2
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?  false

    -OCIRunner <String>
        Preferred OCI runner CLI tool to use, e.g. `docker`, `finch`, `nerdctl`, or `podman`.

        Supports tab-completion of common OCI runner CLI tools or overriding to provide
        something else entirely.

        Defaults to `$env:ASH_OCI_RUNNER` if set, otherwise attempts to resolve based on the
        first found executable in PATH.

        Required?                    false
        Position?                    named
        Default value                $env:ASH_OCI_RUNNER
        Accept pipeline input?       false
        Accept wildcard characters?  false

    -AshImageName <String>

        Required?                    false
        Position?                    named
        Default value                $(if ($null -ne $env:ASH_IMAGE_NAME) {
                    $env:ASH_IMAGE_NAME
                } else {
                    "automated-security-helper:local"
                })
        Accept pipeline input?       false
        Accept wildcard characters?  false

    -NoBuild [<SwitchParameter>]
        If $true, skips the `OCI_RUNNER build ...` call.

        Requires target image tag to be present on the host already, either through a previous
        build or by pulling from a registry.

        Required?                    false
        Position?                    named
        Default value                False
        Accept pipeline input?       false
        Accept wildcard characters?  false

    -NoRun [<SwitchParameter>]
        If $true, skips the `OCI_RUNNER run ...` call.

        Used primarily when a rebuild is needed during development of ASH, but a re-run of
        the ASH scan is not needed after build.

        Required?                    false
        Position?                    named
        Default value                False
        Accept pipeline input?       false
        Accept wildcard characters?  false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer, PipelineVariable, and OutVariable. For more information, see
        about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS

OUTPUTS

    -------------------------- EXAMPLE 1 --------------------------

    PS > Invoke-ASH -SourceDir ./dummy_files -OCIRunner finch -AshArgs '--quiet --force' -Verbose

    -------------------------- EXAMPLE 2 --------------------------

    PS > Get-Help Invoke-ASH

RELATED LINKS
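
The five steps above, driven from one PowerShell session, as an added example that is not part of the ASH project or of the comment above. It assumes a clone location under `$HOME`, a placeholder target directory, and a runner search order (finch, docker, nerdctl, podman) that mirrors the "first found executable in PATH" fallback the help text describes; the `Invoke-ASH` parameters used are the ones shown in the help output.

```powershell
# Added example (not ASH project code): run the documented Windows steps end-to-end.
# Adjust $ashRepo and $target to your own paths.
$ErrorActionPreference = 'Stop'

# Step 1 check: honour ASH_OCI_RUNNER if set, otherwise take the first OCI runner CLI
# found on PATH. The search order here is an assumption; the help only says "first found".
$runner = $env:ASH_OCI_RUNNER
if (-not $runner) {
    $runner = @('finch', 'docker', 'nerdctl', 'podman') |
        Where-Object { Get-Command $_ -ErrorAction SilentlyContinue } |
        Select-Object -First 1
}
if (-not $runner) { throw 'No OCI runner CLI (finch/docker/nerdctl/podman) found on PATH.' }
Write-Host "Using OCI runner: $runner"

# Step 3: clone ASH once and reuse the checkout on later runs.
$ashRepo = Join-Path $HOME 'automated-security-helper'    # assumed clone location
if (-not (Test-Path (Join-Path $ashRepo 'utils/ash_helpers.ps1'))) {
    git clone https://github.com/awslabs/automated-security-helper.git $ashRepo
}

# Step 4: dot-source the helper script so Invoke-ASH exists in this session.
. (Join-Path $ashRepo 'utils/ash_helpers.ps1')

# Step 5: confirm the function is actually loaded before depending on it.
if (-not (Get-Command Invoke-ASH -ErrorAction SilentlyContinue)) {
    throw 'Invoke-ASH was not loaded; check the path to ash_helpers.ps1.'
}

# Scan a project into an explicit output directory, passing the same ASH
# arguments and -Verbose switch that Example 1 of the help uses.
$target = 'C:\src\my-project'                              # placeholder target
$outDir = Join-Path $target 'ash_output'
Invoke-ASH -SourceDir $target -OutputDir $outDir -OCIRunner $runner -AshArgs '--quiet --force' -Verbose

# List what the scan produced under the output directory.
Get-ChildItem -Path $outDir -Recurse -File | Select-Object FullName, Length
```

On later runs, once the image tag is already present on the host, `-NoBuild` skips the `build` call and goes straight to the scan; `-NoRun` does the opposite and is useful only when rebuilding the image.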

climbertjh2 commented 3 months ago

Yes, the documentation indicating the use of WSL for running ASH is now outdated. It was written before the latest overhaul of how ASH makes use of containers to run.

KyleBooth commented 1 month ago

I am trying to get ASH working on Windows using Docker. When I follow the above instructions, the image builds fine in Docker but I end up with the following error: exec /ash/ash: no such file or directory

If I include the -NoRun tag, everything works fine.

scrthq commented 1 month ago

hey @KyleBooth - Thanks for working with me on this earlier today. I was able to reproduce the issue locally on my PC: CRLF line endings ended up in the repo and subsequently in the build container when building on Windows, resulting in syntax errors once ash was being invoked within the container. I've opened PR #98 to address your issue and have confirmed I'm able to build and scan locally as well.

Note: This particular issue was not Finch-specific, and this issue remains open to update the docs. We are keeping this issue open but have updated the steps because of this issue; we will document them and ultimately close this issue out as well.
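
A pre-build check for the failure KyleBooth hit, as an added example that is neither ASH project code nor the change in PR #98. It assumes the clone sits under `$HOME` and treats files with a `.sh`/`.bash` extension, extensionless files, or any file starting with `#!` as scripts. The mechanism behind the symptom is a general one: when a script's `#!/bin/sh` line ends in `\r`, the kernel looks for an interpreter literally named `/bin/sh\r`, and the container reports `exec ...: no such file or directory` at start-up.

```powershell
# Added example (not ASH project code): find and normalize CRLF script files in a
# checkout before the image is built on Windows.

function Find-CrlfScripts {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Extensions treated as scripts; '' covers extensionless entrypoints such as "ash".
        [string[]] $Extensions = @('.sh', '.bash', '')
    )
    Get-ChildItem -Path $Path -Recurse -File |
        Where-Object { $_.FullName -notmatch '[\\/]\.git[\\/]' } |
        ForEach-Object {
            # ReadAllText keeps the CR bytes, unlike Get-Content's line splitting.
            $text = [System.IO.File]::ReadAllText($_.FullName)
            $isScript = ($Extensions -contains $_.Extension) -or $text.StartsWith('#!')
            if ($isScript -and $text.Contains("`r`n")) {
                [pscustomobject]@{
                    File    = $_.FullName
                    Shebang = ($text -split "`n", 2)[0].TrimEnd("`r")
                }
            }
        }
}

# Rewrite CRLF to LF in place; UTF-8 without BOM so the shebang stays the first two bytes.
function Convert-ToLf {
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)] [string] $File)
    process {
        $text = [System.IO.File]::ReadAllText($File)
        $utf8 = New-Object System.Text.UTF8Encoding($false)
        [System.IO.File]::WriteAllText($File, $text.Replace("`r`n", "`n"), $utf8)
    }
}

$ashRepo = Join-Path $HOME 'automated-security-helper'   # assumed clone location
$bad = @(Find-CrlfScripts -Path $ashRepo)
if ($bad.Count -gt 0) {
    $bad | Format-Table -AutoSize
    $bad | Convert-ToLf
    Write-Host "Normalized $($bad.Count) file(s) to LF; rebuild the image with Invoke-ASH before scanning."
} else {
    Write-Host 'No CRLF script files found; safe to build.'
}
```

Running this against a fresh clone tells you whether the checkout, rather than the image build, is what introduced the CRLF bytes; cloning with `git config core.autocrlf false` set beforehand avoids the conversion in the first place.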