jenkinsci / amazon-inspector-image-scanner-plugin


How to use ECR login for Amazon Inspector Jenkins plugin ? #58

Closed spu-xb01 closed 4 months ago

spu-xb01 commented 5 months ago

Describe your use-case which is not covered by existing documentation.

https://docs.aws.amazon.com/inspector/latest/user/cicd-jenkins.html

pipeline {
    agent {
        label 'ARM64'
    }
    environment {
        AWS_REGION = 'us-east-1'
        ECR_REPO = 'arm64-base'
        ID = 'xxxxxxxxxx'
        URL_REGISTRY = "xxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com"
    }

    stages {
        stage ('amazon-inspector-image-scanner') {
            steps {
                script {
                    step ([
                        $class: 'com.amazon.inspector.jenkins.amazoninspectorbuildstep.AmazonInspectorBuilder',
                        sbomgenSource: 'linuxArm64',
                        archivePath: '${URL_REGISTRY}/arm64-base:base-image',
                        awsRegion: 'us-east-1',
                        iamRole: 'arn:aws:iam::${ID}:role/dev-ecr-role',
                        credentialId: '',
                        isThresholdEnabled: 'false',
                        countCritical: 0, 
                        countHigh: 0, 
                        countLow: 10, 
                        countMedium: 5,
                    ])
                }
            }
        }
    }
}

I have a test pipeline; when I try to execute it, I encounter an authorization error:

Automatic SBOMGen Sourcing selected, downloading now...
No credential provided, running without.
Making downloaded SBOMGen executable...
Running command...
[/tmp/sbomgen17977388499391807084/inspector_sbomgen/inspector-sbomgen-1.1.1/linux/arm64/inspector-sbomgen, container, --image, xxxxxxx.dkr.ecr.us-east-1.amazonaws.com/arm64-base:base-image]
Plugin execution ran into an error and is being aborted!
Exception:com.amazon.inspector.jenkins.amazoninspectorbuildstep.exception.MalformedScanOutputException: Sbom scanning output formatted incorrectly.
Sbom Content:
time="2024-05-20T14:51:47Z" level=info msg="Amazon Inspector SBOM Generator v1.1.1 - linux arm64 - Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved"
time="2024-05-20T14:51:47Z" level=info msg="[/tmp/sbomgen17977388499391807084/inspector_sbomgen/inspector-sbomgen-1.1.1/linux/arm64/inspector-sbomgen container --image xxxxxxx.dkr.ecr.us-east-1.amazonaws.com/arm64-base:base-image]"
time="2024-05-20T14:51:47Z" level=info msg="writing log file to: /var/jenkins_home/.inspector-sbomgen/logs/inspector-sbomgen-log_2024-05-20_14-51-47.txt"
time="2024-05-20 14:51:47" level=info msg="initializing target artifact" file="coreV1.go:34:"
time="2024-05-20 14:51:47" level=info msg="created temporary staging directory: /var/jenkins_home/.inspector-sbomgen/artifact-cache373923406" file="stagingdir.go:60:"
time="2024-05-20 14:51:47" level=info msg="checking if image is a tarball" file="imageInit.go:28:"
time="2024-05-20 14:51:47" level=info msg="checking if image exists in the local Docker daemon" file="imageInit.go:37:"
time="2024-05-20 14:51:47" level=info msg="checking if image can be downloaded from a remote registry" file="imageInit.go:46:"
time="2024-05-20 14:51:47" level=info msg="downloading remote container image: xxxxxxx.dkr.ecr.us-east-1.amazonaws.com/cdmnext-arm64-base:cdmnext-base-node-image" file="imageInit.go:153:"
2024/05/20 14:51:47 GET https://xxxxxxx.dkr.ecr.us-east-1.amazonaws.com/v2/arm64-base/manifests/base-image: unexpected status code 401 Unauthorized: Not Authorized null

But the command for authorization to ECR looks like: aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin xxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com. If I use this command in the previous steps, the command works as expected, but there is no access to the image.

How do I integrate ECR login for this plugin using the IAM role? I didn't find anything in the documentation.

Reference any relevant documentation, other materials or issues/pull requests that can be used for inspiration.

No response

Are you interested in contributing to the documentation?

No response

cjbaco commented 4 months ago

ECR authentication can be added in a stage prior to the Inspector stage, see example below:

stage('ecr auth') {
    steps {
        sh '/usr/local/bin/aws ecr get-login-password --region us-east-1 | /usr/local/bin/docker login --username AWS --password-stdin xxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com'
    }
}
spu-xb01 commented 4 months ago

@cjbaco this does not work

As far as I understand, you need to somehow record the execution of this command in

credentialId: ''

waltwilo commented 4 months ago

credentialId only applies to image repositories where you can authenticate via username and password, like Docker Hub. For ECR, you authenticate via the command cjbaco posted. Here's a full declarative script that I ran to test this; keep in mind I've changed some sensitive information, so you'll have to edit it to suit your use case.

pipeline {
    agent any
    stages {
        stage('Docker Auth') {
            steps {
                sh '/usr/local/bin/aws ecr get-login-password --region us-east-1 | /usr/local/bin/docker login --username AWS --password-stdin USERID.dkr.ecr.us-east-1.amazonaws.com'
            }
        }
        stage('amazon-inspector-image-scanner') {
            steps {
                script {
                    step([
                        $class: 'com.amazon.inspector.jenkins.amazoninspectorbuildstep.AmazonInspectorBuilder',
                        sbomgenPath: '/Users/user/Downloads/inspector-sbomgen',
                        artifactPath: 'USERID.dkr.ecr.us-east-1.amazonaws.com/test:latest',
                        archiveType: 'container',
                        awsRegion: 'us-east-1',
                        credentialId: null,
                        awsCredentialId: 'CREDENTAIL_ID',
                        iamRole: 'arn:aws:iam::USERID:role/CICDScan',
                        oicdCredentialId: '',
                        awsProfileName: 'default',
                        isThresholdEnabled: false,
                        countCritical: 0,
                        countHigh: 0,
                        countLow: 10,
                        countMedium: 5,
                    ])
                }
            }
        }
    }
}

And here's the output when I ran the above script:

Started by user unknown or anonymous
[Pipeline] Start of Pipeline
[Pipeline] node
Running on Jenkins in /Users/user/.jenkins/workspace/Declarative
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Docker Auth)
[Pipeline] sh
+ /usr/local/bin/aws ecr get-login-password --region us-east-1
+ /usr/local/bin/docker login --username AWS --password-stdin USERID.dkr.ecr.us-east-1.amazonaws.com
WARNING! Your password will be stored unencrypted in /Users/user/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (amazon-inspector-image-scanner)
[Pipeline] script
[Pipeline] {
[Pipeline] step
WARNING: Unknown parameter(s) found for class type 'com.amazon.inspector.jenkins.amazoninspectorbuildstep.AmazonInspectorBuilder': oicdCredentialId
Credential ID is null, this is not normal, please check your config. Continuing without docker credentials.
No credential provided, running without.
Making downloaded SBOMGen executable...
Running command...
[/Users/user/Downloads/inspector-sbomgen, container, --image, USERID.dkr.ecr.us-east-1.amazonaws.com/test:latest]
Sending SBOM to Inspector for validation with info: credential:credentialid, role:arn:aws:iam::USERID:role/CICDScan, profile:default
Authenticating to STS via a role and default credential provider chain.
Converting SBOM Results to CSV.
Build Artifacts: http://localhost:8080/job/Declarative/75/display/redirect?page=artifacts
Results: Critical: 0, High: 1, Medium: 4, Low: 0, Other: 3
Ignoring results due to thresholds being disabled.
Does Build Pass: true
[Pipeline] }
[Pipeline] // script
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS

Additionally, keep in mind that Jenkins doesn't know where docker and aws are, so you'll have to provide absolute paths to their binaries.
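A shell helper (an added example, not code from the plugin or from either commenter) that does what the 'Docker Auth' stage above does, but derives the ECR registry host and region from the image reference so neither is hard-coded and the login always targets the registry the Inspector step will pull from. The image reference and the AWS_BIN/DOCKER_BIN variables are assumptions.

```shell
#!/bin/sh
# Added example: ECR login on the Jenkins agent before the Inspector step.
# The image reference used in the comments below is constructed.

# Print "<registry-host> <region>" for an ECR image reference, or fail.
# e.g. 123456789012.dkr.ecr.us-east-1.amazonaws.com/arm64-base:base-image
#      -> "123456789012.dkr.ecr.us-east-1.amazonaws.com us-east-1"
ecr_registry_and_region() {
    image="$1"
    host="${image%%/*}"                 # everything before the first slash
    case "$host" in
        *.dkr.ecr.*.amazonaws.com) ;;   # only ECR hosts are accepted
        *) echo "not an ECR image reference: $image" >&2; return 1 ;;
    esac
    rest="${host#*.dkr.ecr.}"           # "<region>.amazonaws.com"
    region="${rest%%.amazonaws.com}"
    echo "$host $region"
}

# Log in with a fresh token piped on stdin, never on the command line.
# Jenkins may not have aws/docker on PATH (see the note above), so the
# absolute paths can be supplied via AWS_BIN and DOCKER_BIN (assumed names).
ecr_login_for_image() {
    out=$(ecr_registry_and_region "$1") || return 1
    registry="${out%% *}"
    region="${out#* }"
    "${AWS_BIN:-aws}" ecr get-login-password --region "$region" \
        | "${DOCKER_BIN:-docker}" login --username AWS --password-stdin "$registry"
}

# In a Jenkins `sh` step this would be called as, for example:
#   ecr_login_for_image "${URL_REGISTRY}/arm64-base:base-image"
```

The token docker login receives is valid for 12 hours and, as the WARNING in the output above shows, is stored in plain text in the agent's ~/.docker/config.json, so run this on the same agent as the Inspector step and consider a credential helper such as amazon-ecr-credential-helper instead of a stored password.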

spu-xb01 commented 4 months ago

@waltwilo thanks for the help