theredguild / DevSecOps-toolkit

Curation of DevSecOps tools that all work together inside the minimum amount of containers. Just run make exec and read the How To!
https://theredguild.org

Create a docker compose to add clair, falco, and sast-scan separately #26

Open mattaereal opened 1 week ago

mattaereal commented 1 week ago

clair, falco and sast-scan are the three tools that make the most sense to have separately. Given their complexity or their nature, they need to be run locally or separately.

In the case of falco and clair, they need to be able to interact with the host OS. And sast-scan has a LOT of tools similar to the ones that we have on the main container, even some overlap, so it's like a bonus.

mattaereal commented 1 week ago

I couldn't make clair work with any test case. I can't manage to get a working config.yaml file. It appears its schema has been updated and some keys deprecated. We'll have to create our own container with test cases and a working version of it.

mattaereal commented 1 week ago

This is the current documentation I created at README.md:

clair (WIP - NOT WORKING)

GitHub

The documentation for clair is currently incomplete. The provided config.yaml file from their documentation site is no longer being accepted by clair and requires manual modification.

Clair is an open source project for the static analysis of vulnerabilities in application containers (currently including OCI and docker).

Since clair scans containers, it is best to run it separately.

docker pull quay.io/projectquay/clair:4.7.4
# Alternatively you can try and pull latest but it did not work out for me
docker pull quay.io/projectquay/clair
# Download sample config (the directory must exist first; wget will not create it).
# Note: the github.com/.../blob/... URL returns the HTML page, not the YAML file,
# so the raw.githubusercontent.com URL is used here instead.
mkdir -p /tmp/clair
wget -q https://raw.githubusercontent.com/quay/clair/main/config.yaml.sample \
--output-document /tmp/clair/config.yaml
# Run clair (combo mode runs indexer, matcher and notifier in one process)
docker run -p 6060:6060 -p 6061:6061 \
-v /tmp/clair:/clair/config \
quay.io/projectquay/clair:4.7.4 -conf /clair/config/config.yaml -mode combo

One liner if you don't want a container:

# Installs the clairctl CLI binary under the name "clair" in /usr/local/bin
sudo wget -qO /usr/local/bin/clair https://github.com/quay/clair/releases/download/v4.7.4/clairctl-linux-$(dpkg --print-architecture) \
&& sudo chmod +x /usr/local/bin/clair

reynico commented 1 week ago

I just did a POC using docker-compose to deploy the Falco suite (Engine, webui, sidekick, redis) and integrate it with our toolbox. https://github.com/theredguild/container-sec-tools/pull/28


reynico commented 4 days ago

clair is now working from within the container

wanderer@9973394f367e /workspace $ clair report ubuntu
ubuntu found libgcrypt20 1.10.3-2build1    CVE-2024-2236 on Ubuntu 24.04 LTS (noble) - medium
ubuntu found libssl3t64  3.0.13-0ubuntu3.4 CVE-2024-41996 on Ubuntu 24.04 LTS (noble) - low
ubuntu found coreutils   9.4-3ubuntu6      CVE-2016-2781 on Ubuntu 24.04 LTS (noble) - low
ubuntu found gpgv        2.4.4-2ubuntu17   CVE-2022-3219 on Ubuntu 24.04 LTS (noble) - low
ubuntu found libc-bin    2.39-0ubuntu8.3   CVE-2016-20013 on Ubuntu 24.04 LTS (noble) - negligible
ubuntu found libc6       2.39-0ubuntu8.3   CVE-2016-20013 on Ubuntu 24.04 LTS (noble) - negligible
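The `clair report` output above is plain text, one finding per line, which is convenient for a CI gate: parse the lines, count findings per severity, and fail the job when anything at or above a chosen severity is present. The following is an added example, not code from the DevSecOps-toolkit repository or from clair; the line format is taken from the six lines quoted in this thread, the severity ordering (`unknown` < `negligible` < `low` < `medium` < `high` < `critical`) is assumed to match clair's labels, and the sample report is constructed from the quoted output.

```python
import re
from collections import Counter

# One "clair report" line as shown in the thread:
#   <image> found <package> <version> <CVE> on <distro> - <severity>
LINE_RE = re.compile(
    r"^(?P<image>\S+) found (?P<package>\S+)\s+(?P<version>\S+)\s+"
    r"(?P<cve>CVE-\d{4}-\d+) on (?P<distro>.+?) - (?P<severity>\w+)$"
)

# Assumed ordering of clair's severity labels, used for the gate threshold.
SEVERITY_RANK = {
    "unknown": 0, "negligible": 1, "low": 2, "medium": 3, "high": 4, "critical": 5,
}

# Constructed sample: the six report lines quoted in the thread above.
SAMPLE_REPORT = """\
ubuntu found libgcrypt20 1.10.3-2build1    CVE-2024-2236 on Ubuntu 24.04 LTS (noble) - medium
ubuntu found libssl3t64  3.0.13-0ubuntu3.4 CVE-2024-41996 on Ubuntu 24.04 LTS (noble) - low
ubuntu found coreutils   9.4-3ubuntu6      CVE-2016-2781 on Ubuntu 24.04 LTS (noble) - low
ubuntu found gpgv        2.4.4-2ubuntu17   CVE-2022-3219 on Ubuntu 24.04 LTS (noble) - low
ubuntu found libc-bin    2.39-0ubuntu8.3   CVE-2016-20013 on Ubuntu 24.04 LTS (noble) - negligible
ubuntu found libc6       2.39-0ubuntu8.3   CVE-2016-20013 on Ubuntu 24.04 LTS (noble) - negligible
"""


def parse_report(text):
    """Parse clair report text into a list of finding dicts.

    Raises ValueError on a line that does not match, so a changed output
    format fails loudly instead of silently passing the gate.
    """
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unrecognised report line: {line!r}")
        finding = match.groupdict()
        finding["severity"] = finding["severity"].lower()
        findings.append(finding)
    return findings


def severity_counts(findings):
    """Number of findings per severity label."""
    return Counter(f["severity"] for f in findings)


def gate(findings, fail_on="high"):
    """Return the findings at or above the fail_on severity.

    An empty result means the image passes; unknown labels rank lowest.
    """
    threshold = SEVERITY_RANK[fail_on.lower()]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= threshold]


if __name__ == "__main__":
    import sys
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    found = parse_report(report)
    print(dict(severity_counts(found)))
    blocking = gate(found, fail_on="medium")
    for f in blocking:
        print(f"BLOCK {f['package']} {f['version']} {f['cve']} ({f['severity']})")
    sys.exit(1 if blocking else 0)
```

Run as `clair report ubuntu | python3 clair_gate.py` in a pipeline step; with the sample above and a `medium` threshold it exits non-zero because of CVE-2024-2236, and at `high` it passes. Raising on an unparsed line is deliberate: a gate that treats unexpected output as "no findings" is worse than one that fails the build.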