w3security-cr-monitor
Basic Flow
- Query the Artifactory API to gather the Docker repos to test
- Iterate through the results, running w3security monitor against each repo, for either the latest image tag or, with the --all-tags option, every tag
- Provides a configurable mechanism to run multiple jobs simultaneously
Note that w3security monitor runs a docker pull behind the scenes for every image it monitors, so each image is fetched over the network and stays in the local Docker image cache.
Use the W3SECURITY_CR_MONITOR_MAX_JOBS and W3SECURITY_CR_MONITOR_JOB_SPACING variables, as described below, to control the throughput to your Docker repos: pulling many images at once is taxing both on the Artifactory instance and on the disk and network of the host running the scans.
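The flow above in plain Node.js, as an added example that is not code from w3security-cr-monitor itself. Image discovery runs over constructed data shaped like the Artifactory responses to GET /api/repositories?packageType=docker, GET /api/docker/{repo}/v2/_catalog and GET /api/docker/{repo}/v2/{image}/tags/list; the job runner enforces the two throttles the README describes (at most MAX_JOBS in flight, at least JOB_SPACING milliseconds between launches) and never lets one failed image abort the run. Assumptions: images are addressed with the repository-path method (cliHost/repoKey/image:tag), images with no latest tag are skipped unless --all-tags is used, and the `run` callback in the demo only simulates the docker pull plus w3security monitor step so the script runs offline.

```javascript
// Added example, not part of the w3security-cr-monitor project.
const defaultSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Turn Artifactory API results into fully qualified image references.
//   repos:    array of { key, type, packageType, ... }     (GET /api/repositories)
//   catalogs: { repoKey: [imageName, ...] }               (GET /api/docker/<repo>/v2/_catalog)
//   tags:     { "repoKey/imageName": [tag, ...] }         (GET /api/docker/<repo>/v2/<image>/tags/list)
// Assumption: repository-path addressing, i.e. <cliHost>/<repoKey>/<image>:<tag>.
function buildImageList({ cliHost, repos, catalogs, tags, allTags = false, onlyRepo }) {
  const refs = [];
  for (const repo of repos) {
    if (String(repo.packageType).toLowerCase() !== 'docker') continue; // skip npm, maven, ...
    if (onlyRepo && repo.key !== onlyRepo) continue;                   // --docker-repo filter
    for (const image of catalogs[repo.key] || []) {
      const available = tags[`${repo.key}/${image}`] || [];
      // Default: only "latest"; images that have no such tag are skipped (assumption).
      const wanted = allTags ? available : available.filter((t) => t === 'latest');
      for (const tag of wanted) refs.push(`${cliHost}/${repo.key}/${image}:${tag}`);
    }
  }
  return refs;
}

// Run `run(item)` over all items with at most `maxJobs` in flight and at least
// `spacingMs` between consecutive launches. Never rejects: every result is
// { ok: true, value } or { ok: false, error }, so one bad image cannot stop the run.
async function runThrottled(items, { maxJobs = 5, spacingMs = 1500, run, sleep = defaultSleep }) {
  const limit = Math.max(1, maxJobs);
  const results = new Array(items.length);
  const inFlight = new Set();
  for (let i = 0; i < items.length; i++) {
    // Block until a slot is free; race settles as soon as any running job does.
    while (inFlight.size >= limit) await Promise.race(inFlight);
    const job = Promise.resolve()
      .then(() => run(items[i]))
      .then((value) => ({ ok: true, value }), (err) => ({ ok: false, error: String(err) }))
      .then((result) => { results[i] = result; inFlight.delete(job); });
    inFlight.add(job);
    // Space launches so the registry is not hit with a burst of pulls.
    if (i < items.length - 1) await sleep(spacingMs);
  }
  await Promise.all(inFlight);
  return results;
}

// Constructed sample data standing in for the three API calls (not real registry output).
const SAMPLE = {
  repos: [
    { key: 'docker-local', type: 'LOCAL', packageType: 'docker' },
    { key: 'npm-local', type: 'LOCAL', packageType: 'npm' },
  ],
  catalogs: { 'docker-local': ['app/api', 'base/nginx'] },
  tags: {
    'docker-local/app/api': ['1.0', '1.1', 'latest'],
    'docker-local/base/nginx': ['1.25'],
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const images = buildImageList({ cliHost: 'onpremartifactory.example.com:5000', allTags: true, ...SAMPLE });
  // In the real tool `run` would docker pull the image and invoke w3security monitor;
  // here it only simulates a short job so the example runs offline.
  runThrottled(images, {
    maxJobs: 2,
    spacingMs: 200,
    run: async (ref) => { console.log('launch', ref); await defaultSleep(300); return 'monitored ' + ref; },
  }).then((results) => results.forEach((r) => console.log(r)));
}
```

With maxJobs 2 and four images the demo launches two jobs 200 ms apart, then waits for a slot before launching the third, which is the behaviour the two environment variables below give you in the real tool.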
Usage
Usage: ./w3security-cr-monitor [OPTIONS]
If no arguments are specified, values will be picked up from
environment variables
Options:
--version Show version number [boolean]
--w3security-token W3Security API Key, if not specified $W3SECURITY_TOKEN
--w3security-org W3Security Organization ID to post test results, if not
specified $W3SECURITY_ORG
--artifactory-api-host Artifactory API HOST, if not specified
$ARTIFACTORY_API_HOST
--artifactory-cli-host Artifactory host used for docker login/pull, if not
specified $ARTIFACTORY_CLI_HOST
--artifactory-user Artifactory API User, if not specified
$ARTIFACTORY_USER
--artifactory-key Artifactory API Key, if not specified $ARTIFACTORY_KEY
--all-tags Process all image tags, if omitted then "latest" tags
are processed [boolean]
--docker-repo Optionally process only the docker repo with a given
name
--max-jobs Number of simultaneous jobs to run
--job-spacing milliseconds in between job launches
--help Show help [boolean]
set environment
required (if not set at command line)
# Your W3Security API Key (General Settings -> API Token, or Settings -> Service Accounts)
export W3SECURITY_TOKEN=<w3security_api_key>
# the W3Security Org ID to post results to (Settings -> General -> Organization ID)
export W3SECURITY_ORG=<w3security_org_id>
# The hostname (and optional port) of the on-premise artifactory instance, where the API will be accessible
# example: onpremartifactory.example.com, or onpremartifactory.example.com:8443
export ARTIFACTORY_API_HOST=<api_hostname>
# The hostname (and optional port) of the host used with docker login
# This is separate from the API host because they may be different,
# for example onpremartifactory.example.com:5000
export ARTIFACTORY_CLI_HOST=<cli_endpoint_hostname>
# The username the API key belongs to
# This is needed for the docker login/pull command.
export ARTIFACTORY_USER=<artifactory_user_for_key>
# Artifactory API Key
export ARTIFACTORY_KEY=<artifactory_api_key>
optional:
# Number of container scanning jobs that may be simultaneously running
# if unspecified, default is 5
export W3SECURITY_CR_MONITOR_MAX_JOBS=<num-jobs>
# Number of milliseconds between job launches to space requests out
# If unspecified, default is 1500 (1.5 seconds)
export W3SECURITY_CR_MONITOR_JOB_SPACING=<milliseconds-between-job-launches>
If connecting to an on-prem Artifactory instance over HTTPS with a self-signed or private-CA certificate, point Node at the CA certificate so verification still happens:
export NODE_EXTRA_CA_CERTS=[your CA certificate file path]
The alternative
export NODE_TLS_REJECT_UNAUTHORIZED=0
also makes the connection succeed, but it disables certificate verification for every TLS connection the process makes, the W3Security API included, so an on-path attacker could read or replace the API keys and results in transit. Reserve it for one-off troubleshooting and never use it in a scheduled job.
Running as a container
docker build -t w3security-cr-monitor .
docker run -v /var/run/docker.sock:/var/run/docker.sock \
-e W3SECURITY_TOKEN=$W3SECURITY_TOKEN \
-e W3SECURITY_ORG=$W3SECURITY_ORG \
-e ARTIFACTORY_USER=$ARTIFACTORY_USER \
-e ARTIFACTORY_KEY=$ARTIFACTORY_KEY \
-e ARTIFACTORY_API_HOST=$ARTIFACTORY_API_HOST \
-e ARTIFACTORY_CLI_HOST=$ARTIFACTORY_CLI_HOST \
-e W3SECURITY_CR_MONITOR_MAX_JOBS=$W3SECURITY_CR_MONITOR_MAX_JOBS \
-e W3SECURITY_CR_MONITOR_JOB_SPACING=$W3SECURITY_CR_MONITOR_JOB_SPACING \
w3security-cr-monitor
- If extra environment variables are needed for self-signed certs, add them to the command above or the script below; a CA file named in NODE_EXTRA_CA_CERTS must also be mounted into the container with -v so the path exists inside it.
- Mounting /var/run/docker.sock gives the container full control of the host's Docker daemon, which is equivalent to root on the host, so run it only on a host dedicated to scanning.
Use the bash wrapper script
Modify the arguments as needed for your environment
$ chmod +x w3security-cr-monitor
$ ./w3security-cr-monitor
Running natively
Requires node, docker and the w3security CLI
$ npm install -g
$ w3security-cr-monitor
References
API Documentation: Artifactory APIs
TODO
- add support for an AQL file option for custom image tag searches