khulnasoft/tunnel-pipe
Tunnel Pipe

Bitbucket Pipeline for Tunnel

Usage

Workflow

image:
  name: atlassian/default-image:2

pipelines:
  default:
    - step:
        services:
          - docker
        script:
          - pipe: khulnasoft/tunnel-pipe:latest
            variables:
              # $BITBUCKET_COMMIT is the commit hash Bitbucket Pipelines provides to every step
              imageRef: 'docker.io/my-organization/my-app:$BITBUCKET_COMMIT'
              format: 'table'
              exitCode: '1'
              ignoreUnfixed: true
              vulnType: 'os,library'
              severity: 'CRITICAL,HIGH'

Using Tunnel to scan your Git repo

It's also possible to scan your git repos with Tunnel's built-in repo scan. This can be handy if you want to run Tunnel as a build-time check on each PR that gets opened in your repo, helping you identify potential vulnerabilities that might get introduced with each PR.

image:
  name: atlassian/default-image:2

pipelines:
  default:
    - step:
        services:
          - docker
        script:
          - pipe: khulnasoft/tunnel-pipe:latest
            variables:
              scanType: 'fs'
              ignoreUnfixed: true
              format: 'template'
              template: '@/contrib/sarif.tpl'
              output: 'tunnel-results.sarif'
              severity: 'CRITICAL'
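The SARIF file written by output: 'tunnel-results.sarif' is usually handed to a code-scanning UI, but a later pipeline step can also read it directly to summarise what the scan found and decide whether to fail. The following Python script is an added example and not the pipe's own code: it relies only on standard SARIF 2.1.0 fields (runs, tool.driver.rules, results with ruleId and level). The sample report, its rule ids, package names and versions are constructed placeholders, and the assumption that the template records the Tunnel severity in each rule's properties.tags should be checked against a real report; the SARIF level is used as a fallback.

```python
"""Summarise a SARIF report and decide whether a later pipeline step should fail.

Added example, not tunnel-pipe's own code. Only standard SARIF 2.1.0 fields are used.
Assumption: the template stores the Tunnel severity as a tag in each rule's
properties.tags; when that tag is absent the SARIF `level` is mapped instead.
"""
from __future__ import annotations

import json
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")  # most to least severe
LEVEL_FALLBACK = {"error": "HIGH", "warning": "MEDIUM", "note": "LOW"}

# Constructed sample report: rule ids, package names and versions are placeholders.
SAMPLE_REPORT = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Tunnel", "rules": [
            {"id": "PLACEHOLDER-VULN-0001", "properties": {"tags": ["vulnerability", "security", "CRITICAL"]}},
            {"id": "PLACEHOLDER-VULN-0002", "properties": {"tags": ["vulnerability", "security", "MEDIUM"]}},
            {"id": "PLACEHOLDER-VULN-0003"},  # no severity tag: exercises the level fallback
        ]}},
        "results": [
            {"ruleId": "PLACEHOLDER-VULN-0001", "level": "error",
             "message": {"text": "Package: example-lib, Installed: 1.0.0, Fixed: 1.0.1"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}}}]},
            {"ruleId": "PLACEHOLDER-VULN-0001", "level": "error",
             "message": {"text": "Package: example-lib, Installed: 1.0.0, Fixed: 1.0.1"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/package-lock.json"}}}]},
            {"ruleId": "PLACEHOLDER-VULN-0002", "level": "warning",
             "message": {"text": "Package: other-lib, Installed: 2.3.0, Fixed: 2.3.4"}},
            {"ruleId": "PLACEHOLDER-VULN-0003", "level": "note",
             "message": {"text": "Package: third-lib, Installed: 0.9.0, Fixed: "}},
        ],
    }],
})


def severity_of(rule: dict, result: dict) -> str:
    """Severity from the rule's tags, else mapped from the SARIF result level."""
    for tag in rule.get("properties", {}).get("tags", []):
        if tag.upper() in SEVERITIES:
            return tag.upper()
    return LEVEL_FALLBACK.get(result.get("level", ""), "UNKNOWN")


def _runs_with_rules(sarif_text: str):
    for run in json.loads(sarif_text).get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        yield run, rules


def summarize(sarif_text: str) -> dict[str, int]:
    """Count results per severity; only severities with at least one finding are returned."""
    counts: Counter = Counter()
    for run, rules in _runs_with_rules(sarif_text):
        for result in run.get("results", []):
            counts[severity_of(rules.get(result.get("ruleId"), {}), result)] += 1
    return {s: counts[s] for s in SEVERITIES if counts[s]}


def findings(sarif_text: str, min_severity: str = "HIGH") -> list[tuple[str, str, str]]:
    """(severity, ruleId, first location) for every result at or above min_severity."""
    threshold = SEVERITIES.index(min_severity)
    out = []
    for run, rules in _runs_with_rules(sarif_text):
        for result in run.get("results", []):
            sev = severity_of(rules.get(result.get("ruleId"), {}), result)
            if SEVERITIES.index(sev) <= threshold:
                locs = result.get("locations") or []
                uri = (locs[0].get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "-")
                       if locs else "-")
                out.append((sev, result.get("ruleId", "?"), uri))
    return out


def should_fail(sarif_text: str, fail_on: tuple[str, ...] = ("CRITICAL", "HIGH")) -> bool:
    """True when any finding of a severity in fail_on is present."""
    counts = summarize(sarif_text)
    return any(counts.get(s, 0) for s in fail_on)


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    for sev, rule_id, uri in findings(SAMPLE_REPORT):
        print(f"{sev:8} {rule_id} {uri}")
    raise SystemExit(1 if should_fail(SAMPLE_REPORT) else 0)
```

In a pipeline, a step after the pipe would run this against the real tunnel-results.sarif; the exit status then gates the build independently of the pipe's own exitCode setting, and the per-location listing shows which lock file or layer carried each finding.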

Using Tunnel to scan Infrastructure as Code

It's also possible to scan your IaC repos with Tunnel's built-in repo scan. This can be handy if you want to run Tunnel as a build-time check on each PR that gets opened in your repo, helping you identify potential vulnerabilities that might get introduced with each PR.

image:
  name: atlassian/default-image:2

pipelines:
  default:
    - step:
        services:
          - docker
        script:
          - pipe: khulnasoft/tunnel-pipe:latest
            variables:
              scanType: "config"
              hideProgress: "false"
              format: "table"
              exitCode: 1
              ignoreUnfixed: "true"
              severity: "CRITICAL,HIGH"

Using Tunnel to scan your private registry

It's also possible to scan your private registry with Tunnel's built-in image scan. All you have to do is set the ENV vars for your registry.

Docker Hub registry

Docker Hub needs TUNNEL_USERNAME and TUNNEL_PASSWORD. You don't need to set ENV vars when pulling from a public repository.

image:
  name: atlassian/default-image:2

pipelines:
  default:
    - step:
        services:
          - docker
        script:
          - pipe: khulnasoft/tunnel-pipe:latest
            variables:
              # $BITBUCKET_COMMIT is the commit hash Bitbucket Pipelines provides to every step
              imageRef: 'docker.io/my-organization/my-app:$BITBUCKET_COMMIT'
              format: 'template'
              template: '@/contrib/sarif.tpl'
              output: 'tunnel-results.sarif'
              # Username/Password are placeholders: keep real credentials in Bitbucket
              # secured repository variables and reference them here as $VARIABLE_NAME
              TUNNEL_USERNAME: Username
              TUNNEL_PASSWORD: Password

AWS ECR (Elastic Container Registry)

Tunnel uses the AWS SDK, so you don't need to install the aws CLI tool; the AWS CLI's ENV vars are honored.

image: 
    name: atlassian/default-image:2

pipelines:
  default:
    - step:
        services:
          - docker
        script:
          - pipe: khulnasoft/tunnel-pipe:latest
            variables:
              # $BITBUCKET_COMMIT is the commit hash Bitbucket Pipelines provides to every step
              imageRef: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:$BITBUCKET_COMMIT'
              format: 'template'
              template: '@/contrib/sarif.tpl'
              output: 'tunnel-results.sarif'
              # key_id/access_key are placeholders: keep real credentials in Bitbucket
              # secured repository variables and reference them here as $VARIABLE_NAME
              AWS_ACCESS_KEY_ID: key_id
              AWS_SECRET_ACCESS_KEY: access_key
              AWS_DEFAULT_REGION: us-west-2

GCR (Google Container Registry)

Tunnel uses the Google Cloud SDK, so you don't need to install the gcloud command.

If you want to use the target project's repository, you can set the credential file via GOOGLE_APPLICATION_CREDENTIAL.

image: 
    name: atlassian/default-image:2

pipelines:
  default:
    - step:
        services:
          - docker
        script:
          - pipe: khulnasoft/tunnel-pipe:latest
            variables:
              # $BITBUCKET_COMMIT is the commit hash Bitbucket Pipelines provides to every step
              imageRef: 'docker.io/my-organization/my-app:$BITBUCKET_COMMIT'
              format: 'template'
              template: '@/contrib/sarif.tpl'
              output: 'tunnel-results.sarif'
              # path to a service-account JSON file available inside the build container
              GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json

Self-Hosted

A BasicAuth server needs TUNNEL_USERNAME and TUNNEL_PASSWORD. If you want to use port 80, set TUNNEL_NON_SSL=true to use non-SSL.

image: 
    name: atlassian/default-image:2

pipelines:
  default:
    - step:
        services:
          - docker
        script:
          - pipe: khulnasoft/tunnel-pipe:latest
            variables:
              # $BITBUCKET_COMMIT is the commit hash Bitbucket Pipelines provides to every step
              imageRef: 'docker.io/my-organization/my-app:$BITBUCKET_COMMIT'
              format: 'template'
              template: '@/contrib/sarif.tpl'
              output: 'tunnel-results.sarif'
              # Username/Password are placeholders: keep real credentials in Bitbucket
              # secured repository variables and reference them here as $VARIABLE_NAME
              TUNNEL_USERNAME: Username
              TUNNEL_PASSWORD: Password

Customizing

inputs

The following inputs can be used as keys of the pipe's variables block:

| Name | Type | Default | Description |
|---|---|---|---|
| scanType | String | image | Scan type, e.g. image or fs |
| input | String | | Tar reference, e.g. alpine-latest.tar |
| imageRef | String | | Image reference, e.g. alpine:3.10.2 |
| scanRef | String | | Scan reference, e.g. . |
| format | String | table | Output format (table, json, template) |
| template | String | | Output template (@/contrib/sarif.tpl, @/contrib/gitlab.tpl, @/contrib/junit.tpl) |
| output | String | | Save results to a file |
| exitCode | String | 0 | Exit code when specified vulnerabilities are found |
| ignoreUnfixed | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
| vulnType | String | os,library | Vulnerability types (os,library) |
| severity | String | UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL | Severities of vulnerabilities to be scanned for and displayed |
| skipDirs | String | | Comma-separated list of directories where traversal is skipped |
| cacheDir | String | | Cache directory |
| timeout | String | 2m0s | Scan timeout duration |
| ignorePolicy | String | | Filter vulnerabilities with the OPA Rego language |
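A misspelled severity, a missing template, or an exitCode of '0' silently turns the scan into a no-op, and a registry password pasted into bitbucket-pipelines.yml ends up in version control. As an added example that is not part of the tunnel-pipe project, the following Python script checks a pipe variables block against the inputs table above before the pipeline runs. The accepted keys, defaults and credential variable names (TUNNEL_USERNAME, TUNNEL_PASSWORD, AWS_*, GOOGLE_APPLICATION_CREDENTIAL, TUNNEL_NON_SSL) are taken from this README; the scanType values are the ones used in its examples, and the HARDENED/WEAK sample blocks are constructed.

```python
"""Pre-flight check for a khulnasoft/tunnel-pipe `variables` block.

Added example, not part of the tunnel-pipe project. Accepted inputs, defaults and
credential variable names come from the README; sample blocks are constructed.
"""
from __future__ import annotations

import re

# name -> (type, default) from the inputs table; None means no default is documented
INPUTS = {
    "scanType": ("String", "image"), "input": ("String", None), "imageRef": ("String", None),
    "scanRef": ("String", None), "format": ("String", "table"), "template": ("String", None),
    "output": ("String", None), "exitCode": ("String", "0"), "ignoreUnfixed": ("Boolean", "false"),
    "vulnType": ("String", "os,library"), "severity": ("String", "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"),
    "skipDirs": ("String", None), "cacheDir": ("String", None), "timeout": ("String", "2m0s"),
    "ignorePolicy": ("String", None),
}
SCAN_TYPES = {"image", "fs", "config"}  # values used in the README examples
FORMATS = {"table", "json", "template"}
VULN_TYPES = {"os", "library"}
SEVERITIES = {"UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"}
SECRET_VARS = {"TUNNEL_PASSWORD", "AWS_SECRET_ACCESS_KEY"}
PASSTHROUGH_VARS = SECRET_VARS | {"TUNNEL_USERNAME", "AWS_ACCESS_KEY_ID", "AWS_DEFAULT_REGION",
                                  "GOOGLE_APPLICATION_CREDENTIAL", "TUNNEL_NON_SSL"}
VAR_REF = re.compile(r"^\$(\{[A-Za-z_][A-Za-z0-9_]*\}|[A-Za-z_][A-Za-z0-9_]*)$")  # $NAME or ${NAME}
DURATION = re.compile(r"^(\d+(\.\d+)?(ns|us|ms|s|m|h))+$")  # Go-style duration, e.g. 2m0s


def _csv(value: object) -> set[str]:
    return {part.strip() for part in str(value).split(",") if part.strip()}


def validate_variables(variables: dict) -> list[str]:
    """Return problems found; 'error:' entries break the pipe, 'warning:' entries weaken the check."""
    problems: list[str] = []
    for key in variables:
        if key not in INPUTS and key not in PASSTHROUGH_VARS:
            problems.append(f"error: unknown variable {key!r}")
    scan_type = str(variables.get("scanType", INPUTS["scanType"][1]))
    if scan_type not in SCAN_TYPES:
        problems.append(f"error: scanType {scan_type!r} is not one of {sorted(SCAN_TYPES)}")
    elif scan_type == "image" and not (variables.get("imageRef") or variables.get("input")):
        problems.append("error: scanType 'image' needs imageRef or input")
    fmt = str(variables.get("format", INPUTS["format"][1]))
    if fmt not in FORMATS:
        problems.append(f"error: format {fmt!r} is not one of {sorted(FORMATS)}")
    elif fmt == "template" and not variables.get("template"):
        problems.append("error: format 'template' needs a template, e.g. '@/contrib/sarif.tpl'")
    unknown_sev = _csv(variables.get("severity", INPUTS["severity"][1])) - SEVERITIES
    if unknown_sev:
        problems.append(f"error: unknown severity {sorted(unknown_sev)}")
    unknown_vt = _csv(variables.get("vulnType", INPUTS["vulnType"][1])) - VULN_TYPES
    if unknown_vt:
        problems.append(f"error: unknown vulnType {sorted(unknown_vt)}")
    if str(variables.get("ignoreUnfixed", "false")).lower() not in ("true", "false"):
        problems.append(f"error: ignoreUnfixed must be true or false, got {variables['ignoreUnfixed']!r}")
    timeout = str(variables.get("timeout", INPUTS["timeout"][1]))
    if not DURATION.match(timeout):
        problems.append(f"error: timeout {timeout!r} is not a duration like '2m0s'")
    exit_code = str(variables.get("exitCode", INPUTS["exitCode"][1]))
    if exit_code not in ("0", "1"):
        problems.append(f"error: exitCode must be '0' or '1', got {exit_code!r}")
    elif exit_code == "0":
        problems.append("warning: exitCode '0' means findings never fail the build; use '1' to gate")
    for key in SECRET_VARS:  # secrets must be $VAR references to secured repository variables
        if key in variables and not VAR_REF.match(str(variables[key])):
            problems.append(f"warning: {key} is a literal; reference a secured repository variable instead")
    if str(variables.get("TUNNEL_NON_SSL", "false")).lower() == "true":
        problems.append("warning: TUNNEL_NON_SSL=true sends registry credentials over plaintext HTTP")
    return problems


# Constructed sample blocks mirroring the README's first example and a weakened variant.
HARDENED = {"imageRef": "docker.io/my-organization/my-app:$BITBUCKET_COMMIT", "format": "table",
            "exitCode": "1", "ignoreUnfixed": True, "vulnType": "os,library", "severity": "CRITICAL,HIGH",
            "TUNNEL_USERNAME": "$REGISTRY_USER", "TUNNEL_PASSWORD": "$REGISTRY_TOKEN"}
WEAK = {"scanType": "image", "format": "template", "severity": "CRITCAL", "exitCode": "0",
        "TUNNEL_USERNAME": "Username", "TUNNEL_PASSWORD": "Password", "TUNNEL_NON_SSL": "true", "bogus": 1}

if __name__ == "__main__":
    for name, block in (("hardened", HARDENED), ("weak", WEAK)):
        print(f"{name}: {validate_variables(block) or ['ok']}")
```

Running it on the constructed WEAK block lists the missing imageRef and template, the misspelled severity, the non-gating exitCode, the literal password and the plaintext transport, while HARDENED passes cleanly; the same function can be run in a lint step over the parsed bitbucket-pipelines.yml.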
