forked from some-natalie/image-ingest-script
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathingest.sh
More file actions
92 lines (80 loc) · 3.12 KB
/
Copy pathingest.sh
File metadata and controls
92 lines (80 loc) · 3.12 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
#!/bin/bash
# This script is used within a DMZ to pull images from a private Chainguard registry, then do common ingestion work, and push them to an internal registry.
# image source (upstream)
UPSTREAM_REGISTRY="cgr.dev/some-natalie.dev/"
# image list (name:tag, newline separated)
IMAGE_LIST="image-list.txt"
# image destination (downstream)
DOWNSTREAM_REGISTRY="ghcr.io/some-natalie/chainguard-canned/"
# scan failure threshold (will not fail on vulnerabilities at all if not set, will fail on medium or higher if set to medium, etc.)
# options=[negligible low medium high critical]
SCAN_FAILURE_THRESHOLD=""
# check for requirements (docker, grype, syft, cosign, jq, incert)
requirements=(docker grype syft cosign jq incert)
for requirement in "${requirements[@]}"; do
if ! command -v $requirement &> /dev/null
then
echo "$requirement could not be found in \$PATH, please install it."
exit 1
fi
done
# check for image list
if [ ! -f $IMAGE_LIST ]; then
echo "Image list not found, please create a file named $IMAGE_LIST with a list of images to process."
exit 1
fi
# read image list
declare -a images
while IFS= read -r image; do
images+=("$image")
done < $IMAGE_LIST
# for each image
# pull from private registry
pull_image() {
echo "Pulling $UPSTREAM_REGISTRY$image" >> $image-log.txt
docker pull $UPSTREAM_REGISTRY$image
}
# scan with grype, optionally fail if medium or higher vulnerabilities found
scan_image() {
echo "Scanning $UPSTREAM_REGISTRY$image" >> $image-log.txt
if [ -z $SCAN_FAILURE_THRESHOLD ]; then
grype $UPSTREAM_REGISTRY$image >> $image-log.txt
else
grype --fail-on $SCAN_FAILURE_THRESHOLD $UPSTREAM_REGISTRY$image >> $image-log.txt
fi
}
# verify attestation
verify_attestation() {
echo "Verifying attestation for $UPSTREAM_REGISTRY$image"
echo "The following checks were performed on each of these signatures:"
echo " - The cosign claims were validated"
echo " - Existence of the claims in the transparency log was verified offline"
echo " - The code-signing certificate was verified using trusted certificate authority certificates"
cosign verify \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity=https://github.com/chainguard-images/images-private/.github/workflows/release.yaml@refs/heads/main \
$UPSTREAM_REGISTRY/$image | jq >> $image-log.txt
}
# download SBOM
download_sbom() {
echo "Downloading SBOM for $UPSTREAM_REGISTRY$image"
cosign download attestation $UPSTREAM_REGISTRY$image | jq -r .payload | base64 -d | jq .predicate > $image-sbom.json
}
# add internal CA cert and push
run_incert() {
echo "Adding internal CA cert to $UPSTREAM_REGISTRY$image"
incert \
-ca-certs-file test.crt \
-image-url $UPSTREAM_REGISTRY$image \
-dest-image-url $DOWNSTREAM_REGISTRY$image
}
echo "Processing ${#images[@]} images from $IMAGE_LIST"
for image in "${images[@]}"; do
# pull from private registry
echo "Pulling $UPSTREAM_REGISTRY$image"
pull_image
scan_image
verify_attestation
download_sbom
run_incert
done