feature Hadolint (#80)

* restarted from main as was still having api/ arango issues and vm crashed 3 times. this works, but need to adjust fomating as the / is causing arrango/ api greif. * changed api to graphql-api in make kind-push all * fixed extra s * changed hadolint results to be array of results rather than dictionary with filepath as key (I think / was causing issues, but could have been connection issue, now that this works, will go back and try previous way.) * removed extra lines/ commented out extra console.logs, cleaned up a bit. * cleaned out commented out lines * fixed error message * Updated anyArrayNonEmpty to work with new format of results. * changed 127.0.0.1 to 0.0.0.0 to work with kubernetes env as well. * added hadolint to docs
PHACDataHub · Dec 8, 2023 · 999cacb · 999cacb
1 parent 3dc4a09
commit 999cacb
Show file tree

Hide file tree

Showing 12 changed files with 518 additions and 41 deletions.
diff --git a/Makefile b/Makefile
@@ -41,7 +41,7 @@ build-graph-updater:
 	$(CONTAINER_RUNTIME) build ./graph-updater/ -t localhost/$(APP_NAME)-graph-updater:$(APP_VERSION)
 
 kind-push-all: 
-	kind load docker-image localhost/$(APP_NAME)-api:$(APP_VERSION)
+	kind load docker-image localhost/$(APP_NAME)-graphql-api:$(APP_VERSION)
 	kind load docker-image localhost/$(APP_NAME)-web-endpoint-scanner:$(APP_VERSION)
 	kind load docker-image localhost/$(APP_NAME)-cloned-repo-scanner:$(APP_VERSION)
 	kind load docker-image localhost/$(APP_NAME)-octokit-scanner:$(APP_VERSION)

diff --git a/api/src/.env.example b/api/src/.env.example
@@ -1,4 +1,4 @@
-GRAPHQL_HOST="127.0.0.1"
+GRAPHQL_HOST="0.0.0.0"
 GRAPHQL_PORT="4000"
 
 DB_HOST="http://example-simple-single-ea:8529"

diff --git a/api/src/graphql_types/input_types.py b/api/src/graphql_types/input_types.py
@@ -32,7 +32,8 @@ class GithubEndpointInput:
     branch_protection: Optional[CheckPassesInput] = None
     has_security_md: Optional[CheckPassesInput] = None
     has_dependabot_yaml: Optional[CheckPassesInput] = None
-    gitleaks: Optional[CheckPassesInput] = None                                      
+    gitleaks: Optional[CheckPassesInput] = None  
+    hadolint: Optional[CheckPassesInput] = None                                        
 
 
 @strawberry.input

diff --git a/api/src/graphql_types/typedef.py b/api/src/graphql_types/typedef.py
@@ -42,6 +42,7 @@ class GithubEndpoint(Endpoint):
     has_security_md: CheckPasses
     has_dependabot_yaml: CheckPasses
     gitleaks: CheckPasses
+    hadolint: CheckPasses
 
 @strawberry.type
 class Accessibility:

diff --git a/docs/scanners.md b/docs/scanners.md
@@ -115,7 +115,48 @@ For preventative protection, consider using 'gitleaks protect' [pre-commit]((htt
 
 ### Hadolint `Dockerfile`
 
-[`hadolint`](https://github.com/hadolint/hadolint) performs a series of lint checks on each `Dockerfile` found in the repository.
+[`Hadolint`](https://github.com/hadolint/hadolint) is a linter for Dockerfiles. This scanner analyzes the Dockerfiles in the source code repository, and flags any best practices rules that have been broken. 
+
+**Remediation**
+
+Follow the guidelines outlined in results message to update the Dockerfiles.  If your team has decided to not follow a particular rule in certain cases, you can clear the warning in this scanner by including an [inline ignore tag](https://github.com/hadolint/hadolint#inline-ignores) at the Dockerfile location where you would like to by-passed the rule check.  
+
+
+**Data Example**
+```jsonc
+{
+    // ...
+   hadolint: {
+      checkPasses: false
+      metadata: [
+        {
+          Dockerfile: "ui/Dockerfile",
+          RulesViolated: [
+            {
+                code: "DL1000",
+                level: "error",
+                line: 41,
+                message: "unexpected '#'\nexpecting a new line followed by the next instruction"
+            }
+          ]
+        },
+        {
+          Dockerfile: "scanners/web-endpoint-checks/Dockerfile",
+          RulesViolated: [
+            {
+                code: "DL3008",
+                level: "warning",
+                line: 11,
+                message: "Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`"
+            },
+        // ...
+          ]
+        }
+      ]
+      // ...
+    }
+
+```
 
 > TODO
 

diff --git a/scanners/github-cloned-repo-checks/Dockerfile b/scanners/github-cloned-repo-checks/Dockerfile
@@ -14,6 +14,11 @@ RUN curl -LO https://github.com/zricethezav/gitleaks/releases/download/v8.18.0/g
     chmod +x /usr/local/bin/gitleaks && \
     rm gitleaks_8.18.0_linux_x64.tar.gz
 
+# Install hadolint
+RUN wget https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 && \
+    mv hadolint-Linux-x86_64 /usr/local/bin/hadolint && \
+    chmod +x /usr/local/bin/hadolint
+
 COPY package*.json ./
 
 RUN npm ci

diff --git a/scanners/github-cloned-repo-checks/index.js b/scanners/github-cloned-repo-checks/index.js
@@ -46,18 +46,15 @@ process.on('SIGINT', () => process.exit(0))
 
             // Clone repository
             const repoPath = await cloneRepository(gitHubEventPayload.endpoint, repoName)
-            console.log ('repoPath', repoPath)
+            console.log ('repoPath', repoPath, '\n')
 
             // Instantiate and do the check(s)
             const checkName = 'allChecks'
-            // const checkName = 'gitleaks'
             const check = await initializeChecker(checkName, repoName, repoPath)
             const results = await check.doRepoCheck()
 
-            console.log('Scan Results:',results)
-            console.log('gitleaks metadata',results.gitleaks.metadata)
-            console.log('gitleaks stingified metadata',JSON.stringify(results.gitleaks.metadata))
-
+            // console.log('Scan Results:',results)
+
             // Mutation to add a graph for the new endpoints
             // TODO: refactor this into a testable query builder function
             const mutation = gql`
@@ -79,26 +76,34 @@ process.on('SIGINT', () => process.exit(0))
                         gitleaks: {
                             checkPasses: ${JSON.stringify(results.gitleaks.checkPasses, null, 4).replace(/"([^"]+)":/g, '$1:')}
                             metadata: ${JSON.stringify(results.gitleaks.metadata, null, 4).replace(/"([^"]+)":/g, '$1:')}
+                        },
+                        hadolint: {
+                            checkPasses: ${results.hadolint.checkPasses}
+                            metadata: ${JSON.stringify(results.hadolint.metadata, null, 4).replace(/"([^"]+)":/g, '$1:')}
                         }
                     }
                 )
             }
             `;
             console.log('*************************\n',mutation,'\n*************************\n')
             // New GraphQL client - TODO: remove hard-coded URL
-            const graphqlClient = new GraphQLClient(GRAPHQL_URL);
-            // Write mutation to GraphQL API
-            const mutationResponse = await graphqlClient.request(mutation);
-            console.log('*************************\n',mutationResponse,'\n*************************\n')
+            try {
+                const graphqlClient = new GraphQLClient(GRAPHQL_URL);
+
+                // Write mutation to GraphQL API
+                const mutationResponse = await graphqlClient.request(mutation);
 
-            console.log('saved to database!')
+                console.log('Scan results saved to database.')
+
+            } catch (error) {
+                console.error("An error occurred - unable to save to the database.", error);
+            }
 
             // Remove temp repository
             await removeClonedRepository(repoPath)
-
         }
     })();
 
 await nc.closed();
 
-// nats pub "EventsScanner.githubEndpoints" "{\"endpoint\":\"https://github.com/PHACDataHub/ruok-service-autochecker\"}"
+// nats pub "EventsScanner.githubEndpoints" "{\"endpoint\":\"https://github.com/PHACDataHub/ruok-service-autochecker\"}"