edersonbrilhante / vilicus

Home Page: https://vilicus.edersonbrilhante.com.br/

License: MIT License

Go 18.66% Dockerfile 1.61% Shell 4.34% Makefile 1.82% Smarty 3.01% HTML 0.54% JavaScript 22.09% SCSS 47.72% CSS 0.23%
golang docker security-tools security-scanner security-vulnerability security cicd oci docker-scanner oci-scanner

Vilicus
Overview

Vilicus is an open source tool that orchestrates security scans of container images (Docker/OCI) and centralizes all results in a database for further analysis and metrics. It runs the scans using Anchore, Clair and Trivy.

How does it work?

There are many tools for scanning container images, but their results often differ from one tool to the next. The main goal of this project is to help development teams improve the quality of their container images by finding vulnerabilities, and addressing them, with a view that is not tied to any single vendor's scanner.

Here you can find articles comparing the scanning tools:


Architecture



Development

Run deployment manually

docker-compose -f deployments/docker-compose.yaml up -d

Usage

Requirements

  • Disk Space ~30GB:
    • Docker System:
      • Images ~14GB
      • Containers ~11GB
      • Local Volumes ~200MB
  • Docker
  • Docker Compose
  • Bash
  • Wget

Using vilicus client

Run the following commands:

export TEMPLATE=<template>
export OUTPUT=<output>
export IMAGE=<public_image>|<vilicus_local_image>
wget -O run-job.sh https://raw.githubusercontent.com/edersonbrilhante/vilicus/main/scripts/run-job.sh
chmod +x ./run-job.sh
./run-job.sh

The result will be stored in the file set by the environment variable OUTPUT.

Templates and Outputs

Gitlab
Template: /opt/vilicus/contrib/gitlab.tpl
Output: /artifacts/gl-container-scanning-report.json

Sarif
Template: /opt/vilicus/contrib/sarif.tpl
Output: /artifacts/result.sarif
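The Sarif output above is what a CI job usually consumes. As an added example (not code from the Vilicus project), the following Python reads a Vilicus SARIF 2.1.0 report, counts the results by SARIF level, and distinguishes a report with no results at all (which should be treated as inconclusive rather than as a clean image) from a passing or failing one. The two sample documents, the `VULN-EXAMPLE-*` rule ids and the `fail_on` threshold are constructed for this example.

```python
"""Gate a CI job on a Vilicus SARIF 2.1.0 report (added example, not project code)."""
import json
import sys
from collections import Counter

# Constructed sample report with findings. Rule ids are placeholders, not real CVEs.
SAMPLE_WITH_FINDINGS = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Vilicus", "rules": [
            {"id": "VULN-EXAMPLE-1"}, {"id": "VULN-EXAMPLE-2"}, {"id": "VULN-EXAMPLE-3"},
        ]}},
        "results": [
            {"ruleId": "VULN-EXAMPLE-1", "level": "error",
             "message": {"text": "critical finding in package libexample"}},
            {"ruleId": "VULN-EXAMPLE-2", "level": "warning",
             "message": {"text": "medium finding in package libexample"}},
            {"ruleId": "VULN-EXAMPLE-3", "level": "warning",
             "message": {"text": "medium finding in package othertool"}},
        ],
    }],
})

# Constructed sample shaped like a run that produced no results at all.
SAMPLE_EMPTY = json.dumps({
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "Vilicus", "rules": []}}, "results": []}],
})


def load_results(sarif_text):
    """Return every result from every run in a SARIF 2.1.0 document."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError("expected a SARIF 2.1.0 document, got %r" % doc.get("version"))
    results = []
    for run in doc.get("runs", []):
        results.extend(run.get("results", []))
    return results


def count_by_level(results):
    """Count results by SARIF level; a result with no level uses the SARIF default 'warning'."""
    return Counter(r.get("level", "warning") for r in results)


def evaluate(sarif_text, fail_on=("error",)):
    """Return (verdict, counts).

    verdict is 'inconclusive' when the report carries no results at all,
    'fail' when any result sits at a level listed in fail_on, else 'pass'.
    """
    results = load_results(sarif_text)
    counts = count_by_level(results)
    if not results:
        return "inconclusive", counts
    if any(counts[level] > 0 for level in fail_on):
        return "fail", counts
    return "pass", counts


def main(argv):
    # Read the report path from the command line, or fall back to the constructed sample.
    path = argv[1] if len(argv) > 1 else None
    text = open(path).read() if path else SAMPLE_WITH_FINDINGS
    verdict, counts = evaluate(text)
    print(verdict, dict(counts))
    return 0 if verdict == "pass" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py /artifacts/result.sarif` after the scan job; a non-zero exit fails the pipeline for both a failing and an inconclusive report, so an empty results array never passes silently.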

Public images and local images

Vilicus supports both images hosted in a public repository and local builds. A public image is one hosted in a public registry such as DockerHub. To scan an image from a self-hosted registry, or a local build, you must first tag the image into the vilicus local registry.

Self-hosted registry:

docker tag <self-hosted-registry>/<image:tag> localhost:5000/<image:tag>

Local build:

docker build -t localhost:5000/<image:tag> -f <Dockerfile> <context>
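Working out the localhost:5000 target from an arbitrary image reference is where mistakes happen (a registry port looks like a tag, a digest cannot be used as a tag target). As an added example, not part of the Vilicus project, this Python splits a reference the way Docker does and builds the `docker tag` command for the local registry. The `localhost:5000` registry address is taken from the commands above; the sample references in the comments are constructed.

```python
"""Rewrite image references into the vilicus local registry (added example, not project code)."""

# The README's commands use localhost:5000 as the vilicus local registry; assumed here.
LOCAL_REGISTRY = "localhost:5000"


def split_reference(ref):
    """Split 'registry/path:tag@digest' into (registry, path, tag, digest).

    Follows the Docker rule for telling a registry host from a repository
    path: the first '/'-separated component is a registry only if it
    contains a '.' or a ':' or is exactly 'localhost'.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    registry = None
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, ref = first, rest
    tag = None
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):  # a ':' after the last '/' starts the tag, not a registry port
        ref, tag = ref[:colon], ref[colon + 1:]
    if not ref:
        raise ValueError("image reference has no repository path")
    return registry, ref, tag, digest


def local_reference(ref):
    """Return the localhost:5000/<image:tag> target for a public or self-hosted image.

    A digest is dropped because `docker tag` needs a tag on its target; an
    untagged reference gets Docker's default tag 'latest'.
    Example (constructed): 'registry.example.com:5443/team/app:1.2'
    becomes 'localhost:5000/team/app:1.2'.
    """
    _registry, path, tag, _digest = split_reference(ref)
    return "%s/%s:%s" % (LOCAL_REGISTRY, path, tag or "latest")


def tag_command(ref):
    """The `docker tag` argv that retags ref into the local registry, as a list for subprocess."""
    return ["docker", "tag", ref, local_reference(ref)]


if __name__ == "__main__":
    import sys
    for image in sys.argv[1:]:
        print(" ".join(tag_command(image)))
```

Passing the argv list to `subprocess.run` rather than joining it into a shell string keeps an attacker-supplied image name from being interpreted by the shell.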

Free Online Service

Vilicus also provides a free online service.

How does it work?

This service is a serverless full-stack application: its backend workers and database are implemented using only git repositories and CI/CD runners.

The frontend is hosted on GitHub Pages. It is a landing page offering a free service to scan container images or display their vulnerabilities.

The results of container image scans are stored in a GitLab Repository.

When the user asks to see the results for an image, the frontend calls the GitLab API to retrieve the file with the vulnerabilities for that image. If the image has not been scanned yet, the user can schedule a scan through a Google Form.

When this form is submitted, the data is sent to a Google Spreadsheet.

A GitHub Workflow runs every 5 minutes to check if there are new answers in this Spreadsheet. For each new image in the Spreadsheet, this workflow triggers another Workflow to scan the image and save the result in the GitLab Repository.

Issues

Any sample case to see output?

Hi,
I tried to scan the https://hub.docker.com/r/infoslack/dvwa image, but nothing shows up in the result file:

{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Vilicus",
          "informationUri": "https://github.com/edersonbrilhante/vilicus",
          "fullName": "Vilicus",
          "semanticVersion": "v0.0.3",
          "version": "0.0.3",
          "rules": [
          ]
        }
      },
      "automationDetails": {
        "description": {
          "text": "This is the run  localregistry.vilicus.svc:5000/local-image:tag1"
        },
        "id": "a905e00b-0549-4186-bbff-a1865b8de6ee",
        "guid": "a905e00b-0549-4186-bbff-a1865b8de6ee",
        "properties": {
          "tags": [
            "vulnerability",
            "vilicus",
            "localregistry.vilicus.svc:5000/local-image:tag1"
          ]
        }
      },
      "results":[
      ],
      "columnKind": "utf16CodeUnits"
    }
  ]
}

Used command:

TEMPLATE=$TEMPLATE OUTPUT="/artifacts/results.sarif" IMAGE=$IMAGE ./run-job.sh

Output:

Download Docker Compose
--2021-05-05 18:54:22--  https://raw.githubusercontent.com/edersonbrilhante/vilicus/main/deployments/docker-compose.yml
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.108.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3795 (3.7K) [text/plain]
Saving to: ‘docker-compose.yml’

docker-compose.yml                          100%[========================================================================================>]   3.71K  --.-KB/s    in 0s      

2021-05-05 18:54:22 (50.8 MB/s) - ‘docker-compose.yml’ saved [3795/3795]

Run Docker Compose
clairdb is up-to-date
vilicusdb is up-to-date
registry is up-to-date
anchoredb is up-to-date
trivydb is up-to-date
clair is up-to-date
anchore_engine is up-to-date
trivy is up-to-date
vilicus is up-to-date
Push Image
Run Scan
2021/05/05 18:54:23 Waiting for: http://vilicus:8080/healthz
2021/05/05 18:54:23 Received 200 from http://vilicus:8080/healthz
2021/05/05 18:55:23 Command finished successfully.

I don't know why no vulnerability shows up in the result.sarif file.
