https://github.com/fritterhoff/vulnerability-bot

Small bot to automate vulnerability updates in GitLab

# Vulnerability Bot for GitLab
Small bot to automate vulnerability patches in GitLab

Keeping Docker images up to date can be quite cumbersome, so this little bot was developed. It can be integrated into GitLab CI and opens a merge request whenever outstanding patches would be picked up by a plain rebuild.

To detect that, a new image is built without using cached layers and then compared with the existing image. If vulnerabilities reported for the old image are no longer reported for the new one, the merge request is created and the given Dockerfile is patched automatically: a comment is added after each `FROM` line so that the next CI build misses the layer cache and pulls fresh base layers.
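The two steps described above, the vulnerability diff that decides whether a merge request is warranted and the cache-busting `FROM` comment, as an added Go example that is not the bot's own code: `Vuln`, `FixedVulns` and `PatchDockerfile` are names chosen here, the two scan results are constructed, and the `# vulnerability-bot:` comment text is an assumption about the marker format rather than what the project writes.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Vuln is a minimal stand-in for one scanner finding. The real bot's data
// model is not shown on the page; this shape is an assumption for the example.
type Vuln struct {
	ID      string // vulnerability identifier as reported by the scanner
	Package string // affected package inside the image
}

// key makes a finding comparable across two scans of different images.
func (v Vuln) key() string { return v.Package + "@" + v.ID }

// FixedVulns returns the findings present in the old image but absent from
// the freshly built one. A non-empty result is what justifies opening a
// merge request: the rebuild actually removed something.
func FixedVulns(oldScan, newScan []Vuln) []Vuln {
	stillPresent := make(map[string]bool, len(newScan))
	for _, v := range newScan {
		stillPresent[v.key()] = true
	}
	var fixed []Vuln
	for _, v := range oldScan {
		if !stillPresent[v.key()] {
			fixed = append(fixed, v)
		}
	}
	return fixed
}

// Dockerfile instructions are case-insensitive; also matches "FROM --platform=...".
var fromLine = regexp.MustCompile(`(?i)^\s*FROM\s+`)

// markerPrefix is the assumed comment format written after each FROM line.
const markerPrefix = "# vulnerability-bot: "

// PatchDockerfile inserts a comment after every FROM line so the next build
// misses the layer cache for that stage and pulls a fresh base image.
// Markers left by an earlier run are replaced rather than stacked, so the
// file does not grow with every scheduled pipeline.
func PatchDockerfile(content, marker string) string {
	lines := strings.Split(content, "\n") // trailing "" keeps a final newline intact
	out := make([]string, 0, len(lines)+4)
	for _, line := range lines {
		if strings.HasPrefix(strings.TrimSpace(line), markerPrefix) {
			continue // drop marker from a previous patch
		}
		out = append(out, line)
		if fromLine.MatchString(line) {
			out = append(out, markerPrefix+marker)
		}
	}
	return strings.Join(out, "\n")
}

func main() {
	// Constructed scan results: the identifiers are placeholders, not real CVEs.
	oldScan := []Vuln{{"CVE-EXAMPLE-0001", "openssl"}, {"CVE-EXAMPLE-0002", "zlib"}}
	newScan := []Vuln{{"CVE-EXAMPLE-0002", "zlib"}}

	fixed := FixedVulns(oldScan, newScan)
	if len(fixed) == 0 {
		fmt.Println("rebuild fixes nothing; no merge request needed")
		return
	}
	for _, v := range fixed {
		fmt.Printf("fixed by rebuild: %s in %s\n", v.ID, v.Package)
	}

	// Constructed multi-stage Dockerfile; both FROM lines get a marker.
	dockerfile := "FROM alpine:3.18 AS build\nRUN apk add --no-cache go\n\nFROM alpine:3.18\nCOPY --from=build /out /app\n"
	fmt.Print(PatchDockerfile(dockerfile, time.Now().UTC().Format(time.RFC3339)))
}
```

The marker carries a timestamp so that each scheduled run changes the file content and therefore the build context; a constant comment would be cached right along with the `FROM` line it follows.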

## Usage

```
Usage:
  vulnerability-bot handle [flags]

Flags:
      --assign string   user to assign the MR to
  -h, --help            help for handle
      --new string      new image (may be path or image spec)
      --old string      old image (may be path or image spec)
      --path string     path to patch
      --source string   source branch of the MR
      --target string   target branch of the MR
  -t, --title string    title of the MR

Global Flags:
      --host string      gitlab host
      --project string   project id or name
      --token string     gitlab token
  -v, --verbose          verbose output
```

## Example

```yaml
build:
  stage: build
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  rules:
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"'
  script:
    - mkdir -p /kaniko/.docker
    - echo "{\"auths\":{\"${CI_REGISTRY}\":{\"auth\":\"$(printf "%s:%s" "${CI_REGISTRY_USER}" "${CI_REGISTRY_PASSWORD}" | base64 | tr -d '\n')\"}}}" > /kaniko/.docker/config.json
    - /kaniko/executor --context "${CI_PROJECT_DIR}/" --dockerfile "${CI_PROJECT_DIR}/Dockerfile" --destination "${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_SLUG}" --destination "${CI_REGISTRY_IMAGE}:latest" --cache=true

build:on-schedule:
  stage: build
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
  script:
    - mkdir -p $CI_PROJECT_DIR/artifacts
    - /kaniko/executor --force --context "${CI_PROJECT_DIR}" --dockerfile "${CI_PROJECT_DIR}/Dockerfile" --destination=image --tarPath artifacts/image.tar.gz --no-push
  artifacts:
    paths:
      - artifacts/

test_fix:
  stage: test
  image:
    name: ghcr.io/fritterhoff/vulnerability-bot:latest
    entrypoint: [""]
  script:
    - export TRIVY_USERNAME=${CI_REGISTRY_USER}
    - export TRIVY_PASSWORD=${CI_REGISTRY_PASSWORD}
    - /vulnerability-bot --host "$CI_SERVER_URL"
      --project $CI_PROJECT_ID
      --token "**TOKEN**"
      handle
      -t "Vulnerability patch"
      --old ${CI_REGISTRY_IMAGE}:latest
      --new artifacts/image.tar.gz
      --path "Dockerfile"
      --source "fix" --target "main"
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
```

`**TOKEN**` stands for a GitLab token allowed to create merge requests in the project; supply it through a masked CI/CD variable rather than writing it into the pipeline file.