Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/googlecloudplatform/aactl

Google Container Analysis data import utility, supports OSS vulnerability scanner reports, SLSA provenance and sigstore attestations.
https://github.com/googlecloudplatform/aactl

artifact attestations build container cosign gcb gcp import predicate sbom sigstore slsa

Last synced: about 1 month ago
JSON representation

Google Container Analysis data import utility, supports OSS vulnerability scanner reports, SLSA provenance and sigstore attestations.

Host: GitHub
URL: https://github.com/googlecloudplatform/aactl
Owner: GoogleCloudPlatform
License: apache-2.0
Created: 2023-03-16T01:13:48.000Z (over 1 year ago)
Default Branch: main
Last Pushed: 2024-05-01T12:36:59.000Z (7 months ago)
Last Synced: 2024-05-02T07:59:02.696Z (7 months ago)
Topics: artifact, attestations, build, container, cosign, gcb, gcp, import, predicate, sbom, sigstore, slsa
Language: Go
Homepage:
Size: 23.6 MB
Stars: 6
Watchers: 18
Forks: 4
Open Issues: 28
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE-OF-CONDUCT.md

Awesome Lists containing this project

README

# aactl

Google [Artifact Analysis (AA)](https://cloud.google.com/artifact-analysis/docs/artifact-analysis) service data import utility, supports OSS vulnerability scanner reports, SLSA provenance, and sigstore attestations.

AACTL is a sample tool that shows Google Cloud customers who use Artifact Registry how they can ingest vulnerabilities detected by supported scanning tools into Artifact Analysis. Once ingested, vulnerabilities will be stored & managed alongside vulnerabilities detected by Artifact Analysis. Vulnerabilities are viewable within Artifact Registry UI, SDS Security Insights, gcloud, and Artifact Analysis API (Container Analysis).

AACTL can also ingest SLSA Build Provenance generated by [SLSA GitHub Generator](https://github.com/slsa-framework/slsa-github-generator).

> Detailed installation instruction are available [here](INSTALLATION.md).

## Usage

`aactl` supports imports of two data types: `vulnerability` and `attestation`.

> In addition to CLI, `aactl` can also be used in your CI/CD pipeline as a Google Cloud Build builder ([example](examples/cloud-build/README.md)) or GitHub Actions action ([examples](examples/github-actions/README.md)).

### Vulnerability

To import vulnerabilities output by either [grype](https://github.com/anchore/grype), [snyk](https://github.com/snyk/cli), [trivy](https://github.com/aquasecurity/trivy) scanners, start by exporting the report in JSON format:

* [grype](https://github.com/anchore/grype)

`grype --add-cpes-if-none -s AllLayers -o json --file report.json $image`

* [snyk](https://github.com/snyk/cli)

`snyk container test --app-vulns --json-file-output=report.json $image`

* [trivy](https://github.com/aquasecurity/trivy)

`trivy image --format json --output report.json $image`

Once you have the vulnerability file, importing that file into AA using `aactl`:

```shell
aactl vulnerability --project $project \
--source $image \
--file report.json
```

> The $image variable in the above example is the fully qualified URI of the image including its digest (e.g. `us-docker.pkg.dev/project/repo/image@sha256:397d453...`).

To review the imported vulnerabilities in GCP:

```shell
gcloud artifacts docker images list $repo \
--show-occurrences \
--format json \
--occurrence-filter "kind=\"VULNERABILITY\" AND resource_url=\"https://$image\""
```

You can also navigate to Artifact Registry to view the vulnerabilities there.

![](examples/images/ar-vulns.png)

### Attestation

In addition to vulnerabilities, `aactl` can also import [sigstore](https://github.com/sigstore) attestations:

```shell
aactl attestation --project $project --source $image
```

> The $image variable in the above example is the fully qualified URI of the image including its digest (e.g. `us-docker.pkg.dev/project/repo/image@sha256:397d453...`).

The imported data can be accessed using `gcloud`:

```shell
gcloud artifacts docker images describe $image --show-provenance --format json
```

The resulting JSON will look something like this:

![](examples/images/slsa-console.png)

The data can also be viewed in Software Delivery Shield side panel:

![](examples/images/side-panel.png)

> SLSA level is currently not parsed properly, WIP.

## Contributing

Entirely new samples are not accepted. Bug fixes are welcome, either as pull
requests or as GitHub issues.

See [CONTRIBUTING.md](CONTRIBUTING.md) for details on how to contribute.

## Licensing

Code in this repository is licensed under the Apache 2.0. See [LICENSE](LICENSE).