https://github.com/khulnasoft/tunnel-pipe
- Host: GitHub
- URL: https://github.com/khulnasoft/tunnel-pipe
- Owner: khulnasoft
- License: apache-2.0
- Created: 2023-11-22T11:13:42.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2023-11-22T11:26:54.000Z (almost 2 years ago)
- Last Synced: 2025-02-01T02:16:57.894Z (8 months ago)
- Language: Shell
- Size: 20.5 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Tunnel Pipe
> [Bitbucket Pipeline](https://bitbucket.org/product/features/pipelines/) for [Tunnel](https://github.com/khulnasoft/tunnel)
## Usage
### Workflow
```yaml
image:
  name: atlassian/default-image:2

pipelines:
  default:
    - step:
        services:
          - docker
        script:
          - pipe: khulnasoft/tunnel-pipe:latest
            variables:
              # BITBUCKET_COMMIT is the commit SHA provided by Bitbucket Pipelines
              imageRef: 'docker.io/my-organization/my-app:${BITBUCKET_COMMIT}'
              format: 'table'
              exitCode: '1'
              ignoreUnfixed: true
              vulnType: 'os,library'
              severity: 'CRITICAL,HIGH'
```

### Using Tunnel to scan your Git repo
It's also possible to scan your Git repos with Tunnel's built-in repo scan. This can be handy if you want to run Tunnel as a build-time check on each PR that gets opened in your repo. This helps you identify potential vulnerabilities that might get introduced with each PR.

```yaml
image:
  name: atlassian/default-image:2

pipelines:
  default:
    - step:
        services:
          - docker
        script:
          - pipe: khulnasoft/tunnel-pipe:latest
            variables:
              scanType: 'fs'
              ignoreUnfixed: true
              format: 'template'
              template: '@/contrib/sarif.tpl'
              output: 'tunnel-results.sarif'
              severity: 'CRITICAL'
```

### Using Tunnel to scan Infrastructure as Code
It's also possible to scan your IaC repos with Tunnel's built-in repo scan in `config` mode. This can be handy if you want to run Tunnel as a build-time check on each PR that gets opened in your repo. This helps you identify potential misconfigurations and vulnerabilities that might get introduced with each PR.

```yaml
image:
  name: atlassian/default-image:2

pipelines:
  default:
    - step:
        services:
          - docker
        script:
          - pipe: khulnasoft/tunnel-pipe:latest
            variables:
              scanType: "config"
              hideProgress: "false"
              format: "table"
              exitCode: 1
              ignoreUnfixed: "true"
              severity: "CRITICAL,HIGH"
```

### Using Tunnel to scan your private registry
It's also possible to scan your private registry with Tunnel's built-in image scan. All you have to do is set the ENV vars.

#### Docker Hub registry
Docker Hub needs `TUNNEL_USERNAME` and `TUNNEL_PASSWORD`.
You don't need to set ENV vars when downloading from a public repository.
```yaml
image:
  name: atlassian/default-image:2

pipelines:
  default:
    - step:
        services:
          - docker
        script:
          - pipe: khulnasoft/tunnel-pipe:latest
            variables:
              # BITBUCKET_COMMIT is the commit SHA provided by Bitbucket Pipelines
              imageRef: 'docker.io/my-organization/my-app:${BITBUCKET_COMMIT}'
              format: 'template'
              template: '@/contrib/sarif.tpl'
              output: 'tunnel-results.sarif'
              TUNNEL_USERNAME: Username
              TUNNEL_PASSWORD: Password
```

#### AWS ECR (Elastic Container Registry)
Tunnel uses the AWS SDK, so you don't need to install the `aws` CLI tool.
You can use [AWS CLI's ENV Vars][env-var].

[env-var]: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
```yaml
image:
  name: atlassian/default-image:2

pipelines:
  default:
    - step:
        services:
          - docker
        script:
          - pipe: khulnasoft/tunnel-pipe:latest
            variables:
              # BITBUCKET_COMMIT is the commit SHA provided by Bitbucket Pipelines
              imageRef: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${BITBUCKET_COMMIT}'
              format: 'template'
              template: '@/contrib/sarif.tpl'
              output: 'tunnel-results.sarif'
              AWS_ACCESS_KEY_ID: key_id
              AWS_SECRET_ACCESS_KEY: access_key
              AWS_DEFAULT_REGION: us-west-2
```
#### GCR (Google Container Registry)
Tunnel uses the Google Cloud SDK, so you don't need to install the `gcloud` command. If you want to use a target project's repository, you can point Tunnel at the service-account credential file via `GOOGLE_APPLICATION_CREDENTIAL`.
```yaml
image:
  name: atlassian/default-image:2

pipelines:
  default:
    - step:
        services:
          - docker
        script:
          - pipe: khulnasoft/tunnel-pipe:latest
            variables:
              # BITBUCKET_COMMIT is the commit SHA provided by Bitbucket Pipelines
              imageRef: 'docker.io/my-organization/my-app:${BITBUCKET_COMMIT}'
              format: 'template'
              template: '@/contrib/sarif.tpl'
              output: 'tunnel-results.sarif'
              GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json
```

#### Self-Hosted
A BasicAuth server needs `TUNNEL_USERNAME` and `TUNNEL_PASSWORD`.
If you want to use port 80, set `TUNNEL_NON_SSL=true` to connect without SSL.
```yaml
image:
  name: atlassian/default-image:2

pipelines:
  default:
    - step:
        services:
          - docker
        script:
          - pipe: khulnasoft/tunnel-pipe:latest
            variables:
              # BITBUCKET_COMMIT is the commit SHA provided by Bitbucket Pipelines
              imageRef: 'docker.io/my-organization/my-app:${BITBUCKET_COMMIT}'
              format: 'template'
              template: '@/contrib/sarif.tpl'
              output: 'tunnel-results.sarif'
              TUNNEL_USERNAME: Username
              TUNNEL_PASSWORD: Password
```

## Customizing
### inputs
The following inputs can be used as keys under the pipe's `variables`:
| Name | Type | Default | Description |
|------------------|---------|------------------------------------|-----------------------------------------------|
| `scanType` | String | `image` | Scan type, e.g. `image` or `fs` |
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
| `imageRef` | String | | Image reference, e.g. `alpine:3.10.2` |
| `scanRef` | String | | Scan reference, e.g. `.` |
| `format` | String | `table` | Output format (`table`, `json`, `template`) |
| `template` | String | | Output template (`@/contrib/sarif.tpl`, `@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
| `output` | String | | Save results to a file |
| `exitCode` | String | `0` | Exit code when specified vulnerabilities are found |
| `ignoreUnfixed` | Boolean | `false` | Ignore unpatched/unfixed vulnerabilities |
| `vulnType` | String | `os,library` | Vulnerability types (`os`, `library`) |
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scan for and display |
| `skipDirs` | String | | Comma-separated list of directories where traversal is skipped |
| `cacheDir` | String | | Cache directory |
| `timeout` | String | `2m0s` | Scan timeout duration |
| `ignorePolicy` | String | | Filter vulnerabilities with an OPA Rego policy |
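A hardened variant of the private-registry pipelines above, added here as an example and not taken from the tunnel-pipe README: it keeps the registry credentials out of the YAML by referencing Bitbucket secured repository variables (assumed to be named `TUNNEL_USERNAME` and `TUNNEL_PASSWORD`), fails the step on CRITICAL/HIGH findings via `exitCode`, and keeps the SARIF report as a step artifact for later review.

```yaml
# Added example (not from the tunnel-pipe README). Assumes TUNNEL_USERNAME and
# TUNNEL_PASSWORD exist as *secured* repository variables in Bitbucket, so their
# values are masked in build logs and never stored in the repository.
image:
  name: atlassian/default-image:2

pipelines:
  pull-requests:
    '**':
      - step:
          name: Tunnel image scan
          services:
            - docker
          script:
            - pipe: khulnasoft/tunnel-pipe:latest
              variables:
                # BITBUCKET_COMMIT is the commit SHA provided by Bitbucket Pipelines
                imageRef: 'docker.io/my-organization/my-app:${BITBUCKET_COMMIT}'
                format: 'template'
                template: '@/contrib/sarif.tpl'
                output: 'tunnel-results.sarif'
                # Fail the step (and block the PR) on CRITICAL or HIGH findings,
                # including ones that have no fix yet.
                exitCode: '1'
                severity: 'CRITICAL,HIGH'
                ignoreUnfixed: 'false'
                # Weak setting: a literal password in the pipeline file is readable
                # by everyone with repository access and survives in git history.
                # TUNNEL_PASSWORD: Password
                # Corrected: reference the secured variables instead.
                TUNNEL_USERNAME: $TUNNEL_USERNAME
                TUNNEL_PASSWORD: $TUNNEL_PASSWORD
          artifacts:
            - tunnel-results.sarif
```

The `pull-requests` trigger runs the scan on every PR branch; the same step can be added under `default` to scan every push as well.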