diff --git a/docs/integrating-scribe/admission-controller/kyverno.md b/docs/integrating-scribe/admission-controller/kyverno.md index 24ec04eda..6bac4c945 100644 --- a/docs/integrating-scribe/admission-controller/kyverno.md +++ b/docs/integrating-scribe/admission-controller/kyverno.md @@ -127,6 +127,10 @@ spec: attestors: - entries: - certificates: + rekor: + ignoreTlog: true + ctlog: + ignoreSCT: true certChain: |- -----BEGIN CERTIFICATE----- MIIF8jCCA9qgAwIBAgICEjQwDQYJKoZIhvcNAQELBQAwgY0xCzAJBgNVBAYTAklM diff --git a/docs/integrating-scribe/ci-integrations/github/action-bom.md b/docs/integrating-scribe/ci-integrations/github/action-bom.md index 9ffafb99f..d23169dc7 100644 --- a/docs/integrating-scribe/ci-integrations/github/action-bom.md +++ b/docs/integrating-scribe/ci-integrations/github/action-bom.md @@ -173,7 +173,7 @@ To overcome the limitation install tool directly - **[installer](https://github. Containerized action can be used on Linux runners as following ```yaml - name: Generate cyclonedx json SBOM - uses: scribe-security/action-bom@v1.5.18 + uses: scribe-security/action-bom@v1.5.19 with: target: 'busybox:latest' ``` @@ -181,7 +181,7 @@ Containerized action can be used on Linux runners as following Composite Action can be used on Linux or Windows runners as following ```yaml - name: Generate cyclonedx json SBOM - uses: scribe-security/action-bom-cli@v1.5.18 + uses: scribe-security/action-bom-cli@v1.5.19 with: target: 'hello-world:latest' ``` diff --git a/docs/integrating-scribe/ci-integrations/github/action-evidence.md b/docs/integrating-scribe/ci-integrations/github/action-evidence.md index b8157882f..cfe6da83f 100644 --- a/docs/integrating-scribe/ci-integrations/github/action-evidence.md +++ b/docs/integrating-scribe/ci-integrations/github/action-evidence.md @@ -138,7 +138,7 @@ The `valint evidence` action is a versatile action designed to include various t Containerized action can be used on Linux runners as following ```yaml - name: Include evidence derived from a file - uses: scribe-security/action-evidence@v1.5.18 + uses: scribe-security/action-evidence@v1.5.19 with: target: some_file.json ``` @@ -146,7 +146,7 @@ Containerized action can be used on Linux runners as following Composite Action can be used on Linux or Windows runners as following ```yaml - name: Include evidence derived from a file - uses: scribe-security/action-evidence-cli@v1.5.18 + uses: scribe-security/action-evidence-cli@v1.5.19 with: target: some_file.json ``` diff --git a/docs/integrating-scribe/ci-integrations/github/action-slsa.md b/docs/integrating-scribe/ci-integrations/github/action-slsa.md index c125c10c7..d6d392b0e 100644 --- a/docs/integrating-scribe/ci-integrations/github/action-slsa.md +++ b/docs/integrating-scribe/ci-integrations/github/action-slsa.md @@ -157,7 +157,7 @@ To overcome the limitation install tool directly - [installer](https://github.co Containerized action can be used on Linux runners as following ```yaml - name: Generate SLSA provenance - uses: scribe-security/action-slsa@v1.5.18 + uses: scribe-security/action-slsa@v1.5.19 with: target: 'busybox:latest' ``` @@ -165,7 +165,7 @@ Containerized action can be used on Linux runners as following Composite Action can be used on Linux or Windows runners as following ```yaml - name: Generate cyclonedx json SBOM - uses: scribe-security/action-slsa-cli@v1.5.18 + uses: scribe-security/action-slsa-cli@v1.5.19 with: target: 'hello-world:latest' ``` diff --git a/docs/integrating-scribe/ci-integrations/github/action-verify.md b/docs/integrating-scribe/ci-integrations/github/action-verify.md index c1dcb1b5b..badbaca5e 100644 --- a/docs/integrating-scribe/ci-integrations/github/action-verify.md +++ b/docs/integrating-scribe/ci-integrations/github/action-verify.md @@ -169,7 +169,7 @@ Containerized action can be used on Linux runners as following ```yaml - name: valint verify id: valint_verify - uses: scribe-security/action-verify@v1.5.18 + uses: scribe-security/action-verify@v1.5.19 with: target: 'busybox:latest' ``` @@ -177,7 +177,7 @@ Containerized action can be used on Linux runners as following Composite Action can be used on Linux or Windows runners as following ```yaml - name: Generate cyclonedx json SBOM - uses: scribe-security/action-verify-cli@v1.5.18 + uses: scribe-security/action-verify-cli@v1.5.19 with: target: 'hello-world:latest' ``` diff --git a/docs/integrating-scribe/ci-integrations/gitlabci.md b/docs/integrating-scribe/ci-integrations/gitlabci.md index 2204f4e83..3da866867 100644 --- a/docs/integrating-scribe/ci-integrations/gitlabci.md +++ b/docs/integrating-scribe/ci-integrations/gitlabci.md @@ -63,6 +63,40 @@ scribe-gitlab-job: -P $SCRIBE_TOKEN ``` +#### Using custom x509 keys + +Utilizing X509 Keys on Gitlab CI. + +- Prepare the X509 key in PEM format, including the Certificate and CA-chain. + +- Encode the keys using the commands below: + +```yaml +cat my_key.pem | base64 +cat my_cert.pem | base64 +cat my_ca-chain.pem | base64 +``` + +- Store The following Secrets as project variable using **[GitLab project variable](https://docs.gitlab.com/ee/ci/variables/#add-a-cicd-variable-to-a-project)**. + +Signing Variables + +- `ATTEST_KEY_B64` Base64 encoded x509 Private key pem content, make sure to mask the value. +- `ATTEST_CERT_B64` - Base64 encoded x509 Cert pem content. +- `ATTEST_CA_B64` - Base64 encoded x509 CA Chain pem content + +We recommended to base64 encode your PEM files to ensure they can be marked as protected and masked. + +> Explore additional signing options in the [attestations](https://scribe-security.netlify.app/docs/valint/attestations) section. + +Lastly Use the masked environment variables with Valint by decoding them: +```yaml + - export ATTEST_KEY=$(echo $ATTEST_KEY_B64 | base64 -d | tr -d '\r' ) + - export ATTEST_CERT=$(echo $ATTEST_CERT_B64 | base64 -d | tr -d '\r' ) + - export ATTEST_CA=$(echo $ATTEST_CA_B64 | base64 -d | tr -d '\r' ) + - valint bom my_image:latest -o attest +``` + #### Basic example ```yaml diff --git a/docs/integrating-scribe/ci-integrations/jenkins.md b/docs/integrating-scribe/ci-integrations/jenkins.md index 6026b0b5a..c6ab39d48 100644 --- a/docs/integrating-scribe/ci-integrations/jenkins.md +++ b/docs/integrating-scribe/ci-integrations/jenkins.md @@ -26,10 +26,10 @@ The token is a secret and will not be accessible from the UI after you finalize 3. In the **Global credentials** section, click **+ Add Credentials**. A new **Credentials** form opens. Jenkins Add Credentials -4. Copy the Scribe Hub API Token to the **Password** field and set the username to `SCRIBE_CLIENT_ID`. +4. Copy the Scribe Hub API Token to the **Password**, and **Username** with anything: Jenkins Credentials Username/Password -5. Set **ID** to `scribe-auth-id` (lowercase). +5. Set **ID** to `scribe-auth-id` (lowercase) Jenkins Credentials ID 6. Click **Create**. @@ -80,7 +80,7 @@ pipeline { valint bom busybox:latest \ --context-type jenkins \ --output-directory ./scribe/valint \ - -P $SCRIBE_API_TOKEN + -P $SCRIBE_TOKEN ''' } } diff --git a/docs/platforms/bom.md b/docs/platforms/bom.md index f16fbf621..2f14a0c98 100644 --- a/docs/platforms/bom.md +++ b/docs/platforms/bom.md @@ -16,12 +16,13 @@ This command enables users to generate SBOMs on scale. --> ```bash -usage: platforms [options] bom [-h] [--allow-failures] [--save-scan-plan] [--dry-run] [--monitor.mount MOUNT] [--monitor.threshold THRESHOLD] [--monitor.clean-docker] - [--max-threads MAX_THREADS] [--valint.scribe.client-secret CLIENT_SECRET] [--valint.scribe.enable] [--valint.cache.disable] - [--valint.context-type CONTEXT_TYPE] [--valint.log-level LOG_LEVEL] [--valint.output-directory OUTPUT_DIRECTORY] [--valint.bin BIN] - [--valint.product-key PRODUCT_KEY] [--valint.product-version PRODUCT_VERSION] [--valint.predicate-type PREDICATE_TYPE] [--valint.attest ATTEST] - [--valint.sign] [--valint.components COMPONENTS] [--valint.label LABEL] [--unique] - {gitlab,k8s,dockerhub,github,jfrog,ecr,bitbucket} ... +usage: platforms [options] bom [-h] [--allow-failures] [--save-scan-plan] [--dry-run] [--monitor.mount MOUNT] [--monitor.threshold THRESHOLD] + [--monitor.clean-docker] [--max-threads MAX_THREADS] [--evidence.local.path PATH] [--valint.scribe.client-secret CLIENT_SECRET] + [--valint.cache.disable] [--valint.context-type CONTEXT_TYPE] [--valint.log-level LOG_LEVEL] + [--valint.output-directory OUTPUT_DIRECTORY] [--valint.bin BIN] [--valint.product-key PRODUCT_KEY] + [--valint.product-version PRODUCT_VERSION] [--valint.predicate-type PREDICATE_TYPE] [--valint.attest ATTEST] [--valint.sign] + [--valint.components COMPONENTS] [--valint.label LABEL] [--unique] + {gitlab,k8s,dockerhub,github,jfrog,ecr,bitbucket,azure} ... Export bom data @@ -38,10 +39,10 @@ options: Monitor disk usage - auto clean docker cache (default: False) --max-threads MAX_THREADS Number of threads used to run valint (type: int, default: 10) + --evidence.local.path PATH + Local report export directory path (type: str, default: output) --valint.scribe.client-secret CLIENT_SECRET, --scribe-token CLIENT_SECRET, --scribe-client-secret CLIENT_SECRET Scribe client Secret (type: str, default: ) - --valint.scribe.enable - Enable Scribe client (default: False) --valint.cache.disable Disable Valint local cache (default: False) --valint.context-type CONTEXT_TYPE @@ -56,13 +57,13 @@ options: --valint.product-version PRODUCT_VERSION Evidence product version (type: str, default: ) --valint.predicate-type PREDICATE_TYPE - Evidence predicate type (type: str, default: http://scribesecurity.com/evidence/discovery/v0.1) + Evidence predicate type (type: str, default: ) --valint.attest ATTEST Evidence attest type (type: str, default: x509-env) --valint.sign sign evidence (default: False) --valint.components COMPONENTS components list (type: str, default: ) - --valint.label LABEL Set additional labels (type: at 0x705649776b60>, default: []) + --valint.label LABEL Set additional labels (type: at 0x7ece7edf87c0>, default: []) --unique Allow unique assets (default: False) subcommands: @@ -76,6 +77,7 @@ subcommands: jfrog ecr bitbucket + azure ``` @@ -144,8 +146,9 @@ usage: platforms [options] bom [options] dockerhub [-h] [--instance.instance INS [--default_product_key_strategy {namespace,repository,tag,mapping}] [--default_product_version_strategy {tag,short_image_id,image_id}] [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]] [--scope.image_platform [IMAGE_PLATFORM ...]] - [--exclude.repository [REPOSITORY ...]] [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--scope.namespace [NAMESPACE ...]] - [--image.mapping [MAPPING ...]] + [--exclude.repository [REPOSITORY ...]] [--exclude.repository_tags [REPOSITORY_TAGS ...]] + [--scope.namespace [NAMESPACE ...]] [--image.mapping [MAPPING ...]] [--hook-config [HOOK_CONFIG ...]] + [--hook [HOOK ...]] [--hook.skip] [--image.hook [HOOK ...]] options: -h, --help Show this help message and exit. @@ -173,6 +176,12 @@ options: Dockerhub namespaces (default: ['*']) --image.mapping [MAPPING ...] Image product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, default: []) + --hook-config [HOOK_CONFIG ...] + Paths to YAML files containing custom hook definitions. (type: str, default: []) + --hook [HOOK ...] Specify hook IDs to execute. Available preconfigured hooks are: trivy_image, trivy_iac_and_secrets. (default: []) + --hook.skip Skip hooks (default: False) + --image.hook [HOOK ...] + Inline hook format :::::: (type: ToolHookString, default: []) ``` @@ -219,9 +228,11 @@ Note that the image characterization string is a wildcarded string, with separat ```bash usage: platforms [options] bom [options] k8s [-h] [--instance.instance INSTANCE] [--url URL] [--token TOKEN] [--types {namespace,pod,all}] - [--default_product_key_strategy {namespace,pod,image,mapping}] [--default_product_version_strategy {namespace_hash,pod_hash,image_id}] - [--scope.namespace [NAMESPACE ...]] [--scope.pod [POD ...]] [--scope.image [IMAGE ...]] [--ignore-state] - [--exclude.namespace [NAMESPACE ...]] [--exclude.pod [POD ...]] [--exclude.image [IMAGE ...]] [--image.mapping [MAPPING ...]] + [--default_product_key_strategy {namespace,pod,image,mapping}] + [--default_product_version_strategy {namespace_hash,pod_hash,image_id}] [--scope.namespace [NAMESPACE ...]] + [--scope.pod [POD ...]] [--scope.image [IMAGE ...]] [--ignore-state] [--exclude.namespace [NAMESPACE ...]] + [--exclude.pod [POD ...]] [--exclude.image [IMAGE ...]] [--image.mapping [MAPPING ...]] + [--hook-config [HOOK_CONFIG ...]] [--hook [HOOK ...]] [--hook.skip] [--image.hook [HOOK ...]] options: -h, --help Show this help message and exit. @@ -249,8 +260,14 @@ options: --exclude.image [IMAGE ...] Images to exclude from discovery process (default: []) --image.mapping [MAPPING ...] - K8s namespace;pod;image to product_key:product_version mappinge.g. my-namespace::my-pod::my-image::product_key::product_version (type: K8sImageMappingString, - default: []) + K8s namespace;pod;image to product_key:product_version mappinge.g. my-namespace::my-pod::my-image::product_key::product_version (type: + K8sImageMappingString, default: []) + --hook-config [HOOK_CONFIG ...] + Paths to YAML files containing custom hook definitions. (type: str, default: []) + --hook [HOOK ...] Specify hook IDs to execute. Available preconfigured hooks are: trivy_k8s_image, trivy_iac_and_secrets. (default: []) + --hook.skip Skip hooks (default: False) + --image.hook [HOOK ...] + Inline hook format :::::: (type: ToolHookString, default: []) ``` @@ -296,10 +313,12 @@ Note that the image characterization string is a wildcarded string, some useful --> ```bash -usage: platforms [options] bom [options] jfrog [-h] [--instance.instance INSTANCE] [--token TOKEN] [--url URL] [--default_product_key_strategy {jf-repository,repository,tag,mapping}] +usage: platforms [options] bom [options] jfrog [-h] [--instance.instance INSTANCE] [--token TOKEN] [--url URL] + [--default_product_key_strategy {jf-repository,repository,tag,mapping}] [--default_product_version_strategy {tag,short_image_id,image_id}] [--scope.jf-repository [JF_REPOSITORY ...]] - [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]] [--scope.image_platform [IMAGE_PLATFORM ...]] - [--exclude.jf-repository [JF_REPOSITORY ...]] [--exclude.repository [REPOSITORY ...]] [--exclude.repository_tags [REPOSITORY_TAGS ...]] + [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]] + [--scope.image_platform [IMAGE_PLATFORM ...]] [--exclude.jf-repository [JF_REPOSITORY ...]] + [--exclude.repository [REPOSITORY ...]] [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--image.mapping [MAPPING ...]] options: @@ -348,8 +367,9 @@ platforms bom ecr --image.mapping "*.dkr.ecr.*.amazonaws.com/my-image*::my-produ ```bash usage: platforms [options] bom [options] ecr [-h] [--instance.instance INSTANCE] [--default_product_key_strategy {aws-account,repository,tag,mapping}] - [--scope.aws-account [AWS_ACCOUNT ...]] [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]] - [--scope.image_platform [IMAGE_PLATFORM ...]] [--exclude.aws-account [AWS_ACCOUNT ...]] [--exclude.repository [REPOSITORY ...]] + [--scope.aws-account [AWS_ACCOUNT ...]] [--scope.repository [REPOSITORY ...]] + [--scope.repository_tags [REPOSITORY_TAGS ...]] [--scope.image_platform [IMAGE_PLATFORM ...]] + [--exclude.aws-account [AWS_ACCOUNT ...]] [--exclude.repository [REPOSITORY ...]] [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--url URL] [--image.mapping [MAPPING ...]] options: @@ -396,11 +416,12 @@ Note that the image characterization string is a wildcarded string, some useful --> ```bash -usage: platforms [options] bom [options] bitbucket [-h] [--instance.instance INSTANCE] [--app_password APP_PASSWORD] [--username USERNAME] [--workspace_token WORKSPACE_TOKEN] - [--workspace WORKSPACE] [--url URL] [--types {repository,all}] [--scope.workspace [WORKSPACE ...]] [--scope.project [PROJECT ...]] - [--scope.repository [REPOSITORY ...]] [--scope.commit [COMMIT ...]] [--scope.branch [BRANCH ...]] [--scope.webhook [WEBHOOK ...]] - [--commit.skip] [--default_product_key_strategy {mapping}] [--workspace.mapping [MAPPING ...]] [--project.mapping [MAPPING ...]] - [--repository.mapping [MAPPING ...]] +usage: platforms [options] bom [options] bitbucket [-h] [--instance.instance INSTANCE] [--app_password APP_PASSWORD] [--username USERNAME] + [--workspace_token WORKSPACE_TOKEN] [--workspace WORKSPACE] [--url URL] [--types {repository,all}] + [--scope.workspace [WORKSPACE ...]] [--scope.project [PROJECT ...]] [--scope.repository [REPOSITORY ...]] + [--scope.commit [COMMIT ...]] [--scope.branch [BRANCH ...]] [--scope.webhook [WEBHOOK ...]] [--commit.skip] + [--branch-protection.skip] [--default_product_key_strategy {mapping}] [--workspace.mapping [MAPPING ...]] + [--project.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] options: -h, --help Show this help message and exit. @@ -419,11 +440,11 @@ options: --scope.workspace [WORKSPACE ...] BitBucket workspace list (default: ['*']) --scope.project [PROJECT ...] - BitBucket projects wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / project_name' - (default: ['*']) - --scope.repository [REPOSITORY ...] - BitBucket repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / + BitBucket projects wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / project_name' (default: ['*']) + --scope.repository [REPOSITORY ...] + BitBucket repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format + 'namespace / project_name' (default: ['*']) --scope.commit [COMMIT ...] BitBucket commit wildcards (default: []) --scope.branch [BRANCH ...] @@ -431,17 +452,19 @@ options: --scope.webhook [WEBHOOK ...] BitBucket webhook wildcards (default: []) --commit.skip Skip commits in discovery/evidence (default: False) + --branch-protection.skip + Skip Branch protection in discovery/evidence (default: False) --default_product_key_strategy {mapping} Deferment product key by mapping. In the future - we shall support by reopsitory name too. (default: mapping) --workspace.mapping [MAPPING ...] - Workspace product key mapping in the format of workspace::product_key::product_version where org is the workspace name, wildcards are supported (type: - AssetMappingString, default: []) + Workspace product key mapping in the format of workspace::product_key::product_version where org is the workspace name, wildcards are + supported (type: AssetMappingString, default: []) --project.mapping [MAPPING ...] - Project product key mapping in the format of project::product_key::product_version where org is the project name, wildcards are supported (type: - AssetMappingString, default: []) + Project product key mapping in the format of project::product_key::product_version where org is the project name, wildcards are supported + (type: AssetMappingString, default: []) --repository.mapping [MAPPING ...] - Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported (type: - AssetMappingString, default: []) + Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported + (type: AssetMappingString, default: []) ``` @@ -463,9 +486,11 @@ Note that the image characterization string is a wildcarded string, some useful --> ```bash -usage: platforms [options] bom [options] github [-h] [--instance.instance INSTANCE] [--token TOKEN] [--url URL] [--types {repository,all}] [--scope.organization [ORGANIZATION ...]] - [--scope.repository [REPOSITORY ...]] [--scope.branch [BRANCH ...]] [--scope.tag [TAG ...]] [--branch.shallow] [--commit.skip] - [--default_product_key_strategy {mapping}] [--organization.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] +usage: platforms [options] bom [options] github [-h] [--instance.instance INSTANCE] [--token TOKEN] [--url URL] [--types {repository,all}] + [--scope.organization [ORGANIZATION ...]] [--scope.repository [REPOSITORY ...]] [--scope.branch [BRANCH ...]] + [--scope.tag [TAG ...]] [--branch.shallow] [--commit.skip] [--default_product_key_strategy {mapping}] + [--organization.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] [--hook-config [HOOK_CONFIG ...]] + [--hook [HOOK ...]] [--hook.skip] [--repository.hooks [HOOKS ...]] options: -h, --help Show this help message and exit. @@ -478,8 +503,8 @@ options: --scope.organization [ORGANIZATION ...] Github organization list (default: ['*']) --scope.repository [REPOSITORY ...] - Github repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / project_name' - (default: ['*']) + Github repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace + / project_name' (default: ['*']) --scope.branch [BRANCH ...] Github branches wildcards (default: []) --scope.tag [TAG ...] @@ -489,11 +514,17 @@ options: --default_product_key_strategy {mapping} Deferment product key by mapping. In the future - we shall support by reopsitory name too. (default: mapping) --organization.mapping [MAPPING ...] - Organization product key mapping in the format of org::product_key::product_version where org is the organization name, wildcards are supported (type: - AssetMappingString, default: []) + Organization product key mapping in the format of org::product_key::product_version where org is the organization name, wildcards are + supported (type: AssetMappingString, default: []) --repository.mapping [MAPPING ...] - Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported (type: - AssetMappingString, default: []) + Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported + (type: AssetMappingString, default: []) + --hook-config [HOOK_CONFIG ...] + Paths to YAML files containing custom hook definitions. (type: str, default: []) + --hook [HOOK ...] Specify hook IDs to execute. Available preconfigured hooks are: opengrep, trivy_iac_and_secrets, gitleaks_secrets, kics_scan. (default: []) + --hook.skip Skip hooks (default: False) + --repository.hooks [HOOKS ...] + Inline hook format :::::: (type: ToolHookString, default: []) ``` @@ -515,9 +546,10 @@ Note that the image characterization string is a wildcarded string, some useful --> ```bash -usage: platforms [options] bom [options] gitlab [-h] [--instance.instance INSTANCE] [--token TOKEN] [--url URL] [--types {project,all}] [--scope.organization [ORGANIZATION ...]] - [--scope.project [PROJECT ...]] [--scope.branch [BRANCH ...]] [--scope.tag [TAG ...]] [--commit.skip] [--pipeline.skip] - [--default_product_key_strategy {mapping}] [--organization.mapping [MAPPING ...]] [--project.mapping [MAPPING ...]] +usage: platforms [options] bom [options] gitlab [-h] [--instance.instance INSTANCE] [--token TOKEN] [--url URL] [--types {project,all}] + [--scope.organization [ORGANIZATION ...]] [--scope.project [PROJECT ...]] [--scope.branch [BRANCH ...]] + [--scope.tag [TAG ...]] [--commit.skip] [--pipeline.skip] [--default_product_key_strategy {mapping}] + [--organization.mapping [MAPPING ...]] [--project.mapping [MAPPING ...]] options: -h, --help Show this help message and exit. @@ -530,8 +562,8 @@ options: --scope.organization [ORGANIZATION ...] Gitlab organization list (default: ['*']) --scope.project [PROJECT ...] - Gitlab projects epositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / - project_name' (default: ['*']) + Gitlab projects epositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format + 'namespace / project_name' (default: ['*']) --scope.branch [BRANCH ...] Gitlab branches wildcards (default: null) --scope.tag [TAG ...] diff --git a/docs/platforms/discover.md b/docs/platforms/discover.md index 3ce0c648f..47571246b 100644 --- a/docs/platforms/discover.md +++ b/docs/platforms/discover.md @@ -22,18 +22,21 @@ The evidence generation process uses Scribe's `valint` tool to upload and option --> ```bash -usage: platforms [options] discover [-h] [--db.local.store_policy {update,replace}] [--db.update_period UPDATE_PERIOD] [--evidence.local.path PATH] [--evidence.local.prefix PREFIX] - [--evidence.local_only] [--max-threads MAX_THREADS] [--thread-timeout THREAD_TIMEOUT] [--rate-limit-retry RATE_LIMIT_RETRY] [--allow-failures] - [--export-partial] [--skip-evidence] [--valint.scribe.client-secret CLIENT_SECRET] [--valint.scribe.enable] [--valint.cache.disable] - [--valint.context-type CONTEXT_TYPE] [--valint.log-level LOG_LEVEL] [--valint.output-directory OUTPUT_DIRECTORY] [--valint.bin BIN] - [--valint.product-key PRODUCT_KEY] [--valint.product-version PRODUCT_VERSION] [--valint.predicate-type PREDICATE_TYPE] [--valint.attest ATTEST] - [--valint.sign] [--valint.components COMPONENTS] [--valint.label LABEL] [--unique] - {gitlab,dockerhub,k8s,github,jfrog,ecr,jenkins,bitbucket} ... +usage: platforms [options] discover [-h] [--check-token-permissions] [--db.local.store_policy {update,replace}] [--db.update_period UPDATE_PERIOD] + [--evidence.local.path PATH] [--evidence.local.prefix PREFIX] [--evidence.local_only] [--max-threads MAX_THREADS] + [--thread-timeout THREAD_TIMEOUT] [--rate-limit-retry RATE_LIMIT_RETRY] [--allow-failures] [--export-partial] [--skip-evidence] + [--valint.scribe.client-secret CLIENT_SECRET] [--valint.cache.disable] [--valint.context-type CONTEXT_TYPE] + [--valint.log-level LOG_LEVEL] [--valint.output-directory OUTPUT_DIRECTORY] [--valint.bin BIN] [--valint.product-key PRODUCT_KEY] + [--valint.product-version PRODUCT_VERSION] [--valint.predicate-type PREDICATE_TYPE] [--valint.attest ATTEST] [--valint.sign] + [--valint.components COMPONENTS] [--valint.label LABEL] [--unique] + {gitlab,dockerhub,k8s,github,jfrog,ecr,jenkins,bitbucket,azure} ... Discover assets and save data to a local store options: -h, --help Show this help message and exit. + --check-token-permissions + Check token permissions (default: False) --db.local.store_policy {update,replace} Policy for local data collection: update or replace (default: update) --db.update_period UPDATE_PERIOD @@ -49,14 +52,12 @@ options: --thread-timeout THREAD_TIMEOUT Thread timeout in seconds (type: float, default: 20.0) --rate-limit-retry RATE_LIMIT_RETRY - Retry on rate limit (type: int, default: 3) + Retry on rate limit (default disabled) (type: int, default: 0) --allow-failures Allow failures without returning an error code (default: False) --export-partial Upload Partial Discover evidence (default: False) --skip-evidence Skip evidence upload (default: False) --valint.scribe.client-secret CLIENT_SECRET, --scribe-token CLIENT_SECRET, --scribe-client-secret CLIENT_SECRET Scribe client Secret (type: str, default: ) - --valint.scribe.enable - Enable Scribe client (default: False) --valint.cache.disable Disable Valint local cache (default: False) --valint.context-type CONTEXT_TYPE @@ -71,13 +72,13 @@ options: --valint.product-version PRODUCT_VERSION Evidence product version (type: str, default: ) --valint.predicate-type PREDICATE_TYPE - Evidence predicate type (type: str, default: http://scribesecurity.com/evidence/discovery/v0.1) + Evidence predicate type (type: str, default: ) --valint.attest ATTEST Evidence attest type (type: str, default: x509-env) --valint.sign sign evidence (default: False) --valint.components COMPONENTS components list (type: str, default: ) - --valint.label LABEL Set additional labels (type: at 0x7697d3755a80>, default: []) + --valint.label LABEL Set additional labels (type: at 0x75bbf48f2ca0>, default: []) --unique Allow unique assets (default: False) subcommands: @@ -92,6 +93,7 @@ subcommands: ecr jenkins bitbucket + azure ``` @@ -140,7 +142,7 @@ usage: platforms [options] discover [options] gitlab [-h] [--instance.instance I [--default_product_key_strategy {mapping}] [--scope.skip_org_members] [--scope.skip_project_members] [--scope.commit.past_days PAST_DAYS] [--scope.pipeline.past_days PAST_DAYS] [--scope.pipeline.analyzed_logs] [--scope.pipeline.reports] [--broad] [--organization.mapping [MAPPING ...]] [--project.mapping [MAPPING ...]] - [--organization.single] [--project.single] + [--organization.single] [--project.single] [--skip-cache] [--cache-ttl CACHE_TTL] [--cache-group CACHE_GROUP] options: -h, --help Show this help message and exit. @@ -155,8 +157,8 @@ options: --scope.organization [ORGANIZATION ...] Gitlab organization list (default: ['*']) --scope.project [PROJECT ...] - Gitlab projects epositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / - project_name' (default: ['*']) + Gitlab projects epositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format + 'namespace / project_name' (default: ['*']) --scope.branch [BRANCH ...] Gitlab branches wildcards (default: null) --scope.tag [TAG ...] @@ -185,6 +187,11 @@ options: --organization.single Export all organizations in a single evidence (default: False) --project.single Export all projects in a single evidence (default: False) + --skip-cache, -f Skip Scribe Evidence cache lookup (default: False) + --cache-ttl CACHE_TTL + time to live for cache (default: 2d) + --cache-group CACHE_GROUP + Scribe cache group, default to runners pipeline ID, empty to use global context (default: by_pipeline) ``` @@ -240,8 +247,10 @@ usage: platforms [options] discover [options] github [-h] [--instance.instance I [--token TOKEN] [--url URL] [--scope.organization [ORGANIZATION ...]] [--scope.repository [REPOSITORY ...]] [--scope.branch [BRANCH ...]] [--scope.tag [TAG ...]] [--branch.shallow] [--commit.skip] [--default_product_key_strategy {mapping}] [--scope.commit.past_days PAST_DAYS] [--workflow.skip] - [--scope.workflow.past_days PAST_DAYS] [--scope.workflow.analyzed_logs] [--scope.runners] [--scope.sbom] [--broad] - [--organization.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] + [--scope.workflow.past_days PAST_DAYS] [--scope.workflow.analyzed_logs] [--scope.runners] [--scope.sbom] + [--broad] [--hook-config [HOOK_CONFIG ...]] [--hook [HOOK ...]] [--hook.skip] [--repository.hooks [HOOKS ...]] + [--organization.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] [--skip-cache] + [--cache-ttl CACHE_TTL] [--cache-group CACHE_GROUP] options: -h, --help Show this help message and exit. @@ -256,8 +265,8 @@ options: --scope.organization [ORGANIZATION ...] Github organization list (default: ['*']) --scope.repository [REPOSITORY ...] - Github repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / project_name' - (default: ['*']) + Github repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace + / project_name' (default: ['*']) --scope.branch [BRANCH ...] Github branches wildcards (default: []) --scope.tag [TAG ...] @@ -276,12 +285,23 @@ options: --scope.runners Include repository allocated runners in evidence (default: False) --scope.sbom Include repositories SBOM in evidence (default: False) --broad Retrieves limited information (only organizations, repositories and workflows) (default: False) + --hook-config [HOOK_CONFIG ...] + Paths to YAML files containing custom hook definitions. (type: str, default: []) + --hook [HOOK ...] Specify hook IDs to execute. Available preconfigured hooks are: trivy_iac_and_secrets. (default: []) + --hook.skip Skip hooks (default: False) + --repository.hooks [HOOKS ...] + Inline hook format :::::: (type: ToolHookString, default: []) --organization.mapping [MAPPING ...] - Organization product key mapping in the format of org::product_key::product_version where org is the organization name, wildcards are supported (type: - AssetMappingString, default: []) + Organization product key mapping in the format of org::product_key::product_version where org is the organization name, wildcards are + supported (type: AssetMappingString, default: []) --repository.mapping [MAPPING ...] - Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported (type: - AssetMappingString, default: []) + Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported + (type: AssetMappingString, default: []) + --skip-cache, -f Skip Scribe Evidence cache lookup (default: False) + --cache-ttl CACHE_TTL + time to live for cache (default: 2d) + --cache-group CACHE_GROUP + Scribe cache group, default to runners pipeline ID, empty to use global context (default: by_pipeline) ``` @@ -328,9 +348,10 @@ usage: platforms [options] discover [options] dockerhub [-h] [--instance.instanc [--username USERNAME] [--password PASSWORD] [--token TOKEN] [--url URL] [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]] [--scope.image_platform [IMAGE_PLATFORM ...]] [--exclude.repository [REPOSITORY ...]] [--exclude.repository_tags [REPOSITORY_TAGS ...]] - [--namespace-list [NAMESPACE_LIST ...]] [--scope.past_days PAST_DAYS] [--broad] [--namespace.single] [--repository.single] - [--namespace.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] [--instance.mapping [MAPPING ...]] - [--default_product_key_strategy {mapping,mapping,mapping,mapping}] + [--namespace-list [NAMESPACE_LIST ...]] [--scope.past_days PAST_DAYS] [--broad] [--namespace.single] + [--repository.single] [--namespace.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] + [--instance.mapping [MAPPING ...]] [--default_product_key_strategy {mapping,mapping,mapping,mapping}] + [--hook-config [HOOK_CONFIG ...]] [--hook [HOOK ...]] [--hook.skip] [--repository.hook [HOOK ...]] options: -h, --help Show this help message and exit. @@ -369,6 +390,12 @@ options: Repository tag product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, default: []) --default_product_key_strategy {mapping,mapping,mapping,mapping} Override product key with namespace, repository or image names (default: mapping) + --hook-config [HOOK_CONFIG ...] + Paths to YAML files containing custom hook definitions. (type: str, default: []) + --hook [HOOK ...] Specify hook IDs to execute. Available preconfigured hooks are: trivy_image, trivy_iac_and_secrets. (default: []) + --hook.skip Skip hooks (default: False) + --repository.hook [HOOK ...] + Inline hook format :::::: (type: ToolHookString, default: []) ``` @@ -405,11 +432,14 @@ platforms discover k8s \ --> ```bash -usage: platforms [options] discover [options] k8s [-h] [--instance.instance INSTANCE] [--types {namespace,pod,secret,deployment,all} [{namespace,pod,secret,deployment,all} ...]] - [--exclude.types {namespace,pod,secret,deployment} [{namespace,pod,secret,deployment} ...]] [--url URL] [--token TOKEN] - [--scope.namespace [NAMESPACE ...]] [--scope.pod [POD ...]] [--scope.image [IMAGE ...]] [--ignore-state] - [--exclude.namespace [NAMESPACE ...]] [--exclude.pod [POD ...]] [--exclude.image [IMAGE ...]] [--secret.skip] [--deployment.skip] - [--broad] [--namespace.single] [--pod.single] [--namespace.mapping [MAPPING ...]] [--pod.mapping [MAPPING ...]] +usage: platforms [options] discover [options] k8s [-h] [--instance.instance INSTANCE] + [--types {namespace,pod,secret,deployment,all} [{namespace,pod,secret,deployment,all} ...]] + [--exclude.types {namespace,pod,secret,deployment} [{namespace,pod,secret,deployment} ...]] [--url URL] + [--token TOKEN] [--scope.namespace [NAMESPACE ...]] [--scope.pod [POD ...]] [--scope.image [IMAGE ...]] + [--ignore-state] [--exclude.namespace [NAMESPACE ...]] [--exclude.pod [POD ...]] [--exclude.image [IMAGE ...]] + [--secret.skip] [--deployment.skip] [--broad] [--namespace.single] [--pod.single] + [--namespace.mapping [MAPPING ...]] [--pod.mapping [MAPPING ...]] [--hook-config [HOOK_CONFIG ...]] + [--hook [HOOK ...]] [--hook.skip] [--namespace.hooks [HOOKS ...]] [--default_product_key_strategy {namespace,pod,image,mapping}] options: @@ -444,6 +474,12 @@ options: Namespace product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, default: []) --pod.mapping [MAPPING ...] Pod product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, default: []) + --hook-config [HOOK_CONFIG ...] + Paths to YAML files containing custom hook definitions. (type: str, default: []) + --hook [HOOK ...] Specify hook IDs to execute. Available preconfigured hooks are: kubescape_cluster, apparmor_namespace. (default: []) + --hook.skip Skip hooks (default: False) + --namespace.hooks [HOOKS ...] + Inline hook format :::::: (type: ToolHookString, default: []) --default_product_key_strategy {namespace,pod,image,mapping} Override product key with namespace, pod or image names (default: mapping) ``` @@ -501,9 +537,10 @@ usage: platforms [options] discover [options] jfrog [-h] [--instance.instance IN [--token TOKEN] [--url URL] [--scope.jf-repository [JF_REPOSITORY ...]] [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]] [--scope.image_platform [IMAGE_PLATFORM ...]] [--exclude.jf-repository [JF_REPOSITORY ...]] [--exclude.repository [REPOSITORY ...]] - [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--scope.past_days PAST_DAYS] [--scope.tag_limit TAG_LIMIT] [--broad] - [--jf-repository.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] [--instance.mapping [MAPPING ...]] - [--jf-repository.single] [--repository.single] [--default_product_key_strategy {mapping,mapping,mapping,mapping}] + [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--scope.past_days PAST_DAYS] [--scope.tag_limit TAG_LIMIT] + [--broad] [--jf-repository.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] + [--instance.mapping [MAPPING ...]] [--jf-repository.single] [--repository.single] + [--default_product_key_strategy {mapping,mapping,mapping,mapping}] options: -h, --help Show this help message and exit. @@ -532,8 +569,8 @@ options: --scope.past_days PAST_DAYS Ignore tags pushed earlier that previous to this number of days (type: int, default: 30) --scope.tag_limit TAG_LIMIT - Limit the number of recent tags to be discovered. Scoping to tag names is done on the limited tag list. Limit applies also to the past_days filter. 0 for no - limit, default is 10. (type: int, default: 20) + Limit the number of recent tags to be discovered. Scoping to tag names is done on the limited tag list. Limit applies also to the past_days + filter. 0 for no limit, default is 10. (type: int, default: 20) --broad Retrieves limited information (only jf-repositories and repositories) (default: False) --jf-repository.mapping [MAPPING ...] Repository product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, default: []) @@ -593,13 +630,13 @@ platforms discover ecr \ ```bash usage: platforms [options] discover [options] ecr [-h] [--instance.instance INSTANCE] [--types {aws-account,repository,repository_tags,all} [{aws-account,repository,repository_tags,all} ...]] - [--exclude.types {aws-account,repository,repository_tags} [{aws-account,repository,repository_tags} ...]] [--token TOKEN] - [--url URL] [--scope.aws-account [AWS_ACCOUNT ...]] [--scope.repository [REPOSITORY ...]] + [--exclude.types {aws-account,repository,repository_tags} [{aws-account,repository,repository_tags} ...]] + [--token TOKEN] [--url URL] [--scope.aws-account [AWS_ACCOUNT ...]] [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]] [--scope.image_platform [IMAGE_PLATFORM ...]] - [--exclude.aws-account [AWS_ACCOUNT ...]] [--exclude.repository [REPOSITORY ...]] [--exclude.repository_tags [REPOSITORY_TAGS ...]] - [--scope.past_days PAST_DAYS] [--scope.tag_limit TAG_LIMIT] [--broad] [--aws-account.mapping [MAPPING ...]] - [--repository.mapping [MAPPING ...]] [--aws-account.single] [--repository.single] - [--default_product_key_strategy {mapping,mapping,mapping,mapping}] + [--exclude.aws-account [AWS_ACCOUNT ...]] [--exclude.repository [REPOSITORY ...]] + [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--scope.past_days PAST_DAYS] [--scope.tag_limit TAG_LIMIT] + [--broad] [--aws-account.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] [--aws-account.single] + [--repository.single] [--default_product_key_strategy {mapping,mapping,mapping,mapping}] options: -h, --help Show this help message and exit. @@ -628,8 +665,8 @@ options: --scope.past_days PAST_DAYS Ignore tags pushed earlier that previous to this number of days (type: int, default: 30) --scope.tag_limit TAG_LIMIT - Limit the number of recent tags to be discovered. Scoping to tag names is done on the limited tag list. Limit applies also to the past_days filter. 0 for no - limit, default is 10. (type: int, default: 10) + Limit the number of recent tags to be discovered. Scoping to tag names is done on the limited tag list. Limit applies also to the past_days + filter. 0 for no limit, default is 10. (type: int, default: 10) --broad Retrieves limited information (only aws-account and repository) (default: False) --aws-account.mapping [MAPPING ...] Repository product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, default: []) @@ -688,11 +725,13 @@ platforms discover bitbucket \ ```bash usage: platforms [options] discover [options] bitbucket [-h] [--instance.instance INSTANCE] [--types {workspace,project,repository,branch,commit,authenticated_user,webhooks,repo_permission,user_permission,branch_protection,token,all} [{workspace,project,repository,branch,commit,authenticated_user,webhooks,repo_permission,user_permission,branch_protection,token,all} ...]] - [--app_password APP_PASSWORD] [--username USERNAME] [--workspace_token WORKSPACE_TOKEN] [--workspace WORKSPACE] [--url URL] - [--scope.workspace [WORKSPACE ...]] [--scope.project [PROJECT ...]] [--scope.repository [REPOSITORY ...]] - [--scope.commit [COMMIT ...]] [--scope.branch [BRANCH ...]] [--scope.webhook [WEBHOOK ...]] [--commit.skip] [--broad] + [--app_password APP_PASSWORD] [--username USERNAME] [--workspace_token WORKSPACE_TOKEN] + [--workspace WORKSPACE] [--url URL] [--scope.workspace [WORKSPACE ...]] [--scope.project [PROJECT ...]] + [--scope.repository [REPOSITORY ...]] [--scope.commit [COMMIT ...]] [--scope.branch [BRANCH ...]] + [--scope.webhook [WEBHOOK ...]] [--commit.skip] [--branch-protection.skip] [--broad] [--workspace.mapping [MAPPING ...]] [--project.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] [--default_product_key_strategy {mapping}] [--workspace.single] [--project.single] [--repository.single] + [--skip-cache] [--cache-ttl CACHE_TTL] [--cache-group CACHE_GROUP] options: -h, --help Show this help message and exit. @@ -711,11 +750,11 @@ options: --scope.workspace [WORKSPACE ...] BitBucket workspace list (default: ['*']) --scope.project [PROJECT ...] - BitBucket projects wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / project_name' - (default: ['*']) - --scope.repository [REPOSITORY ...] - BitBucket repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / + BitBucket projects wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / project_name' (default: ['*']) + --scope.repository [REPOSITORY ...] + BitBucket repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format + 'namespace / project_name' (default: ['*']) --scope.commit [COMMIT ...] BitBucket commit wildcards (default: []) --scope.branch [BRANCH ...] @@ -723,21 +762,28 @@ options: --scope.webhook [WEBHOOK ...] BitBucket webhook wildcards (default: []) --commit.skip Skip commits in discovery/evidence (default: False) + --branch-protection.skip + Skip Branch protection in discovery/evidence (default: False) --broad Retrieves limited information (only workspaces, repositories) (default: False) --workspace.mapping [MAPPING ...] - Workspace product key mapping in the format of workspace::product_key::product_version where org is the workspace name, wildcards are supported (type: - AssetMappingString, default: []) + Workspace product key mapping in the format of workspace::product_key::product_version where org is the workspace name, wildcards are + supported (type: AssetMappingString, default: []) --project.mapping [MAPPING ...] - Project product key mapping in the format of project::product_key::product_version where org is the project name, wildcards are supported (type: - AssetMappingString, default: []) + Project product key mapping in the format of project::product_key::product_version where org is the project name, wildcards are supported + (type: AssetMappingString, default: []) --repository.mapping [MAPPING ...] - Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported (type: - AssetMappingString, default: []) + Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported + (type: AssetMappingString, default: []) --default_product_key_strategy {mapping} Deferment product key by mapping. In the future - we shall support by reopsitory name too. (default: mapping) --workspace.single Export all workspaces in a single evidence (default: False) --project.single Export all projects in a single evidence (default: False) --repository.single Export all repos in a single evidence (default: False) + --skip-cache, -f Skip Scribe Evidence cache lookup (default: False) + --cache-ttl CACHE_TTL + time to live for cache (default: 2d) + --cache-group CACHE_GROUP + Scribe cache group, default to runners pipeline ID, empty to use global context (default: by_pipeline) ``` @@ -783,10 +829,11 @@ platforms discover jenkins \ ```bash usage: platforms [options] discover [options] jenkins [-h] [--instance.instance INSTANCE] [--username USERNAME] [--password PASSWORD] [--url URL] [--broad] [--types {all,computer_set,users,jobs,job_runs,credential_stores,plugins,security_settings,all} [{all,computer_set,users,jobs,job_runs,credential_stores,plugins,security_settings,all} ...]] - [--credential_stores.skip] [--users.skip] [--plugins.skip] [--security_settings.skip] [--computer_set.skip] [--jobs.skip] - [--scope.folder [FOLDER ...]] [--exclude.folder [FOLDER ...]] [--scope.job_runs.past_days PAST_DAYS] [--scope.job_runs.max MAX] - [--scope.job_runs.analyzed_logs] [--job_runs.skip] [--default_product_key_strategy {mapping}] - [--instance-mapping [INSTANCE_MAPPING ...]] [--folder.mapping [MAPPING ...]] + [--credential_stores.skip] [--users.skip] [--plugins.skip] [--security_settings.skip] [--computer_set.skip] + [--jobs.skip] [--scope.folder [FOLDER ...]] [--exclude.folder [FOLDER ...]] + [--scope.job_runs.past_days PAST_DAYS] [--scope.job_runs.max MAX] [--scope.job_runs.analyzed_logs] + [--job_runs.skip] [--default_product_key_strategy {mapping}] [--instance-mapping [INSTANCE_MAPPING ...]] + [--folder.mapping [MAPPING ...]] options: -h, --help Show this help message and exit. @@ -794,7 +841,7 @@ options: Jenkins instance string (default: ) --username USERNAME Jenkins username (default: ) --password PASSWORD Jenkins token (JENKINS_PASSWORD) (default: ) - --url URL Jenkins base URL (default: null) + --url URL Jenkins base URL (default: ) --broad Perform a fast broad discovery instead of a detailed one (default: False) --types {all,computer_set,users,jobs,job_runs,credential_stores,plugins,security_settings,all} [{all,computer_set,users,jobs,job_runs,credential_stores,plugins,security_settings,all} ...] Defines which asset to discover, scoped by scope parameters (default: ['all']) @@ -807,25 +854,28 @@ options: --computer_set.skip Skip computer sets in discovery/evidence (default: False) --jobs.skip Skip jobs (default: False) --scope.folder [FOLDER ...] - Jenkins folder/job list. Default is all folders. The folder scoping is defined as a path of folders and can include the job name in order to scope specific - jobs. Wildcard is supported only as a suffix. examples: folder-a* will discover all folders that are included in a root folder that starts with folder-a. - folder-a/* will discover all folders and jobs under the root folder folder-a (type: JenkinsFolderScope, default: ['*']) + Jenkins folder/job list. Default is all folders. The folder scoping is defined as a path of folders and can include the job name in order to + scope specific jobs. Wildcard is supported only as a suffix. examples: folder-a* will discover all folders that are included in a root folder + that starts with folder-a. folder-a/* will discover all folders and jobs under the root folder folder-a (type: JenkinsFolderScope, default: + ['*']) --exclude.folder [FOLDER ...] Jenkins folder/job list to exclude from discovery. Format is like the --scope.folder argument (type: JenkinsFolderScope, default: []) --scope.job_runs.past_days PAST_DAYS Number of past days to include in the job run discovery, 0 for no time limit (type: int, default: 30) --scope.job_runs.max MAX - Mam number of job runs to include in the job run discovery. This argument will limit the number of job runs in the past_days range. 0 for no limit (type: int, - default: 10) + Mam number of job runs to include in the job run discovery. This argument will limit the number of job runs in the past_days range. 0 for no + limit (type: int, default: 10) --scope.job_runs.analyzed_logs Include analyzed job run logs (default: False) --job_runs.skip Skip commits in discovery/evidence (default: False) --default_product_key_strategy {mapping} Deferment product key by mapping. In the future - we shall support by folder name too. (default: mapping) --instance-mapping [INSTANCE_MAPPING ...] - Instance product key mapping in the format of *::product_key::product_version, wildcards are supported (type: AssetMappingString, default: []) + Instance product key mapping in the format of *::product_key::product_version, wildcards are supported (type: AssetMappingString, default: + []) --folder.mapping [MAPPING ...] - Folder product key mapping in the format of folder_path::product_key::product_version, wildcards are supported (type: AssetMappingString, default: []) + Folder product key mapping in the format of folder_path::product_key::product_version, wildcards are supported (type: AssetMappingString, + default: []) ``` diff --git a/docs/platforms/evidence.md b/docs/platforms/evidence.md index 603dce1bd..ffbd9e9ea 100644 --- a/docs/platforms/evidence.md +++ b/docs/platforms/evidence.md @@ -25,11 +25,11 @@ The evidence command uses Scribe's `valint` tool to upload the evidence and to s ```bash usage: platforms [options] evidence [-h] [--evidence.local.path PATH] [--evidence.local.prefix PREFIX] [--evidence.local_only] [--max-threads MAX_THREADS] [--thread-timeout THREAD_TIMEOUT] [--rate-limit-retry RATE_LIMIT_RETRY] [--allow-failures] [--export-partial] [--skip-evidence] - [--valint.scribe.client-secret CLIENT_SECRET] [--valint.scribe.enable] [--valint.cache.disable] [--valint.context-type CONTEXT_TYPE] + [--valint.scribe.client-secret CLIENT_SECRET] [--valint.cache.disable] [--valint.context-type CONTEXT_TYPE] [--valint.log-level LOG_LEVEL] [--valint.output-directory OUTPUT_DIRECTORY] [--valint.bin BIN] [--valint.product-key PRODUCT_KEY] [--valint.product-version PRODUCT_VERSION] [--valint.predicate-type PREDICATE_TYPE] [--valint.attest ATTEST] [--valint.sign] [--valint.components COMPONENTS] [--valint.label LABEL] [--unique] - {gitlab,k8s,dockerhub,github,jfrog,ecr,jenkins,bitbucket} ... + {gitlab,k8s,dockerhub,github,jfrog,ecr,jenkins,bitbucket,azure} ... Export evidence data (Deprecated) @@ -46,14 +46,12 @@ options: --thread-timeout THREAD_TIMEOUT Thread timeout in seconds (type: float, default: 20.0) --rate-limit-retry RATE_LIMIT_RETRY - Retry on rate limit (type: int, default: 3) + Retry on rate limit (default disabled) (type: int, default: 0) --allow-failures Allow failures without returning an error code (default: False) --export-partial Upload Partial Discover evidence (default: False) --skip-evidence Skip evidence upload (default: False) --valint.scribe.client-secret CLIENT_SECRET, --scribe-token CLIENT_SECRET, --scribe-client-secret CLIENT_SECRET Scribe client Secret (type: str, default: ) - --valint.scribe.enable - Enable Scribe client (default: False) --valint.cache.disable Disable Valint local cache (default: False) --valint.context-type CONTEXT_TYPE @@ -68,13 +66,13 @@ options: --valint.product-version PRODUCT_VERSION Evidence product version (type: str, default: ) --valint.predicate-type PREDICATE_TYPE - Evidence predicate type (type: str, default: http://scribesecurity.com/evidence/discovery/v0.1) + Evidence predicate type (type: str, default: ) --valint.attest ATTEST Evidence attest type (type: str, default: x509-env) --valint.sign sign evidence (default: False) --valint.components COMPONENTS components list (type: str, default: ) - --valint.label LABEL Set additional labels (type: at 0x7b9df7c3ff60>, default: []) + --valint.label LABEL Set additional labels (type: at 0x7f0fc74b5800>, default: []) --unique Allow unique assets (default: False) subcommands: @@ -89,6 +87,7 @@ subcommands: ecr jenkins bitbucket + azure ``` @@ -109,9 +108,10 @@ platforms evidence gitlab --organization.mapping "my-org::my-product::1.0" --pro ```bash usage: platforms [options] evidence [options] gitlab [-h] [--instance.instance INSTANCE] [--token TOKEN] [--url URL] [--types {organization,project,all}] - [--scope.organization [ORGANIZATION ...]] [--scope.project [PROJECT ...]] [--scope.branch [BRANCH ...]] [--scope.tag [TAG ...]] - [--commit.skip] [--pipeline.skip] [--default_product_key_strategy {mapping}] [--organization.mapping [MAPPING ...]] - [--project.mapping [MAPPING ...]] [--organization.single] [--project.single] + [--scope.organization [ORGANIZATION ...]] [--scope.project [PROJECT ...]] [--scope.branch [BRANCH ...]] + [--scope.tag [TAG ...]] [--commit.skip] [--pipeline.skip] [--default_product_key_strategy {mapping}] + [--organization.mapping [MAPPING ...]] [--project.mapping [MAPPING ...]] [--organization.single] + [--project.single] options: -h, --help Show this help message and exit. @@ -124,8 +124,8 @@ options: --scope.organization [ORGANIZATION ...] Gitlab organization list (default: ['*']) --scope.project [PROJECT ...] - Gitlab projects epositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / - project_name' (default: ['*']) + Gitlab projects epositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format + 'namespace / project_name' (default: ['*']) --scope.branch [BRANCH ...] Gitlab branches wildcards (default: null) --scope.tag [TAG ...] @@ -164,7 +164,8 @@ platforms evidence github --organization.mapping "my-org::my-product::1.0" --rep usage: platforms [options] evidence [options] github [-h] [--instance.instance INSTANCE] [--token TOKEN] [--url URL] [--types {organization,repository,all,all}] [--scope.organization [ORGANIZATION ...]] [--scope.repository [REPOSITORY ...]] [--scope.branch [BRANCH ...]] [--scope.tag [TAG ...]] [--branch.shallow] [--commit.skip] [--default_product_key_strategy {mapping}] - [--organization.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] [--organization.single] [--repository.single] + [--organization.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] [--organization.single] + [--repository.single] options: -h, --help Show this help message and exit. @@ -177,8 +178,8 @@ options: --scope.organization [ORGANIZATION ...] Github organization list (default: ['*']) --scope.repository [REPOSITORY ...] - Github repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / project_name' - (default: ['*']) + Github repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace + / project_name' (default: ['*']) --scope.branch [BRANCH ...] Github branches wildcards (default: []) --scope.tag [TAG ...] @@ -188,11 +189,11 @@ options: --default_product_key_strategy {mapping} Deferment product key by mapping. In the future - we shall support by reopsitory name too. (default: mapping) --organization.mapping [MAPPING ...] - Organization product key mapping in the format of org::product_key::product_version where org is the organization name, wildcards are supported (type: - AssetMappingString, default: []) + Organization product key mapping in the format of org::product_key::product_version where org is the organization name, wildcards are + supported (type: AssetMappingString, default: []) --repository.mapping [MAPPING ...] - Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported (type: - AssetMappingString, default: []) + Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported + (type: AssetMappingString, default: []) --organization.single Export all organizations in a single evidence (default: False) --repository.single Export all repos in a single evidence (default: False) @@ -214,12 +215,14 @@ platforms evidence dockerhub --namespace.mapping "my-namespace::my-product::1.0" --> ```bash -usage: platforms [options] evidence [options] dockerhub [-h] [--instance.instance INSTANCE] [--types {instance,token,repository,namespace,repository_tag,webhook,all}] - [--username USERNAME] [--password PASSWORD] [--token TOKEN] [--url URL] [--scope.repository [REPOSITORY ...]] +usage: platforms [options] evidence [options] dockerhub [-h] [--instance.instance INSTANCE] + [--types {instance,token,repository,namespace,repository_tag,webhook,all}] [--username USERNAME] + [--password PASSWORD] [--token TOKEN] [--url URL] [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]] [--scope.image_platform [IMAGE_PLATFORM ...]] - [--exclude.repository [REPOSITORY ...]] [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--scope.namespace [NAMESPACE ...]] - [--namespace.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] [--instance.mapping [MAPPING ...]] - [--namespace.single] [--repository.single] [--default_product_key_strategy {mapping,mapping,mapping,mapping}] + [--exclude.repository [REPOSITORY ...]] [--exclude.repository_tags [REPOSITORY_TAGS ...]] + [--scope.namespace [NAMESPACE ...]] [--namespace.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] + [--instance.mapping [MAPPING ...]] [--namespace.single] [--repository.single] + [--default_product_key_strategy {mapping,mapping,mapping,mapping}] options: -h, --help Show this help message and exit. @@ -271,10 +274,11 @@ platforms evidence k8s --namespace.mapping "my-namespace::my-product::1.0" --pod --> ```bash -usage: platforms [options] evidence [options] k8s [-h] [--instance.instance INSTANCE] [--types {namespace,pod,all}] [--scope.namespace [NAMESPACE ...]] [--scope.pod [POD ...]] - [--scope.image [IMAGE ...]] [--ignore-state] [--exclude.namespace [NAMESPACE ...]] [--exclude.pod [POD ...]] - [--exclude.image [IMAGE ...]] [--default_product_key_strategy {namespace,pod,image,mapping}] [--secret.skip] [--url URL] - [--token TOKEN] [--namespace.single] [--pod.single] [--namespace.mapping [MAPPING ...]] [--pod.mapping [MAPPING ...]] +usage: platforms [options] evidence [options] k8s [-h] [--instance.instance INSTANCE] [--types {namespace,pod,all}] [--scope.namespace [NAMESPACE ...]] + [--scope.pod [POD ...]] [--scope.image [IMAGE ...]] [--ignore-state] [--exclude.namespace [NAMESPACE ...]] + [--exclude.pod [POD ...]] [--exclude.image [IMAGE ...]] + [--default_product_key_strategy {namespace,pod,image,mapping}] [--secret.skip] [--url URL] [--token TOKEN] + [--namespace.single] [--pod.single] [--namespace.mapping [MAPPING ...]] [--pod.mapping [MAPPING ...]] options: -h, --help Show this help message and exit. @@ -327,10 +331,12 @@ platforms evidence jfrog --jf-repository.mapping "*::my-product::1.0" --namespac ```bash usage: platforms [options] evidence [options] ecr [-h] [--instance.instance INSTANCE] [--url URL] [--types {instance,aws-account,repository,all}] - [--scope.aws-account [AWS_ACCOUNT ...]] [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]] - [--scope.image_platform [IMAGE_PLATFORM ...]] [--exclude.aws-account [AWS_ACCOUNT ...]] [--exclude.repository [REPOSITORY ...]] - [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--aws-account.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] - [--aws-account.single] [--repository.single] [--default_product_key_strategy {instance,aws-account,repository,tag,mapping}] + [--scope.aws-account [AWS_ACCOUNT ...]] [--scope.repository [REPOSITORY ...]] + [--scope.repository_tags [REPOSITORY_TAGS ...]] [--scope.image_platform [IMAGE_PLATFORM ...]] + [--exclude.aws-account [AWS_ACCOUNT ...]] [--exclude.repository [REPOSITORY ...]] + [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--aws-account.mapping [MAPPING ...]] + [--repository.mapping [MAPPING ...]] [--aws-account.single] [--repository.single] + [--default_product_key_strategy {instance,aws-account,repository,tag,mapping}] options: -h, --help Show this help message and exit. @@ -381,10 +387,12 @@ platforms evidence ecr --repository.mapping "*my-service*::my-product::1.0" ```bash usage: platforms [options] evidence [options] ecr [-h] [--instance.instance INSTANCE] [--url URL] [--types {instance,aws-account,repository,all}] - [--scope.aws-account [AWS_ACCOUNT ...]] [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]] - [--scope.image_platform [IMAGE_PLATFORM ...]] [--exclude.aws-account [AWS_ACCOUNT ...]] [--exclude.repository [REPOSITORY ...]] - [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--aws-account.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] - [--aws-account.single] [--repository.single] [--default_product_key_strategy {instance,aws-account,repository,tag,mapping}] + [--scope.aws-account [AWS_ACCOUNT ...]] [--scope.repository [REPOSITORY ...]] + [--scope.repository_tags [REPOSITORY_TAGS ...]] [--scope.image_platform [IMAGE_PLATFORM ...]] + [--exclude.aws-account [AWS_ACCOUNT ...]] [--exclude.repository [REPOSITORY ...]] + [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--aws-account.mapping [MAPPING ...]] + [--repository.mapping [MAPPING ...]] [--aws-account.single] [--repository.single] + [--default_product_key_strategy {instance,aws-account,repository,tag,mapping}] options: -h, --help Show this help message and exit. @@ -434,11 +442,14 @@ platforms evidence bitbucker --workspace.mapping "my-workspace::my-product::1.0" --> ```bash -usage: platforms [options] evidence [options] bitbucket [-h] [--instance.instance INSTANCE] [--types {workspace,project,repository,all,all}] [--scope.workspace [WORKSPACE ...]] - [--scope.project [PROJECT ...]] [--scope.repository [REPOSITORY ...]] [--scope.commit [COMMIT ...]] - [--scope.branch [BRANCH ...]] [--scope.webhook [WEBHOOK ...]] [--commit.skip] [--default_product_key_strategy {mapping}] - [--workspace.mapping [MAPPING ...]] [--project.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] - [--workspace.single] [--project.single] [--repository.single] +usage: platforms [options] evidence [options] bitbucket [-h] [--instance.instance INSTANCE] [--types {workspace,project,repository,all,all}] + [--app_password APP_PASSWORD] [--username USERNAME] [--workspace_token WORKSPACE_TOKEN] + [--workspace WORKSPACE] [--url URL] [--scope.workspace [WORKSPACE ...]] [--scope.project [PROJECT ...]] + [--scope.repository [REPOSITORY ...]] [--scope.commit [COMMIT ...]] [--scope.branch [BRANCH ...]] + [--scope.webhook [WEBHOOK ...]] [--commit.skip] [--branch-protection.skip] + [--default_product_key_strategy {mapping}] [--workspace.mapping [MAPPING ...]] + [--project.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] [--workspace.single] + [--project.single] [--repository.single] options: -h, --help Show this help message and exit. @@ -446,14 +457,22 @@ options: BitBucket instance string (default: ) --types {workspace,project,repository,all,all} Defines which evidence to create, scoped by scope parameters (default: all) + --app_password APP_PASSWORD + BitBucket app_password (BB_PASSWORD) (default: ) + --username USERNAME BitBucket username (default: null) + --workspace_token WORKSPACE_TOKEN + BitBucket workspace_token can be used with --workspace_name flag instead of --app_password and --username (BB_WORKSPACE_TOKEN) (default: ) + --workspace WORKSPACE + BitBucket workspace_name can be used with --workspace_token flag instead of --app_password and --username (default: ) + --url URL BitBucket URL (required, default: https://api.bitbucket.org) --scope.workspace [WORKSPACE ...] BitBucket workspace list (default: ['*']) --scope.project [PROJECT ...] - BitBucket projects wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / project_name' - (default: ['*']) - --scope.repository [REPOSITORY ...] - BitBucket repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / + BitBucket projects wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / project_name' (default: ['*']) + --scope.repository [REPOSITORY ...] + BitBucket repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format + 'namespace / project_name' (default: ['*']) --scope.commit [COMMIT ...] BitBucket commit wildcards (default: []) --scope.branch [BRANCH ...] @@ -461,17 +480,19 @@ options: --scope.webhook [WEBHOOK ...] BitBucket webhook wildcards (default: []) --commit.skip Skip commits in discovery/evidence (default: False) + --branch-protection.skip + Skip Branch protection in discovery/evidence (default: False) --default_product_key_strategy {mapping} Deferment product key by mapping. In the future - we shall support by reopsitory name too. (default: mapping) --workspace.mapping [MAPPING ...] - Workspace product key mapping in the format of workspace::product_key::product_version where org is the workspace name, wildcards are supported (type: - AssetMappingString, default: []) + Workspace product key mapping in the format of workspace::product_key::product_version where org is the workspace name, wildcards are + supported (type: AssetMappingString, default: []) --project.mapping [MAPPING ...] - Project product key mapping in the format of project::product_key::product_version where org is the project name, wildcards are supported (type: - AssetMappingString, default: []) + Project product key mapping in the format of project::product_key::product_version where org is the project name, wildcards are supported + (type: AssetMappingString, default: []) --repository.mapping [MAPPING ...] - Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported (type: - AssetMappingString, default: []) + Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported + (type: AssetMappingString, default: []) --workspace.single Export all workspaces in a single evidence (default: False) --project.single Export all projects in a single evidence (default: False) --repository.single Export all repos in a single evidence (default: False) @@ -494,8 +515,9 @@ platforms evidence jenkins --instance-mapping "my-instance::my-product::1.0" --f --> ```bash -usage: platforms [options] evidence [options] jenkins [-h] [--instance.instance INSTANCE] [--types {instance,folder,all,all}] [--credential_stores.skip] [--users.skip] - [--plugins.skip] [--security_settings.skip] [--computer_set.skip] [--jobs.skip] [--scope.folder [FOLDER ...]] +usage: platforms [options] evidence [options] jenkins [-h] [--instance.instance INSTANCE] [--types {instance,folder,all,all}] [--username USERNAME] + [--password PASSWORD] [--url URL] [--credential_stores.skip] [--users.skip] [--plugins.skip] + [--security_settings.skip] [--computer_set.skip] [--jobs.skip] [--scope.folder [FOLDER ...]] [--exclude.folder [FOLDER ...]] [--scope.job_runs.past_days PAST_DAYS] [--scope.job_runs.max MAX] [--scope.job_runs.analyzed_logs] [--job_runs.skip] [--default_product_key_strategy {mapping}] [--instance-mapping [INSTANCE_MAPPING ...]] [--folder.mapping [MAPPING ...]] [--folder.single] @@ -506,6 +528,9 @@ options: Jenkins instance string (default: ) --types {instance,folder,all,all} Defines which evidence to create, scoped by scope parameters (default: all) + --username USERNAME Jenkins username (default: ) + --password PASSWORD Jenkins token (JENKINS_PASSWORD) (default: ) + --url URL Jenkins base URL (default: ) --credential_stores.skip Skip credential stores (default: False) --users.skip Skip users (default: False) @@ -515,25 +540,28 @@ options: --computer_set.skip Skip computer sets in discovery/evidence (default: False) --jobs.skip Skip jobs (default: False) --scope.folder [FOLDER ...] - Jenkins folder/job list. Default is all folders. The folder scoping is defined as a path of folders and can include the job name in order to scope specific - jobs. Wildcard is supported only as a suffix. examples: folder-a* will discover all folders that are included in a root folder that starts with folder-a. - folder-a/* will discover all folders and jobs under the root folder folder-a (type: JenkinsFolderScope, default: ['*']) + Jenkins folder/job list. Default is all folders. The folder scoping is defined as a path of folders and can include the job name in order to + scope specific jobs. Wildcard is supported only as a suffix. examples: folder-a* will discover all folders that are included in a root folder + that starts with folder-a. folder-a/* will discover all folders and jobs under the root folder folder-a (type: JenkinsFolderScope, default: + ['*']) --exclude.folder [FOLDER ...] Jenkins folder/job list to exclude from discovery. Format is like the --scope.folder argument (type: JenkinsFolderScope, default: []) --scope.job_runs.past_days PAST_DAYS Number of past days to include in the job run discovery, 0 for no time limit (type: int, default: 30) --scope.job_runs.max MAX - Mam number of job runs to include in the job run discovery. This argument will limit the number of job runs in the past_days range. 0 for no limit (type: int, - default: 10) + Mam number of job runs to include in the job run discovery. This argument will limit the number of job runs in the past_days range. 0 for no + limit (type: int, default: 10) --scope.job_runs.analyzed_logs Include analyzed job run logs (default: False) --job_runs.skip Skip commits in discovery/evidence (default: False) --default_product_key_strategy {mapping} Deferment product key by mapping. In the future - we shall support by folder name too. (default: mapping) --instance-mapping [INSTANCE_MAPPING ...] - Instance product key mapping in the format of *::product_key::product_version, wildcards are supported (type: AssetMappingString, default: []) + Instance product key mapping in the format of *::product_key::product_version, wildcards are supported (type: AssetMappingString, default: + []) --folder.mapping [MAPPING ...] - Folder product key mapping in the format of folder_path::product_key::product_version, wildcards are supported (type: AssetMappingString, default: []) + Folder product key mapping in the format of folder_path::product_key::product_version, wildcards are supported (type: AssetMappingString, + default: []) --folder.single Export all repos in a single evidence (default: False) ``` diff --git a/docs/platforms/hooks.md b/docs/platforms/hooks.md new file mode 100644 index 000000000..2cc09321f --- /dev/null +++ b/docs/platforms/hooks.md @@ -0,0 +1,619 @@ +--- +sidebar_label: "Using Hooks" +title: "Extending Platforms with Hooks" +sidebar_position: 2 +--- + +# Extending Platforms with Third-Party Hooks + +Hooks allow you to extend the capabilities of the `platforms` CLI by integrating third-party tools and collecting additional evidence from scanned assets. + +## What are Hooks? +Hooks are user-defined scripts or commands executed during asset discovery or SBOM generation. They enable running external tools such as security scanners, vulnerability analyzers, or policy checkers, enriching the evidence gathered by `platforms`. + +### Hook Configuration +Hooks are configured using a YAML file or via CLI flags. Each hook specifies: +- **ID**: Hook identifier (defaults to the value of **Tool** if not specified). +- **Name**: Hook Name. +- **Tool**: Name of the external tool used. +- **Type**: Asset type (e.g., repository, namespace, image). +- **Platform**: Platform to execute the hook on (e.g., GitHub, Kubernetes). +- **Command**: Platform command target (e.g., `discover`, `bom`); defaults to `discover`. +- **Parser**: Output format parser (e.g., JSON, SARIF). +- **use-stdout-evidence**: Use the Command Stdout as evidence. +- **Run**: Command executed, using environment variables for dynamic input. + +Hook configurations can be provided using the `--hook-config` flag and activated via the `--hook` flag referencing the Hook ID. + +### Example Hook Configuration +```yaml +hooks: + - name: "Semgrep Static Analysis" + type: "repository" + platform: "github" + command: discover + tool: "semgrep" + parser: "json" + run: | + semgrep scan --debug --json --output $HOOK_OUTPUT_FILE $LOCAL_SOURCE_DIR +``` + +To run this hook: +```bash +platforms discover github --hook-config my_hook_config.yaml --hook semgrep +``` + +### Supported Environment Variables +When running hooks, `platforms` provides useful environment variables: + +#### Asset Information +- `ASSET_NAME`: Name of the asset being scanned. +- `ASSET_TYPE`: Type of the asset (e.g., repository, namespace). +- `HOOK_OUTPUT_FILE`: Path to save hook evidence output. +- `REMOTE_IMAGE_REF`: Reference URL for container images (available for registry platforms). +- `REMOTE_SOURCE_URL`: URL of the source repository or asset (available for SCM platforms). +- `REMOTE_SOURCE_URL_WITH_TOKEN`: URL with SCM token of the source repository or asset (available for SCM platforms). +- `LOCAL_SOURCE_DIR`: Local source directory (Avaliable for BOM comamnd on SCM platforms) +- `PLATFORMS_KUBECONFIG`: Kubeconfig path with the provided `url` and `token` to platforms command (avilable for `k8s`). +- `CLUSTER_URL`: Provided `url` to platforms command (avilable for `k8s`). +- `NAMESPACE`: Target asset namespace (avilable for `k8s`). +- `POD`: Target asset namespace (avilable for `k8s`). + +Of course! Here's a cleaner, more formal rephrasing for the Kubernetes (K8s) parts you added, while keeping the structure and meaning you intended: + + +#### CI and Git Context +These variables represent the CI and Git environment in which platforms is executed: + +- `GIT_COMMIT`: Git commit SHA. +- `GIT_BRANCH`: Git branch name. +- `GIT_TAG`: Git tag, if applicable. +- `GIT_REPO`: Git repository URL. +- `GIT_REF`: Git reference. +- `BUILD_NUM`: CI build number. +- `WORKFLOW`: CI workflow name. +- `RUN_ID`: CI run identifier. +- `JOB_NAME`: CI job name. + + +### Adding Hooks via CLI + +You can specify hooks inline when running `platforms` commands using the format: +`command::tool::parser::name` + +For example, to add a Semgrep static analysis hook for GitHub: +```bash +platforms discover github \ + --repository.hooks "semgrep scan --sarif --config auto --output \$HOOK_OUTPUT_FILE"::semgrep::sarif::"Semgrep Static Analysis" +``` +> Escape special chars like `$` so that the parent shell does not expand them. + +## Controlling Hook Execution +Control hook execution with these flags: +- `--hook-config`: Specify a YAML file containing hook configurations. +- `--hook`: Runs only specified hooks by tool name. +- `--hook.skip`: Skips execution of hooks entirely. + +## Kubernetes Hooks Prerequisites +When integrating third-party tools that access Kubernetes (K8s) resources, a kubeconfig is typically required. + +The `platforms` CLI supports issuing Kubernetes commands with a dedicated cluster `URL` and `Access Token`. Hooks targeting Kubernetes can use the `PLATFORMS_KUBECONFIG` environment variable, which provides a temporary kubeconfig file generated with the given credentials. This allows third-party tools executed via hooks to authenticate seamlessly against the cluster. + +In addition to `PLATFORMS_KUBECONFIG`, the `CLUSTER_URL` environment variable is also available, containing the cluster endpoint URL for direct use if needed. + +## Registry and Kubernetes Hooks Prerequisites +For hooks that interact with container registries (e.g., scanning images), you may also need to configure a Docker `config.json` with the required registry credentials to allow authentication during the hook execution. + +## Embedded Supported Hooks +These hooks are provided by the `platforms` container along with required configurations: + + + +### `platform discover` Command Hooks +| Name | ID | Type | Platform | Tool | Parser | License | +| --- | --- | --- | --- | --- | --- | --- | +| Trivy Vulnerability Scan | trivy_image | repository | dockerhub | trivy | sarif | [Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE) | +| Trivy IaC and Secrets Scan | trivy_iac_and_secrets | image | dockerhub | trivy | trivy | [Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE) | +| Trivy IaC and Secrets Scan | trivy_iac_and_secrets | repository | github | trivy | trivy | [Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE) | +| AppArmor Profile Check | apparmor_namespace | namespace | k8s | apparmor | json | | +| Kubescape Cluster Scan | kubescape_cluster | namespace | k8s | kubescape | kubescape | [Apache-2.0](https://github.com/kubescape/kubescape/blob/master/LICENSE) | + +> Use `platforms discover [platform] --hook [hook_id]` to enable the hook. + + +### `platform bom` Command Hooks +| Name | ID | Type | Platform | Tool | Parser | License | +| --- | --- | --- | --- | --- | --- | --- | +| Trivy Vulnerability Scan | trivy_image | image | dockerhub | trivy | sarif | [Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE) | +| Trivy IaC and Secrets Scan | trivy_iac_and_secrets | image | dockerhub | trivy | trivy | [Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE) | +| Opengrep Static Analysis Scan | opengrep | repository | github | opengrep | sarif | [LGPL-2.1](https://github.com/opengrep/opengrep/blob/main/LICENSE) | +| Gitleaks Secret Scan | gitleaks_secrets | repository | github | gitleaks | gitleaks | [MIT](https://github.com/gitleaks/gitleaks/blob/master/LICENSE) | +| KICS IaC Security Scan | kics_scan | repository | github | kics | kics | [Apache-2.0](https://github.com/Checkmarx/kics/blob/master/LICENSE) | +| Trivy IaC and Secrets Scan | trivy_iac_and_secrets | repository | github | trivy | trivy | [Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE) | +| Trivy Vulnerability Scan K8s | trivy_k8s_image | image | k8s | trivy | sarif | [Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE) | +| Trivy IaC and Secrets Scan | trivy_iac_and_secrets | image | k8s | trivy | trivy | [Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE) | + +> Use `platforms bom [platform] --hook [hook_id]` to enable the hook. + + +## Default hook Examples +
+ +Trivy IaC and Secrets Scan + +```yaml +name: Trivy IaC and Secrets Scan +id: trivy_iac_and_secrets +type: repository +platform: github +command: discover +tool: trivy +parser: trivy +allow_failure: false +use-stdout-evidence: false +license: '[Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE)' +run: | + trivy repository \ + --scanners config,secret \ + --exit-code 0 \ + --format json \ + --output $HOOK_OUTPUT_FILE \ + $REMOTE_SOURCE_URL_WITH_TOKEN +``` +
+ +
+ +Opengrep Static Analysis Scan + +```yaml +name: Opengrep Static Analysis Scan +id: opengrep +type: repository +platform: github +command: bom +tool: '' +parser: sarif +allow_failure: false +use-stdout-evidence: false +license: '[LGPL-2.1](https://github.com/opengrep/opengrep/blob/main/LICENSE)' +predicate-type: auto +timeout: 300 +run: | + opengrep scan --metrics=on --config auto --sarif -o "$HOOK_OUTPUT_FILE" "$LOCAL_SOURCE_DIR" +``` +
+ +
+ +Trivy IaC and Secrets Scan + +```yaml +name: Trivy IaC and Secrets Scan +id: trivy_iac_and_secrets +type: repository +platform: github +command: bom +tool: trivy +parser: trivy +allow_failure: true +use-stdout-evidence: false +license: '[Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE)' +run: | + trivy config \ + --scanners config,secret \ + --exit-code 0 \ + --format json \ + --output $HOOK_OUTPUT_FILE \ + $LOCAL_SOURCE_DIR +``` +
+ +
+ +Gitleaks Secret Scan + +```yaml +name: Gitleaks Secret Scan +id: gitleaks_secrets +type: repository +platform: github +command: bom +tool: gitleaks +parser: gitleaks +allow_failure: false +use-stdout-evidence: false +timeout: 600 +license: '[MIT](https://github.com/gitleaks/gitleaks/blob/master/LICENSE)' +run: | + gitleaks detect \ + --source "$LOCAL_SOURCE_DIR" \ + --report-path "$HOOK_OUTPUT_FILE" \ + --report-format json \ + --redact \ + --verbose +``` +
+ +
+ +KICS IaC Security Scan + +```yaml +name: KICS IaC Security Scan +id: kics_scan +type: repository +platform: github +command: bom +tool: kics +parser: kics +allow_failure: false +use-stdout-evidence: false +license: '[Apache-2.0](https://github.com/Checkmarx/kics/blob/master/LICENSE)' +run: "kics scan \\\n -p \"$LOCAL_SOURCE_DIR\" \\\n -o \"$HOOK_OUTPUT_DIR\" \\\n\ + \ --output-name \"$HOOK_OUTPUT_FILE_NAME\" \\\n --report-formats json \\\n --no-progress\ + \ \\\n --log-level INFO \n" +``` +
+ +
+ +Trivy Vulnerability Scan + +```yaml +name: Trivy Vulnerability Scan +id: trivy_image +type: repository +platform: dockerhub +command: discover +tool: '' +parser: sarif +allow_failure: false +use-stdout-evidence: false +predicate-type: auto +license: '[Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE)' +run: | + trivy image \ + --scanners vuln \ + --exit-code 0 \ + --format sarif \ + --output $HOOK_OUTPUT_FILE \ + $REMOTE_IMAGE_REF +``` +
+ +
+ +Trivy IaC and Secrets Scan + +```yaml +name: Trivy IaC and Secrets Scan +id: trivy_iac_and_secrets +type: image +platform: dockerhub +command: discover +tool: trivy +parser: trivy +allow_failure: false +use-stdout-evidence: false +license: '[Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE)' +run: | + trivy image \ + --scanners misconfig,secret \ + --exit-code 0 \ + --format json \ + --output $HOOK_OUTPUT_FILE \ + $REMOTE_IMAGE_REF +``` +
+ +
+ +Trivy Vulnerability Scan + +```yaml +name: Trivy Vulnerability Scan +id: trivy_image +type: image +platform: dockerhub +command: bom +tool: '' +parser: sarif +allow_failure: false +use-stdout-evidence: false +predicate-type: auto +license: '[Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE)' +run: | + trivy image \ + --scanners vuln \ + --exit-code 0 \ + --format sarif \ + --output $HOOK_OUTPUT_FILE \ + $REMOTE_IMAGE_REF +``` +
+ +
+ +Trivy IaC and Secrets Scan + +```yaml +name: Trivy IaC and Secrets Scan +id: trivy_iac_and_secrets +type: image +platform: dockerhub +command: bom +tool: trivy +parser: trivy +allow_failure: false +use-stdout-evidence: false +license: '[Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE)' +run: | + trivy image \ + --scanners misconfig,secret \ + --exit-code 0 \ + --format json \ + --output $HOOK_OUTPUT_FILE \ + $REMOTE_IMAGE_REF +``` +
+ +
+ +Kubescape Cluster Scan + +```yaml +name: Kubescape Cluster Scan +id: kubescape_cluster +type: namespace +platform: k8s +command: discover +tool: kubescape +parser: kubescape +allow_failure: false +use-stdout-evidence: true +license: '[Apache-2.0](https://github.com/kubescape/kubescape/blob/master/LICENSE)' +run: | + kubescape scan framework nsa \ + --include-namespaces $ASSET_NAME \ + --kubeconfig $PLATFORMS_KUBECONFIG \ + --format json \ + --format-version v2 \ + --output $HOOK_OUTPUT_FILE +``` +
+ +
+ +AppArmor Profile Check + +```yaml +name: AppArmor Profile Check +id: apparmor_namespace +type: namespace +platform: k8s +command: discover +tool: apparmor +parser: json +allow_failure: true +use-stdout-evidence: false +run: "echo bash scripts/hooks/k8s-apparmor-profiles.sh \\\n --namespace $ASSET_NAME\ + \ \\\n --output $HOOK_OUTPUT_FILE \\\n --format json \n\necho bash scripts/hooks/k8s-apparmor-profiles.sh\ + \ \\\n --namespace $ASSET_NAME \\\n --output $HOOK_OUTPUT_FILE \\\n --format\ + \ json \n" +``` +
+ +
+ +Trivy Vulnerability Scan K8s + +```yaml +name: Trivy Vulnerability Scan K8s +id: trivy_k8s_image +type: image +platform: k8s +command: bom +tool: '' +parser: sarif +allow_failure: false +use-stdout-evidence: false +predicate-type: auto +license: '[Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE)' +run: | + trivy image \ + --scanners vuln \ + --exit-code 0 \ + --format sarif \ + --output $HOOK_OUTPUT_FILE \ + $REMOTE_IMAGE_REF +``` +
+ +
+ +Trivy IaC and Secrets Scan + +```yaml +name: Trivy IaC and Secrets Scan +id: trivy_iac_and_secrets +type: image +platform: k8s +command: bom +tool: trivy +parser: trivy +allow_failure: false +use-stdout-evidence: false +license: '[Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE)' +run: |- + trivy image \ + --scanners misconfig,secret \ + --exit-code 0 \ + --format json \ + --output $HOOK_OUTPUT_FILE \ + $REMOTE_IMAGE_REF +``` +
+ +## General hook Examples +
+ +CodeQL Static Analysis Scan + +```yaml +name: CodeQL Static Analysis Scan +type: repository +platform: github +command: bom +tool: codeql +disable: false +parser: '' +allow_failure: false +use-stdout-evidence: true +run: | + /platforms/codeql/codeql database create /tmp/db \ + --language=javascript \ + --source-root=$LOCAL_SOURCE_DIR \ + --threads=4 || true + + /platforms/codeql/codeql database analyze /tmp/db \ + --format=sarifv2.1.0 \ + --output=$HOOK_OUTPUT_FILE \ + --threads=4 +``` +
+ +
+ +Grype Vulnrability Scan + +```yaml +name: Grype Vulnrability Scan +type: image +platform: dockerhub +command: bom +tool: grype +disable: false +parser: anchoregrype +allow_failure: true +use-stdout-evidence: false +run: | + grype $REMOTE_IMAGE_REF --output json --file $HOOK_OUTPUT_FILE +``` +
+ +
+ +Hadolint Dockerfile Lint Scan + +```yaml +name: Hadolint Dockerfile Lint Scan +id: hadolint +type: repository +platform: github +command: bom +tool: hadolint +parser: hadolint +allow_failure: false +use-stdout-evidence: false +license: '[GNU.3](https://github.com/hadolint/hadolint/blob/master/LICENSE)' +run: | + cd "$LOCAL_SOURCE_DIR" + if [ -f Dockerfile ]; then + echo "Found Dockerfile, running Hadolint" + hadolint --format sarif Dockerfile > "$HOOK_OUTPUT_FILE" + else + echo "No Dockerfile found, skipping Hadolint" + fi +``` +
+ +
+ +GitGuardian Secret Scan + +```yaml +name: GitGuardian Secret Scan +id: ggshield_secrets +type: repository +platform: github +command: bom +tool: ggshield +parser: ggshield +allow_failure: false +use-stdout-evidence: true +timeout: 600 +license: '[MIT](https://github.com/GitGuardian/ggshield/blob/main/LICENSE)' +run: | + ggshield secret scan repo \ + $LOCAL_SOURCE_DIR \ + -o $HOOK_OUTPUT_FILE \ + --format json +``` +
+ +
+ +GitGuardian Secret Scan + +```yaml +name: GitGuardian Secret Scan +id: ggshield_secrets +type: repository +platform: github +command: bom +tool: ggshield +parser: ggshield +allow_failure: false +use-stdout-evidence: true +timeout: 600 +license: '[MIT](https://github.com/GitGuardian/ggshield/blob/main/LICENSE)' +run: | + ggshield secret scan repo \ + $LOCAL_SOURCE_DIR \ + -o $HOOK_OUTPUT_FILE \ + --format json +``` +
+ +
+ +GitGuardian Secret Scan + +```yaml +name: GitGuardian Secret Scan +id: ggshield_secrets +type: repository +platform: github +command: discover +tool: ggshield +parser: ggshield +allow_failure: false +use-stdout-evidence: true +timeout: 600 +license: '[MIT](https://github.com/GitGuardian/ggshield/blob/main/LICENSE)' +run: |- + ggshield secret scan repo \ + $REMOTE_SOURCE_URL_WITH_TOKEN \ + -o $HOOK_OUTPUT_FILE \ + --format json +``` +
+ + + + + +Example: +```bash +docker run -it scribesecurity/platforms:latest discover github --hook trivy_iac_and_secrets_remote +``` + +## Evidence from Hooks +Hook-generated evidence is automatically attached to assets and included in Scribe's attestation store, enabling comprehensive security analysis and policy evaluation. + diff --git a/docs/platforms/usage.md b/docs/platforms/usage.md index 45ba7420e..977741988 100644 --- a/docs/platforms/usage.md +++ b/docs/platforms/usage.md @@ -61,7 +61,8 @@ In the following sections, we shall explain each command in detail, by going thr --> ```bash -usage: platforms [-h] [--config CONFIG] [--print_config [=flags]] [--log-level {TRACE,DEBUG,INFO,WARNING,ERROR,CRITICAL}] [--log-file LOG_FILE] [--db.local.path PATH] +usage: platforms [-h] [--config CONFIG] [--print_config [=flags]] [--log-level {TRACE,DEBUG,INFO,WARNING,ERROR,CRITICAL}] [--log-file LOG_FILE] + [--db.local.path PATH] {discover,evidence,bom,verify} ... CLI tool for collecting evidence and enforcing policies via CI/CD platform APIs @@ -70,8 +71,8 @@ options: -h, --help Show this help message and exit. --config CONFIG Path to a configuration file. --print_config [=flags] - Print the configuration after applying all other arguments and exit. The optional flags customizes the output and are one or more keywords separated by comma. - The supported flags are: comments, skip_default, skip_null. + Print the configuration after applying all other arguments and exit. The optional flags customizes the output and are one or more keywords + separated by comma. The supported flags are: comments, skip_default, skip_null. --log-level {TRACE,DEBUG,INFO,WARNING,ERROR,CRITICAL} Set the logging level (default: INFO) --log-file LOG_FILE Set the logging file (default: ) diff --git a/docs/platforms/verify.md b/docs/platforms/verify.md index a20c26559..82a61ef3b 100644 --- a/docs/platforms/verify.md +++ b/docs/platforms/verify.md @@ -19,13 +19,13 @@ The recommended use of the verify command with the product-mapping capabilities; --> ```bash -usage: platforms [options] verify [-h] [--valint.scribe.client-secret CLIENT_SECRET] [--valint.scribe.enable] [--valint.cache.disable] [--valint.context-type CONTEXT_TYPE] +usage: platforms [options] verify [-h] [--valint.scribe.client-secret CLIENT_SECRET] [--valint.cache.disable] [--valint.context-type CONTEXT_TYPE] [--valint.log-level LOG_LEVEL] [--valint.output-directory OUTPUT_DIRECTORY] [--valint.bin BIN] [--valint.product-key PRODUCT_KEY] [--valint.product-version PRODUCT_VERSION] [--valint.predicate-type PREDICATE_TYPE] [--valint.attest ATTEST] [--valint.sign] [--valint.components COMPONENTS] [--valint.label LABEL] [--unique] [--valint.bundle BUNDLE] [--valint.bundle-auth BUNDLE_AUTH] [--valint.bundle-branch BUNDLE_BRANCH] [--valint.bundle-commit BUNDLE_COMMIT] [--valint.bundle-tag BUNDLE_TAG] [--allow-failures] [--max-threads MAX_THREADS] - {k8s,dockerhub,gitlab,github,jfrog,ecr,bitbucket,jenkins} ... + {k8s,dockerhub,gitlab,github,jfrog,ecr,bitbucket,jenkins,azure} ... Verify supply chain policies @@ -33,8 +33,6 @@ options: -h, --help Show this help message and exit. --valint.scribe.client-secret CLIENT_SECRET, --scribe-token CLIENT_SECRET, --scribe-client-secret CLIENT_SECRET Scribe client Secret (type: str, default: ) - --valint.scribe.enable - Enable Scribe client (default: False) --valint.cache.disable Disable Valint local cache (default: False) --valint.context-type CONTEXT_TYPE @@ -49,13 +47,13 @@ options: --valint.product-version PRODUCT_VERSION Evidence product version (type: str, default: ) --valint.predicate-type PREDICATE_TYPE - Evidence predicate type (type: str, default: http://scribesecurity.com/evidence/discovery/v0.1) + Evidence predicate type (type: str, default: ) --valint.attest ATTEST Evidence attest type (type: str, default: x509-env) --valint.sign sign evidence (default: False) --valint.components COMPONENTS components list (type: str, default: ) - --valint.label LABEL Set additional labels (type: at 0x747b9cb90a40>, default: []) + --valint.label LABEL Set additional labels (type: at 0x7fd39cf92fc0>, default: []) --unique Allow unique assets (default: False) --valint.bundle BUNDLE Set bundle git branch (type: str, default: ) @@ -83,6 +81,7 @@ subcommands: ecr bitbucket jenkins + azure ``` @@ -142,9 +141,10 @@ platforms verify gitlab --organization.mapping "my-org::my-product::1.0" --proje ```bash usage: platforms [options] verify [options] gitlab [-h] [--instance.instance INSTANCE] [--token TOKEN] [--url URL] [--types {organization,project,all}] - [--scope.organization [ORGANIZATION ...]] [--scope.project [PROJECT ...]] [--scope.branch [BRANCH ...]] [--scope.tag [TAG ...]] - [--commit.skip] [--organization.mapping [MAPPING ...]] [--project.mapping [MAPPING ...]] [--project.policy [POLICY ...]] - [--organization.policy [POLICY ...]] [--org-policy-skip-aggregate] [--project-policy-skip-aggregate] + [--scope.organization [ORGANIZATION ...]] [--scope.project [PROJECT ...]] [--scope.branch [BRANCH ...]] + [--scope.tag [TAG ...]] [--commit.skip] [--organization.mapping [MAPPING ...]] [--project.mapping [MAPPING ...]] + [--project.policy [POLICY ...]] [--organization.policy [POLICY ...]] [--org-policy-skip-aggregate] + [--project-policy-skip-aggregate] options: -h, --help Show this help message and exit. @@ -157,8 +157,8 @@ options: --scope.organization [ORGANIZATION ...] Gitlab organization list (default: ['*']) --scope.project [PROJECT ...] - Gitlab projects epositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / - project_name' (default: ['*']) + Gitlab projects epositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format + 'namespace / project_name' (default: ['*']) --scope.branch [BRANCH ...] Gitlab branches wildcards (default: null) --scope.tag [TAG ...] @@ -210,8 +210,8 @@ options: --scope.organization [ORGANIZATION ...] Github organization list (default: ['*']) --scope.repository [REPOSITORY ...] - Github repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / project_name' - (default: ['*']) + Github repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace + / project_name' (default: ['*']) --scope.branch [BRANCH ...] Github branches wildcards (default: []) --scope.tag [TAG ...] @@ -219,11 +219,11 @@ options: --branch.shallow Shallow branch discovery (default: False) --commit.skip Skip commits in discovery/evidence (default: False) --organization.mapping [MAPPING ...] - Organization product key mapping in the format of org::product_key::product_version where org is the organization name, wildcards are supported (type: - AssetMappingString, default: []) + Organization product key mapping in the format of org::product_key::product_version where org is the organization name, wildcards are + supported (type: AssetMappingString, default: []) --repository.mapping [MAPPING ...] - Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported (type: - AssetMappingString, default: []) + Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported + (type: AssetMappingString, default: []) --repository.policy [POLICY ...] Set repository evidence policy file (type: str, default: []) --organization.policy [POLICY ...] @@ -252,8 +252,9 @@ usage: platforms [options] verify [options] dockerhub [-h] [--instance.instance [--types {token,repository,namespace,all}] [--default_product_key_strategy {namespace,repository,tag,mapping}] [--default_product_version_strategy {tag,short_image_id,image_id}] [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]] [--scope.image_platform [IMAGE_PLATFORM ...]] - [--exclude.repository [REPOSITORY ...]] [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--scope.namespace [NAMESPACE ...]] - [--image.mapping [MAPPING ...]] [--image.policy [POLICY ...]] [--policy-skip-aggregate] + [--exclude.repository [REPOSITORY ...]] [--exclude.repository_tags [REPOSITORY_TAGS ...]] + [--scope.namespace [NAMESPACE ...]] [--image.mapping [MAPPING ...]] [--image.policy [POLICY ...]] + [--policy-skip-aggregate] options: -h, --help Show this help message and exit. @@ -324,10 +325,12 @@ The option `--image.policy` sets the image mapping policy file, defaulting to "c ```bash usage: platforms [options] verify [options] k8s [-h] [--instance.instance INSTANCE] [--url URL] [--token TOKEN] [--types {namespace,pod,cluster-images,all}] - [--default_product_key_strategy {namespace,pod,image,mapping}] [--default_product_version_strategy {namespace_hash,pod_hash,image_id}] - [--scope.namespace [NAMESPACE ...]] [--scope.pod [POD ...]] [--scope.image [IMAGE ...]] [--ignore-state] - [--exclude.namespace [NAMESPACE ...]] [--exclude.pod [POD ...]] [--exclude.image [IMAGE ...]] [--namespace.single] [--pod.single] - [--image.mapping [MAPPING ...]] [--cluster-images.policy [POLICY ...]] [--namespace.policy [POLICY ...]] [--policy-skip-aggregate] + [--default_product_key_strategy {namespace,pod,image,mapping}] + [--default_product_version_strategy {namespace_hash,pod_hash,image_id}] [--scope.namespace [NAMESPACE ...]] + [--scope.pod [POD ...]] [--scope.image [IMAGE ...]] [--ignore-state] [--exclude.namespace [NAMESPACE ...]] + [--exclude.pod [POD ...]] [--exclude.image [IMAGE ...]] [--namespace.single] [--pod.single] + [--image.mapping [MAPPING ...]] [--cluster-images.policy [POLICY ...]] [--namespace.policy [POLICY ...]] + [--policy-skip-aggregate] options: -h, --help Show this help message and exit. @@ -357,8 +360,8 @@ options: --namespace.single Export all namespaces (default: False) --pod.single Export all pods in a single evidence (default: False) --image.mapping [MAPPING ...] - K8s namespace;pod;image to product_key:product_version mappinge.g. my-namespace::my-pod::my-image::product_key::product_version (type: K8sImageMappingString, - default: []) + K8s namespace;pod;image to product_key:product_version mappinge.g. my-namespace::my-pod::my-image::product_key::product_version (type: + K8sImageMappingString, default: []) --cluster-images.policy [POLICY ...] Set image policy file (type: str, default: ['ct-8@discovery', 'ct-11@discovery', 'ct-12@discovery', 'ct-13@discovery']) --namespace.policy [POLICY ...] @@ -409,10 +412,10 @@ To evaluate policies on Jfrog evidence. usage: platforms [options] verify [options] jfrog [-h] [--instance.instance INSTANCE] [--token TOKEN] [--url URL] [--types {token,repository,jf-repository,all}] [--default_product_key_strategy {jf-repository,repository,tag,mapping}] [--default_product_version_strategy {tag,short_image_id,image_id}] [--scope.jf-repository [JF_REPOSITORY ...]] - [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]] [--scope.image_platform [IMAGE_PLATFORM ...]] - [--exclude.jf-repository [JF_REPOSITORY ...]] [--exclude.repository [REPOSITORY ...]] - [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--image.mapping [MAPPING ...]] [--image.policy [POLICY ...]] - [--policy-skip-aggregate] + [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]] + [--scope.image_platform [IMAGE_PLATFORM ...]] [--exclude.jf-repository [JF_REPOSITORY ...]] + [--exclude.repository [REPOSITORY ...]] [--exclude.repository_tags [REPOSITORY_TAGS ...]] + [--image.mapping [MAPPING ...]] [--image.policy [POLICY ...]] [--policy-skip-aggregate] options: -h, --help Show this help message and exit. @@ -463,12 +466,14 @@ platforms verify bitbucket --workspace.mapping "my-workspace::my-product::1.0" - --> ```bash -usage: platforms [options] verify [options] bitbucket [-h] [--instance.instance INSTANCE] [--app_password APP_PASSWORD] [--username USERNAME] [--workspace_token WORKSPACE_TOKEN] - [--workspace WORKSPACE] [--url URL] [--types {workspace,project,repository,all}] [--scope.workspace [WORKSPACE ...]] +usage: platforms [options] verify [options] bitbucket [-h] [--instance.instance INSTANCE] [--app_password APP_PASSWORD] [--username USERNAME] + [--workspace_token WORKSPACE_TOKEN] [--workspace WORKSPACE] [--url URL] + [--types {workspace,project,repository,all}] [--scope.workspace [WORKSPACE ...]] [--scope.project [PROJECT ...]] [--scope.repository [REPOSITORY ...]] [--scope.commit [COMMIT ...]] - [--scope.branch [BRANCH ...]] [--scope.webhook [WEBHOOK ...]] [--commit.skip] [--workspace.mapping [MAPPING ...]] - [--project.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] [--repository.policy [POLICY ...]] - [--project.policy [POLICY ...]] [--workspace.policy [POLICY ...]] [--org-policy-skip-aggregate] [--repo-policy-skip-aggregate] + [--scope.branch [BRANCH ...]] [--scope.webhook [WEBHOOK ...]] [--commit.skip] [--branch-protection.skip] + [--workspace.mapping [MAPPING ...]] [--project.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] + [--repository.policy [POLICY ...]] [--project.policy [POLICY ...]] [--workspace.policy [POLICY ...]] + [--org-policy-skip-aggregate] [--repo-policy-skip-aggregate] options: -h, --help Show this help message and exit. @@ -487,11 +492,11 @@ options: --scope.workspace [WORKSPACE ...] BitBucket workspace list (default: ['*']) --scope.project [PROJECT ...] - BitBucket projects wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / project_name' - (default: ['*']) - --scope.repository [REPOSITORY ...] - BitBucket repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / + BitBucket projects wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / project_name' (default: ['*']) + --scope.repository [REPOSITORY ...] + BitBucket repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format + 'namespace / project_name' (default: ['*']) --scope.commit [COMMIT ...] BitBucket commit wildcards (default: []) --scope.branch [BRANCH ...] @@ -499,15 +504,17 @@ options: --scope.webhook [WEBHOOK ...] BitBucket webhook wildcards (default: []) --commit.skip Skip commits in discovery/evidence (default: False) + --branch-protection.skip + Skip Branch protection in discovery/evidence (default: False) --workspace.mapping [MAPPING ...] - Workspace product key mapping in the format of workspace::product_key::product_version where org is the workspace name, wildcards are supported (type: - AssetMappingString, default: []) + Workspace product key mapping in the format of workspace::product_key::product_version where org is the workspace name, wildcards are + supported (type: AssetMappingString, default: []) --project.mapping [MAPPING ...] - Project product key mapping in the format of project::product_key::product_version where org is the project name, wildcards are supported (type: - AssetMappingString, default: []) + Project product key mapping in the format of project::product_key::product_version where org is the project name, wildcards are supported + (type: AssetMappingString, default: []) --repository.mapping [MAPPING ...] - Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported (type: - AssetMappingString, default: []) + Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported + (type: AssetMappingString, default: []) --repository.policy [POLICY ...] Set repository evidence policy file (type: str, default: []) --project.policy [POLICY ...] diff --git a/docs/valint/configuration.md b/docs/valint/configuration.md index dc4e01c81..3faee57dc 100644 --- a/docs/valint/configuration.md +++ b/docs/valint/configuration.md @@ -59,6 +59,7 @@ attest: branch: "" commit: "" depth: 0 + clone-path: "" policy_configs: [] rule_configs: [] label_filters: [] diff --git a/docs/valint/getting-started-valint.md b/docs/valint/getting-started-valint.md index ad9923716..7946266b4 100644 --- a/docs/valint/getting-started-valint.md +++ b/docs/valint/getting-started-valint.md @@ -11,7 +11,7 @@ Valint is a tool used to manage `evidence` generation (for directories, file art Valint also enables you to **capture** any 3rd party report, scan or configuration (any file) into evidence. -> Latest Version `v1.5.18`. +> Latest Version `v1.5.19`. ### Installing Valint diff --git a/docs/valint/help/valint.md b/docs/valint/help/valint.md index 0b399ea61..eb83aaf16 100644 --- a/docs/valint/help/valint.md +++ b/docs/valint/help/valint.md @@ -14,12 +14,12 @@ Flags for `valint` | --- | --- | --- | --- | | | --cache-enable | Enable local cache | true | | -c | --config | Configuration file path | | -| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket local admission] | | +| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket teamcity local admission] | | | | --deliverable | Mark as deliverable, options=[true, false] | | | -e | --env | Environment keys to include in evidence | | | -G | --gate | Policy Gate name | | | -h | --help | help for valint | | -| | --input | Input Evidence target, format (\:\ or \:\:\) | | +| | --input | Input Evidence target, format (\:\ or \:\:\) | | | -L | --label | Add Custom labels | | | | --level | Log depth level, options=[panic fatal error warning info debug trace] | | | | --log-context | Attach context to all logs | | diff --git a/docs/valint/help/valint_bom.md b/docs/valint/help/valint_bom.md index 0955707e5..4c51188d3 100644 --- a/docs/valint/help/valint_bom.md +++ b/docs/valint/help/valint_bom.md @@ -43,9 +43,9 @@ Flags for `bom` subcommand | | --kms | Provide KMS key reference | | | | --oci | Enable OCI store | | | -R | --oci-repo | Select OCI custom attestation repo | | -| | --package-exclude-type | Exclude package type, options=[ruby python javascript java dpkg apk rpm go dotnet r rust binary sbom nix conan alpm cocoapods swift dart elixir php erlang github portage haskell kernel wordpress lua] | | +| | --package-exclude-type | Exclude package type, options=[ruby python javascript java dpkg apk rpm go dotnet r rust binary sbom nix conan alpm cocoapods swift dart elixir php erlang github portage haskell kernel wordpress lua bitnami terraform] | | | | --package-group | Select package group, options=[index install all] | | -| -t | --package-type | Select package type, options=[ruby python javascript java dpkg apk rpm go dotnet r rust binary sbom nix conan alpm cocoapods swift dart elixir php erlang github portage haskell kernel wordpress lua] | | +| -t | --package-type | Select package type, options=[ruby python javascript java dpkg apk rpm go dotnet r rust binary sbom nix conan alpm cocoapods swift dart elixir php erlang github portage haskell kernel wordpress lua bitnami terraform] | | | | --pass | Private key password | | | | --payload | path of the decoded payload | | | | --platform | Select target platform, examples=windows/armv6, arm64 ..) | | @@ -66,11 +66,11 @@ Flags for all `valint` subcommands | --- | --- | --- | --- | | | --cache-enable | Enable local cache | true | | -c | --config | Configuration file path | | -| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket local admission] | | +| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket teamcity local admission] | | | | --deliverable | Mark as deliverable, options=[true, false] | | | -e | --env | Environment keys to include in evidence | | | -G | --gate | Policy Gate name | | -| | --input | Input Evidence target, format (\:\ or \:\:\) | | +| | --input | Input Evidence target, format (\:\ or \:\:\) | | | -L | --label | Add Custom labels | | | | --level | Log depth level, options=[panic fatal error warning info debug trace] | | | | --log-context | Attach context to all logs | | diff --git a/docs/valint/help/valint_diff.md b/docs/valint/help/valint_diff.md index 6aef2c536..d6cfb9900 100644 --- a/docs/valint/help/valint_diff.md +++ b/docs/valint/help/valint_diff.md @@ -49,7 +49,7 @@ global flag for all commands | -C | --context-type | CI context type, options=[jenkins github circleci local gitlab] | "local" | | -L | --label | Add Custom labels | | | -D | --level | Log depth level, options=[panic fatal error warning info debug trace] | | -| -d | --output-directory | Output directory path | "$\{XDG_CACHE_HOME\}/valint" | +| -d | --output-directory | Output directory path | "${XDG_CACHE_HOME}/valint" | | -O | --output-file | Output file name | | | -n | --product-key | Scribe Project Key | | | -q | --quiet | Suppress all logging output | | diff --git a/docs/valint/help/valint_discard.md b/docs/valint/help/valint_discard.md index e8e418813..cbc893b6a 100644 --- a/docs/valint/help/valint_discard.md +++ b/docs/valint/help/valint_discard.md @@ -32,11 +32,11 @@ Flags for all `valint` subcommands | --- | --- | --- | --- | | | --cache-enable | Enable local cache | true | | -c | --config | Configuration file path | | -| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket local admission] | | +| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket teamcity local admission] | | | | --deliverable | Mark as deliverable, options=[true, false] | | | -e | --env | Environment keys to include in evidence | | | -G | --gate | Policy Gate name | | -| | --input | Input Evidence target, format (\:\ or \:\:\) | | +| | --input | Input Evidence target, format (\:\ or \:\:\) | | | -L | --label | Add Custom labels | | | | --level | Log depth level, options=[panic fatal error warning info debug trace] | | | | --log-context | Attach context to all logs | | diff --git a/docs/valint/help/valint_download.md b/docs/valint/help/valint_download.md index 8306a8970..2f2a03052 100644 --- a/docs/valint/help/valint_download.md +++ b/docs/valint/help/valint_download.md @@ -28,11 +28,11 @@ Flags for all `valint` subcommands | --- | --- | --- | --- | | | --cache-enable | Enable local cache | true | | -c | --config | Configuration file path | | -| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket local admission] | | +| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket teamcity local admission] | | | | --deliverable | Mark as deliverable, options=[true, false] | | | -e | --env | Environment keys to include in evidence | | | -G | --gate | Policy Gate name | | -| | --input | Input Evidence target, format (\:\ or \:\:\) | | +| | --input | Input Evidence target, format (\:\ or \:\:\) | | | -L | --label | Add Custom labels | | | | --level | Log depth level, options=[panic fatal error warning info debug trace] | | | | --log-context | Attach context to all logs | | diff --git a/docs/valint/help/valint_evidence.md b/docs/valint/help/valint_evidence.md index 587bb3b32..6161a0ad7 100644 --- a/docs/valint/help/valint_evidence.md +++ b/docs/valint/help/valint_evidence.md @@ -50,11 +50,11 @@ Flags for all `valint` subcommands | --- | --- | --- | --- | | | --cache-enable | Enable local cache | true | | -c | --config | Configuration file path | | -| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket local admission] | | +| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket teamcity local admission] | | | | --deliverable | Mark as deliverable, options=[true, false] | | | -e | --env | Environment keys to include in evidence | | | -G | --gate | Policy Gate name | | -| | --input | Input Evidence target, format (\:\ or \:\:\) | | +| | --input | Input Evidence target, format (\:\ or \:\:\) | | | -L | --label | Add Custom labels | | | | --level | Log depth level, options=[panic fatal error warning info debug trace] | | | | --log-context | Attach context to all logs | | diff --git a/docs/valint/help/valint_list.md b/docs/valint/help/valint_list.md index ddd57801d..ff0f3da48 100644 --- a/docs/valint/help/valint_list.md +++ b/docs/valint/help/valint_list.md @@ -39,11 +39,11 @@ Flags for all `valint` subcommands | --- | --- | --- | --- | | | --cache-enable | Enable local cache | true | | -c | --config | Configuration file path | | -| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket local admission] | | +| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket teamcity local admission] | | | | --deliverable | Mark as deliverable, options=[true, false] | | | -e | --env | Environment keys to include in evidence | | | -G | --gate | Policy Gate name | | -| | --input | Input Evidence target, format (\:\ or \:\:\) | | +| | --input | Input Evidence target, format (\:\ or \:\:\) | | | -L | --label | Add Custom labels | | | | --level | Log depth level, options=[panic fatal error warning info debug trace] | | | | --log-context | Attach context to all logs | | diff --git a/docs/valint/help/valint_slsa.md b/docs/valint/help/valint_slsa.md index 5789da25c..dd78e93db 100644 --- a/docs/valint/help/valint_slsa.md +++ b/docs/valint/help/valint_slsa.md @@ -61,11 +61,11 @@ Flags for all `valint` subcommands | --- | --- | --- | --- | | | --cache-enable | Enable local cache | true | | -c | --config | Configuration file path | | -| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket local admission] | | +| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket teamcity local admission] | | | | --deliverable | Mark as deliverable, options=[true, false] | | | -e | --env | Environment keys to include in evidence | | | -G | --gate | Policy Gate name | | -| | --input | Input Evidence target, format (\:\ or \:\:\) | | +| | --input | Input Evidence target, format (\:\ or \:\:\) | | | -L | --label | Add Custom labels | | | | --level | Log depth level, options=[panic fatal error warning info debug trace] | | | | --log-context | Attach context to all logs | | diff --git a/docs/valint/help/valint_verify.md b/docs/valint/help/valint_verify.md index eba8810b2..b98d0aa11 100644 --- a/docs/valint/help/valint_verify.md +++ b/docs/valint/help/valint_verify.md @@ -72,11 +72,11 @@ Flags for all `valint` subcommands | --- | --- | --- | --- | | | --cache-enable | Enable local cache | true | | -c | --config | Configuration file path | | -| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket local admission] | | +| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket teamcity local admission] | | | | --deliverable | Mark as deliverable, options=[true, false] | | | -e | --env | Environment keys to include in evidence | | | -G | --gate | Policy Gate name | | -| | --input | Input Evidence target, format (\:\ or \:\:\) | | +| | --input | Input Evidence target, format (\:\ or \:\:\) | | | -L | --label | Add Custom labels | | | | --level | Log depth level, options=[panic fatal error warning info debug trace] | | | | --log-context | Attach context to all logs | | diff --git a/docusaurus.config.js b/docusaurus.config.js index 45bf4883e..699a5a3f5 100644 --- a/docusaurus.config.js +++ b/docusaurus.config.js @@ -167,6 +167,7 @@ const config = { "platforms/verify.md", "platforms/generate_k8s_token.md", "platforms/usage.md", + "platforms/hooks.md", "release-notes/rns.md", // "advanced-guide/generating-sboms.md",