255ba6aec9
- Updated `generate_report.sh` to include additional scanners and output paths. - Enhanced `send_report.py` with new data classes for misconfigurations and vulnerabilities. - Improved parsing logic for Trivy output, supporting both Kubernetes and image scans. - Added Prometheus metrics generation for various scan results, including misconfigurations and vulnerabilities. - Introduced unit tests for parsing Trivy output and generating Prometheus metrics. - Modified Terraform variables for SMTP port type and added Pushgateway URL variable.
212 lines
5.8 KiB
Terraform
212 lines
5.8 KiB
Terraform
resource "kubernetes_namespace" "trivy" {
|
|
metadata {
|
|
name = "trivy"
|
|
}
|
|
}
|
|
|
|
resource "kubernetes_service_account" "trivy" {
|
|
metadata {
|
|
name = "trivy"
|
|
namespace = kubernetes_namespace.trivy.metadata[0].name
|
|
}
|
|
|
|
automount_service_account_token = false
|
|
}
|
|
|
|
resource "kubernetes_cluster_role" "trivy" {
|
|
metadata {
|
|
name = "trivy"
|
|
}
|
|
rule {
|
|
api_groups = [""]
|
|
resources = ["*"]
|
|
verbs = ["list"]
|
|
}
|
|
rule {
|
|
api_groups = ["apps", "batch", "networking.k8s.io", "rbac.authorization.k8s.io"]
|
|
resources = ["*"]
|
|
verbs = ["list"]
|
|
}
|
|
}
|
|
|
|
resource "kubernetes_cluster_role_binding" "trivy" {
|
|
metadata {
|
|
name = "trivy"
|
|
}
|
|
role_ref {
|
|
api_group = "rbac.authorization.k8s.io"
|
|
kind = "ClusterRole"
|
|
name = kubernetes_cluster_role.trivy.metadata[0].name
|
|
}
|
|
subject {
|
|
kind = "ServiceAccount"
|
|
name = kubernetes_service_account.trivy.metadata[0].name
|
|
namespace = kubernetes_namespace.trivy.metadata[0].name
|
|
}
|
|
}
|
|
|
|
resource "kubernetes_secret" "email_credentials" {
|
|
metadata {
|
|
name = "trivy-email-credentials"
|
|
namespace = kubernetes_namespace.trivy.metadata[0].name
|
|
}
|
|
data = {
|
|
smtp_username = var.smtp_username
|
|
smtp_password = var.smtp_password
|
|
}
|
|
}
|
|
|
|
resource "kubernetes_config_map" "scripts" {
|
|
metadata {
|
|
name = "trivy-scripts"
|
|
namespace = kubernetes_namespace.trivy.metadata[0].name
|
|
}
|
|
data = {
|
|
"send_report.py" = local.send_report_script
|
|
"generate_report.sh" = local.generate_report_script
|
|
}
|
|
}
|
|
|
|
resource "kubernetes_cron_job_v1" "trivy" {
|
|
metadata {
|
|
name = "trivy-scan"
|
|
namespace = kubernetes_namespace.trivy.metadata[0].name
|
|
}
|
|
spec {
|
|
schedule = var.cron_schedule
|
|
concurrency_policy = "Forbid"
|
|
successful_jobs_history_limit = 1
|
|
failed_jobs_history_limit = 1
|
|
job_template {
|
|
metadata {
|
|
name = "trivy-scan"
|
|
}
|
|
spec {
|
|
backoff_limit = 1
|
|
parallelism = 1
|
|
completions = 1
|
|
active_deadline_seconds = 600
|
|
|
|
template {
|
|
metadata {
|
|
labels = {
|
|
app = "trivy-scan"
|
|
}
|
|
}
|
|
spec {
|
|
restart_policy = "Never"
|
|
service_account_name = kubernetes_service_account.trivy.metadata[0].name
|
|
automount_service_account_token = true
|
|
container {
|
|
image = "aquasec/trivy:${var.tag}"
|
|
name = "trivy"
|
|
command = ["/bin/sh", "-c", "/scripts/generate_report.sh"]
|
|
security_context {
|
|
run_as_non_root = true
|
|
run_as_user = 1000
|
|
run_as_group = 1000
|
|
allow_privilege_escalation = false
|
|
read_only_root_filesystem = true
|
|
}
|
|
env {
|
|
name = "REPORT_TYPE"
|
|
value = var.report_type
|
|
}
|
|
env {
|
|
name = "LEVELS"
|
|
value = var.levels
|
|
}
|
|
volume_mount {
|
|
name = "trivy-scripts"
|
|
mount_path = "/scripts"
|
|
}
|
|
volume_mount {
|
|
name = "tmp"
|
|
mount_path = "/tmp"
|
|
}
|
|
}
|
|
container {
|
|
name = "send-report"
|
|
image = "python:${local.python_version}"
|
|
command = ["python3", "/scripts/send_report.py"]
|
|
env {
|
|
name = "SMTP_HOST"
|
|
value = var.smtp_host
|
|
}
|
|
env {
|
|
name = "SMTP_PORT"
|
|
value = var.smtp_port
|
|
}
|
|
env {
|
|
name = "SMTP_USER"
|
|
value_from {
|
|
secret_key_ref {
|
|
key = "smtp_username"
|
|
name = kubernetes_secret.email_credentials.metadata[0].name
|
|
}
|
|
}
|
|
}
|
|
env {
|
|
name = "SMTP_PASS"
|
|
value_from {
|
|
secret_key_ref {
|
|
key = "smtp_password"
|
|
name = kubernetes_secret.email_credentials.metadata[0].name
|
|
}
|
|
}
|
|
}
|
|
env {
|
|
name = "EMAIL_FROM"
|
|
value = var.from_email
|
|
}
|
|
env {
|
|
name = "EMAIL_TO"
|
|
value = var.to_email
|
|
}
|
|
env {
|
|
name = "PUSHGATEWAY_URL"
|
|
value = var.pushgateway_url
|
|
}
|
|
env {
|
|
name = "REPORT_PATH"
|
|
value = "/tmp/report.html"
|
|
}
|
|
env {
|
|
name = "TRIVY_OUTPUT_FILE"
|
|
value = "/tmp/trivy.json"
|
|
}
|
|
security_context {
|
|
run_as_non_root = true
|
|
run_as_user = 1000
|
|
run_as_group = 1000
|
|
allow_privilege_escalation = false
|
|
read_only_root_filesystem = true
|
|
}
|
|
volume_mount {
|
|
name = "trivy-scripts"
|
|
mount_path = "/scripts"
|
|
}
|
|
volume_mount {
|
|
name = "tmp"
|
|
mount_path = "/tmp"
|
|
}
|
|
}
|
|
volume {
|
|
name = "trivy-scripts"
|
|
config_map {
|
|
name = kubernetes_config_map.scripts.metadata[0].name
|
|
default_mode = "0755"
|
|
|
|
}
|
|
}
|
|
volume {
|
|
name = "tmp"
|
|
empty_dir {}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|