#!/bin/bash
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
# Resolve the absolute path of the parent of the script directory (ASH repo root)
export ASH_ROOT_DIR="$(cd "$(dirname "$0")"; pwd)"
export ASH_UTILS_DIR="${ASH_ROOT_DIR}/utils"

# Option defaults. Each is overridden by the matching command-line flag parsed
# below; the trailing comment names the flag and where the value ends up.
SOURCE_DIR=                      # --source-dir; empty means "scan the current directory"
OUTPUT_DIR=.ash/ash_output       # --output-dir; relative paths are resolved against the cwd
OUTPUT_FORMAT=text               # --format; forwarded as ASH_OUTPUT_FORMAT into the container
COLOR_OUTPUT=true                # --no-color sets false; true adds -t to the run command
CONTAINER_UID_SPECIFIED=NO       # --container-uid; YES makes the UID build-arg use CONTAINER_UID
CONTAINER_GID_SPECIFIED=NO       # --container-gid; YES makes the GID build-arg use CONTAINER_GID
NO_BUILD=NO                      # --no-build; YES skips the image build
NO_RUN=NO                        # --no-run; YES skips the scan run
DEBUG=NO                         # --debug; YES enables set -x and ASH_DEBUG in the container
OFFLINE=NO                       # --offline; YES runs with --network=none and passes OFFLINE as build-arg
OFFLINE_SEMGREP_RULESETS=p/ci    # --offline-semgrep-rulesets; passed as a build-arg
TARGET_STAGE=non-root            # --build-target; Dockerfile stage and default image tag suffix
INSTALL_ASH_REVISION=LOCAL       # --ash-revision; passed as a build-arg

# Extra words appended verbatim to the build / run command lines. DOCKER_EXTRA_ARGS
# may be pre-seeded from the caller's environment; the others start empty.
: "${DOCKER_EXTRA_ARGS:=}"
DOCKER_RUN_EXTRA_ARGS=
ASH_ARGS=                        # unrecognised options, forwarded to the ash command in the container
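# Parse arguments
#######################################
# Abort with a usage error when an option that takes a value is the last word
# on the command line. Without this check a trailing `--source-dir` left
# SOURCE_DIR empty and the scan silently fell back to the cwd, and a trailing
# `--container-uid` produced `--build-arg UID=`.
# Arguments: $1 - the option name, $2 - number of words remaining (the caller's $#)
# Outputs:   error message on stderr
# Returns:   0 when a value is present; exits 2 otherwise
#######################################
require_option_value() {
  if (( $2 < 2 )); then
    printf 'Option %s requires a value\n' "$1" >&2
    exit 2
  fi
}

#######################################
# Walk the command line and set the script's option variables. Unrecognised
# words are collected in ASH_ARGS and handed to the `ash` command inside the
# container.
# Globals:   SOURCE_DIR, OUTPUT_DIR, OFFLINE, OFFLINE_SEMGREP_RULESETS,
#            DOCKER_EXTRA_ARGS, ASH_ARGS, OCI_RUNNER, CONTAINER_UID,
#            CONTAINER_UID_SPECIFIED, CONTAINER_GID, CONTAINER_GID_SPECIFIED,
#            NO_BUILD, NO_RUN, DEBUG, OUTPUT_FORMAT, TARGET_STAGE,
#            INSTALL_ASH_REVISION, COLOR_OUTPUT (all written)
# Arguments: the script's command line ("$@")
# Returns:   0; exits 0 after --help/--version, 2 on a missing option value
#######################################
parse_args() {
  while (( $# )); do
    case "$1" in
      --source-dir)
        require_option_value "$1" "$#"
        shift
        SOURCE_DIR="$1"
        ;;
      --output-dir)
        require_option_value "$1" "$#"
        shift
        OUTPUT_DIR="$1"
        ;;
      --offline)
        OFFLINE="YES"
        ;;
      --offline-semgrep-rulesets)
        require_option_value "$1" "$#"
        shift
        OFFLINE_SEMGREP_RULESETS="$1"
        OFFLINE="YES"   # a custom ruleset implies offline mode
        ;;
      --force)
        DOCKER_EXTRA_ARGS="${DOCKER_EXTRA_ARGS} --no-cache"
        ;;
      --quiet | -q)
        DOCKER_EXTRA_ARGS="${DOCKER_EXTRA_ARGS} -q"
        ASH_ARGS="${ASH_ARGS} --quiet"
        ;;
      --oci-runner | -o)
        require_option_value "$1" "$#"
        shift
        OCI_RUNNER="$1"
        ;;
      --container-uid | -u)
        require_option_value "$1" "$#"
        shift
        CONTAINER_UID_SPECIFIED="YES"
        CONTAINER_UID="$1"
        ;;
      --container-gid | -g)
        require_option_value "$1" "$#"
        shift
        CONTAINER_GID_SPECIFIED="YES"
        CONTAINER_GID="$1"
        ;;
      --no-build)
        NO_BUILD="YES"
        ;;
      --no-run)
        NO_RUN="YES"
        ;;
      --debug | -d)
        DEBUG="YES"
        ;;
      --format)
        require_option_value "$1" "$#"
        shift
        OUTPUT_FORMAT="$1"
        ;;
      --build-target)
        require_option_value "$1" "$#"
        shift
        TARGET_STAGE="$1"
        ;;
      --ash-revision | -rev)
        require_option_value "$1" "$#"
        shift
        INSTALL_ASH_REVISION="$1"
        ;;
      --help | -h)
        source "${ASH_ROOT_DIR}/ash-multi" --help
        exit 0
        ;;
      --version | -v)
        source "${ASH_ROOT_DIR}/ash-multi" --version
        exit 0
        ;;
      --no-color | -c)
        COLOR_OUTPUT="false"
        ASH_ARGS="${ASH_ARGS} --no-color"
        ;;
      *)
        # Passed through verbatim. ASH_ARGS is word-split where it is used, so a
        # value containing whitespace cannot be forwarded this way.
        ASH_ARGS="${ASH_ARGS} $1"
        ;;
    esac
    shift
  done
}

parse_args "$@"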
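# Image tag: a caller-supplied ASH_IMAGE_NAME wins over the default derived from the build target.
export ASH_IMAGE_NAME="${ASH_IMAGE_NAME:-automated-security-helper:${TARGET_STAGE}}"

# Default the source directory to the caller's working directory.
if [[ -z "${SOURCE_DIR}" ]]; then
  SOURCE_DIR="$(pwd)"
fi

# Resolve both directories to absolute paths, aborting when they cannot be
# entered. The `cd X; pwd` idiom silently yields the *current* directory when X
# does not exist or is unreadable, which would scan (or write results into)
# the wrong tree.
if ! RESOLVED_SOURCE_DIR="$(cd -- "${SOURCE_DIR}" && pwd)"; then
  printf 'Unable to access source directory %s -- exiting\n' "${SOURCE_DIR}" >&2
  exit 1
fi
SOURCE_DIR="${RESOLVED_SOURCE_DIR}"

if ! mkdir -p -- "${OUTPUT_DIR}"; then
  printf 'Unable to create output directory %s -- exiting\n' "${OUTPUT_DIR}" >&2
  exit 1
fi
if ! RESOLVED_OUTPUT_DIR="$(cd -- "${OUTPUT_DIR}" && pwd)"; then
  printf 'Unable to access output directory %s -- exiting\n' "${OUTPUT_DIR}" >&2
  exit 1
fi
OUTPUT_DIR="${RESOLVED_OUTPUT_DIR}"

# Gather the UID and GID of the caller; they are the build-arg defaults when
# --container-uid / --container-gid are not given.
HOST_UID="$(id -u)"
HOST_GID="$(id -g)"

# Offline mode: run the container with no network access at all.
if [[ "${OFFLINE}" == "YES" ]]; then
  DOCKER_RUN_EXTRA_ARGS="${DOCKER_RUN_EXTRA_ARGS} --network=none"
fi

# Resolve the OCI runner: an explicit OCI_RUNNER (from --oci-runner or the
# environment) wins, otherwise the first of finch/docker/nerdctl/podman on PATH.
# Stays empty when none is found; the caller checks for that.
RESOLVED_OCI_RUNNER="${OCI_RUNNER:-$(command -v finch || command -v docker || command -v nerdctl || command -v podman)}"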
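# If we couldn't resolve an OCI_RUNNER, exit. Diagnostics go to stderr so they
# do not end up in captured scan output.
if [[ -z "${RESOLVED_OCI_RUNNER}" ]]; then
  printf 'Unable to resolve an OCI_RUNNER -- exiting\n' >&2
  exit 1
fi

if [[ "${DEBUG}" == "YES" ]]; then
  set -x
fi
printf 'Resolved OCI_RUNNER to: %s\n' "${RESOLVED_OCI_RUNNER}"

# Build the image if the --no-build flag is not set
if [[ "${NO_BUILD}" == "NO" ]]; then
  # UID/GID build-args: an explicit --container-uid/--container-gid wins,
  # otherwise the caller's own ids are used so files written to /out are owned
  # by the caller. Each option is a whitespace-separated word list (or empty).
  CONTAINER_UID_OPTION=""
  CONTAINER_GID_OPTION=""
  if [[ "${CONTAINER_UID_SPECIFIED}" == "YES" ]]; then
    CONTAINER_UID_OPTION="--build-arg UID=${CONTAINER_UID}"
  elif [[ -n "${HOST_UID}" ]]; then
    CONTAINER_UID_OPTION="--build-arg UID=${HOST_UID}"
  fi
  if [[ "${CONTAINER_GID_SPECIFIED}" == "YES" ]]; then
    CONTAINER_GID_OPTION="--build-arg GID=${CONTAINER_GID}"
  elif [[ -n "${HOST_GID}" ]]; then
    CONTAINER_GID_OPTION="--build-arg GID=${HOST_GID}"
  fi

  printf 'Building image %s -- this may take a few minutes during the first build...\n' "${ASH_IMAGE_NAME}"
  # RESOLVED_OCI_RUNNER, CONTAINER_*_OPTION and DOCKER_EXTRA_ARGS are deliberately
  # unquoted: they hold zero or more whitespace-separated command words.
  # shellcheck disable=SC2086
  ${RESOLVED_OCI_RUNNER} build \
    ${CONTAINER_UID_OPTION} \
    ${CONTAINER_GID_OPTION} \
    --tag "${ASH_IMAGE_NAME}" \
    --target "${TARGET_STAGE}" \
    --file "${ASH_ROOT_DIR}/Dockerfile" \
    --build-arg OFFLINE="${OFFLINE}" \
    --build-arg INSTALL_ASH_REVISION="${INSTALL_ASH_REVISION}" \
    --build-arg OFFLINE_SEMGREP_RULESETS="${OFFLINE_SEMGREP_RULESETS}" \
    --build-arg BUILD_DATE="$(date +%s)" \
    ${DOCKER_EXTRA_ARGS} \
    "${ASH_ROOT_DIR}"
  BUILD_RC=$?
  # A failed build must not fall through to the run step: that would scan with
  # whatever image currently carries the tag (possibly stale) or fail
  # confusingly on a missing image, and --no-run would exit 0 after a failure.
  if [[ "${BUILD_RC}" -ne 0 ]]; then
    printf 'Image build failed (exit %s) -- not running a scan with a stale or missing image\n' "${BUILD_RC}" >&2
    exit "${BUILD_RC}"
  fi
fi

# Run the image if the --no-run flag is not set
RC=0
if [[ "${NO_RUN}" == "NO" ]]; then
  # Mount the source tree read-only unless the output directory is the source
  # directory itself or lives inside it, in which case the scanner could not
  # write its results. Compare on a path boundary so that a sibling such as
  # "${SOURCE_DIR}2" does not disable the read-only mount; ${SOURCE_DIR%/}
  # keeps the check correct when the source directory is "/".
  SOURCE_READONLY=",readonly"
  if [[ "${OUTPUT_DIR}" == "${SOURCE_DIR}" || "${OUTPUT_DIR}" == "${SOURCE_DIR%/}"/* ]]; then
    SOURCE_READONLY=""
  fi

  # Capture terminal size if tput is available so the container experience can be improved
  if command -v tput >/dev/null 2>&1; then
    DOCKER_RUN_EXTRA_ARGS="${DOCKER_RUN_EXTRA_ARGS} -e COLUMNS=$(tput cols) -e LINES=$(tput lines)"
  fi
  if [[ "${COLOR_OUTPUT}" == "true" ]]; then
    DOCKER_RUN_EXTRA_ARGS="${DOCKER_RUN_EXTRA_ARGS} -t"
  fi

  printf 'Running ASH scan using built image...\n'
  # MOUNT_OUTPUT_DIR, DOCKER_RUN_EXTRA_ARGS, ASH_IMAGE_NAME and ASH_ARGS are
  # deliberately unquoted word lists. MOUNT_OUTPUT_DIR is never assigned in this
  # script, so any value comes from the caller's environment.
  # NOTE(review): looks like a leftover; confirm whether it is still needed.
  # shellcheck disable=SC2086
  ${RESOLVED_OCI_RUNNER} run \
    --rm \
    -e "ASH_ACTUAL_SOURCE_DIR=${SOURCE_DIR}" \
    -e "ASH_ACTUAL_OUTPUT_DIR=${OUTPUT_DIR}" \
    -e "ASH_DEBUG=${DEBUG}" \
    -e "ASH_OUTPUT_FORMAT=${OUTPUT_FORMAT}" \
    --mount source="${SOURCE_DIR}",type=bind,destination=/src${SOURCE_READONLY} \
    --mount source="${OUTPUT_DIR}",type=bind,destination=/out \
    ${MOUNT_OUTPUT_DIR} \
    ${DOCKER_RUN_EXTRA_ARGS} \
    ${ASH_IMAGE_NAME} \
    ash \
    --source-dir /src \
    --output-dir /out \
    $ASH_ARGS
  RC=$?
fi

if [[ "${DEBUG}" == "YES" ]]; then
  set +x
fi
exit "${RC}"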