cue modules: move stdlib to pkg/alpha.dagger.io

In preparation for Europa, we will vendor multiple CUE modules: - `pkg/alpha.dagger.io`: legacy non-europa packages - `pkg/dagger.io`: core Europa packages - `pkg/universe.dagger.io`: Europa universe Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
2022-01-11 12:40:02 -08:00
parent e5316f3a1e
commit 282759c0e5
277 changed files with 33 additions and 31 deletions
--- a/pkg/alpha.dagger.io/trivy/image.cue
+++ b/pkg/alpha.dagger.io/trivy/image.cue
@@ -0,0 +1,64 @@
+package trivy
+
+import (
+	"encoding/json"
+
+	"alpha.dagger.io/os"
+)
+
+// Scan an Image
+#Image: {
+	// Trivy configuration
+	config: #Config
+
+	// Image source (AWS, GCP, Docker Hub, Self hosted)
+	source: string
+
+	// Trivy Image arguments
+	args: [arg=string]: string
+	// Enforce args best practices
+	args: {
+		"--severity":       *"HIGH,CRITICAL" | string
+		"--exit-code":      *"1" | string
+		"--ignore-unfixed": *"" | string
+		"--format":         *"table" | string
+		"--output":         *"output" | string
+	}
+
+	ctr: os.#Container & {
+		image: #CLI & {
+			"config": config
+		}
+		shell: {
+			path: "/bin/bash"
+			args: ["--noprofile", "--norc", "-eo", "pipefail", "-c"]
+		}
+		always: true
+		command: #"""
+			trivyArgs="$(
+				echo "$ARGS" |
+				jq -c '
+					to_entries |
+					map(.key + " " + (.value | tostring) + " ") |
+					add
+			')"
+
+			# Remove suffix and prefix quotes if present
+			trivyArgs="${trivyArgs#\"}"
+			trivyArgs="${trivyArgs%\"}"
+
+			trivy image $trivyArgs "$SOURCE"
+			echo -n "$SOURCE" > /ref
+			"""#
+		env: ARGS:   json.Marshal(args)
+		env: SOURCE: source
+	}
+
+	// Reference analyzed
+	ref: {
+		os.#File & {
+				from: ctr
+				path: "/ref"
+			}
+	}.contents @dagger(output)
+}
--- a/pkg/alpha.dagger.io/trivy/tests/trivy.cue
+++ b/pkg/alpha.dagger.io/trivy/tests/trivy.cue
@@ -0,0 +1,127 @@
+package trivy
+
+import (
+	"alpha.dagger.io/aws"
+	"alpha.dagger.io/aws/ecr"
+	"alpha.dagger.io/dagger"
+	"alpha.dagger.io/dagger/op"
+	"alpha.dagger.io/gcp"
+	"alpha.dagger.io/gcp/gcr"
+	"alpha.dagger.io/random"
+)
+
+TestConfig: awsConfig: aws.#Config & {
+	region: "us-east-2"
+}
+
+TestConfig: gcpConfig: gcp.#Config & {
+	project: "dagger-ci"
+	region:  "us-west2-a"
+}
+
+TestConfig: {
+	trivyNoAuth: #Config
+
+	trivyBasicAuth: #Config & {
+		basicAuth: {
+			username: "guilaume1234"
+			password: dagger.#Input & {dagger.#Secret}
+		}
+	}
+
+	trivyAWSAuth: #Config & {
+		awsAuth: TestConfig.awsConfig
+	}
+
+	trivyGCPAuth: #Config & {
+		gcpAuth: TestConfig.gcpConfig
+	}
+}
+
+TestSuffix: random.#String & {
+	seed: ""
+}
+
+TestNoAuthClient: #Image & {
+	config: TestConfig.trivyNoAuth
+	source: "ubuntu:21.10"
+}
+
+TestBasicAuthClient: #Image & {
+	config: TestConfig.trivyBasicAuth
+	source: "docker.io/guilaume1234/guillaume:latest"
+}
+
+TestAWSClient: {
+	repository: "125635003186.dkr.ecr.\(TestConfig.awsConfig.region).amazonaws.com/dagger-ci"
+	tag:        "test-ecr-\(TestSuffix.out)"
+
+	creds: ecr.#Credentials & {
+		config: TestConfig.awsConfig
+	}
+
+	push: {
+		ref: "\(repository):\(tag)"
+
+		#up: [
+			op.#DockerBuild & {
+				dockerfile: """
+				FROM alpine
+				RUN echo \(TestSuffix.out) > /test
+				"""
+			},
+
+			op.#DockerLogin & {
+				target:   repository
+				username: creds.username
+				secret:   creds.secret
+			},
+
+			op.#PushContainer & {
+				"ref": ref
+			},
+		]
+	}
+
+	verify: #Image & {
+		config: TestConfig.trivyAWSAuth
+		source: push.ref
+	}
+}
+
+TestGCPClient: {
+	repository: "gcr.io/dagger-ci/test"
+	tag:        "test-gcr-\(TestSuffix.out)"
+
+	creds: gcr.#Credentials & {
+		config: TestConfig.gcpConfig
+	}
+
+	push: {
+		ref: "\(repository):\(tag)"
+
+		#up: [
+			op.#DockerBuild & {
+				dockerfile: """
+				FROM alpine
+				RUN echo \(TestSuffix.out) > /test
+				"""
+			},
+
+			op.#DockerLogin & {
+				target:   repository
+				username: creds.username
+				secret:   creds.secret
+			},
+
+			op.#PushContainer & {
+				"ref": ref
+			},
+		]
+	}
+
+	verify: #Image & {
+		config: TestConfig.trivyGCPAuth
+		source: push.ref
+	}
+}
--- a/pkg/alpha.dagger.io/trivy/trivy.cue
+++ b/pkg/alpha.dagger.io/trivy/trivy.cue
@@ -0,0 +1,128 @@
+package trivy
+
+import (
+	"strconv"
+
+	"alpha.dagger.io/alpine"
+	"alpha.dagger.io/aws"
+	"alpha.dagger.io/dagger"
+	"alpha.dagger.io/dagger/op"
+	"alpha.dagger.io/gcp"
+)
+
+// Set Trivy download source
+// - AWS
+// - GCP
+// - Docker Hub
+// - Self Hosted
+
+// Trivy Configuration
+#Config: {
+	// Docker Hub / Self hosted registry auth
+	basicAuth: {
+		// Username
+		username: dagger.#Input & {string}
+
+		// Password
+		password: dagger.#Input & {dagger.#Secret}
+
+		// No SSL connection
+		noSSL: *false | bool
+	} | *null
+
+	// AWS ECR auth
+	awsAuth: aws.#Config | *null
+
+	// GCP auth 
+	gcpAuth: gcp.#Config | *null
+}
+
+// Re-usable CLI component
+#CLI: {
+	config: #Config
+
+	#up: [
+		if config.awsAuth == null && config.gcpAuth == null {
+			op.#Load & {
+				from: alpine.#Image & {
+					package: bash: true
+					package: curl: true
+					package: jq:   true
+				}
+			}
+		},
+		if config.awsAuth != null && config.gcpAuth == null {
+			op.#Load & {
+				from: aws.#CLI & {
+					"config": config.awsAuth
+				}
+			}
+		},
+		if config.awsAuth == null && config.gcpAuth != null {
+			op.#Load & {
+				from: gcp.#GCloud & {
+					"config": config.gcpAuth
+				}
+			}
+		},
+		op.#Exec & {
+			args: ["sh", "-c",
+				#"""
+					curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.18.3 &&
+					chmod +x /usr/local/bin/trivy
+					"""#,
+			]
+		},
+		// config.basicAuth case
+		if config.basicAuth != null && config.awsAuth == null && config.gcpAuth == null {
+			op.#Exec & {
+				args: ["/bin/bash", "-c",
+					#"""
+						# Rename
+						mv /usr/local/bin/trivy /usr/local/bin/trivy-dagger
+
+						# Build root of executable script
+						echo '#!/bin/bash'$'\n' > /usr/local/bin/trivy
+
+						# Construct env string from env vars
+						envs=()
+						[ -n "$TRIVY_USERNAME" ] && envs+=("TRIVY_USERNAME=$TRIVY_USERNAME")
+						[ -n "$TRIVY_NON_SSL" ] && envs+=("TRIVY_NON_SSL=$TRIVY_NON_SSL")
+
+						# Append secret to env string
+						[ -n "$(cat /password)" ] && envs+=("TRIVY_PASSWORD=$(cat /password)")
+
+						# Append full command
+						echo "${envs[@]}" '/usr/local/bin/trivy-dagger "$@"' >> /usr/local/bin/trivy
+
+						# Make it executable
+						chmod +x /usr/local/bin/trivy
+						"""#,
+				]
+				env: TRIVY_USERNAME: config.basicAuth.username
+				env: TRIVY_NON_SSL:  strconv.FormatBool(config.basicAuth.noSSL)
+				mount: "/password": secret: config.basicAuth.password
+			}
+		},
+		// config.gcpAuth case
+		if config.basicAuth == null && config.awsAuth == null && config.gcpAuth != null {
+			op.#Exec & {
+				args: ["/bin/bash", "-c",
+					#"""
+						# Rename
+						mv /usr/local/bin/trivy /usr/local/bin/trivy-dagger
+
+						# Build root of executable script
+						echo '#!/bin/bash'$'\n' > /usr/local/bin/trivy
+
+						# Append full command
+						echo "TRIVY_USERNAME=''" "GOOGLE_APPLICATION_CREDENTIALS=/service_key" '/usr/local/bin/trivy-dagger "$@"' >> /usr/local/bin/trivy
+
+						# Make it executable
+						chmod +x /usr/local/bin/trivy
+						"""#,
+				]
+			}
+		},
+	]
+}