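---
# Composite action: scan the image <ECR_REGISTRY>/trivy-scanning:<TAG> with
# Trivy, delete that scratch image from ECR, publish HIGH/CRITICAL counts as
# step outputs plus a job-summary table, and fail the job on findings when
# deploy_env is "qa" or "staging".
name: Trivy module
author: Bolt lee
description: 'Trivy module'

inputs:
  TAG:
    description: 'Tag of the image in the trivy-scanning ECR repository to scan (the image is deleted after the scan)'
    required: true
    default: ''
  ECR_REGISTRY:
    description: 'ECR registry host that holds the trivy-scanning repository'
    required: true
    default: 'sample-registry'
  # The following inputs are accepted for interface compatibility with callers;
  # no step in this action reads them.
  ECR_REPOSITORY:
    description: 'Unused by this action'
    required: false
    default: 'sample-repository'
  dockerfile:
    description: 'Unused by this action'
    required: false
    default: Dockerfile
  file-changes:
    description: 'file pattern list for checking rebuilding image or not (unused by this action)'
    required: false
    default: ''
  file-ignore-changes:
    description: 'file pattern list for checking rebuilding image or not (unused by this action)'
    required: false
    default: ''
  extra-build-args:
    description: 'Unused by this action'
    required: false
    default: ''
  base_sha:
    description: 'Unused by this action'
    required: false
    default: ''
  sha:
    description: 'Unused by this action'
    required: false
    default: ''
  deploy_env:
    description: 'Deployment environment; "qa" and "staging" fail the job when HIGH/CRITICAL findings exist'
    required: false
    default: ''

runs:
  using: "composite"
  steps:
    # NOTE(review): pin this third-party action to a full commit SHA instead of
    # the moving `master` branch so the scanner cannot change underneath the
    # workflow without a reviewed update.
    - name: scan image vulnerability
      uses: aquasecurity/trivy-action@master
      with:
        scan-type: 'image'
        image-ref: '${{ inputs.ECR_REGISTRY }}/trivy-scanning:${{ inputs.TAG }}'
        vuln-type: 'os,library'
        ignore-unfixed: true
        severity: 'CRITICAL,HIGH'
        security-checks: 'vuln'
        format: 'json'
        output: 'trivy-result.json'

    # Inputs reach the scripts through `env:` rather than being expanded into
    # the script text, so a value containing shell metacharacters cannot
    # inject commands into the runner shell.
    - name: trivy-scanning ecr repo image delete
      shell: bash
      env:
        TAG: ${{ inputs.TAG }}
      run: |
        echo "Delete trivy-scanning image: ${TAG}"
        aws ecr batch-delete-image \
          --repository-name trivy-scanning \
          --image-ids "imageTag=${TAG}" \
          --region ap-northeast-2

    - name: install jq
      shell: bash
      run: |
        # Reuse a preinstalled jq when available; otherwise fetch the pinned
        # 1.6 release. `--fail` prevents an HTTP error page from being saved
        # and chmod'ed as the binary.
        # TODO(review): verify the download against a known sha256 before use.
        if ! command -v jq >/dev/null 2>&1; then
          curl -fsSL https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 -o /usr/local/bin/jq
          chmod a+x /usr/local/bin/jq
        fi

    - name: check trivy result
      id: result
      shell: bash
      run: |
        cat trivy-result.json

        # Count HIGH/CRITICAL findings by result class rather than assuming
        # .Results[0] is the OS report and .Results[1] the library report:
        # the positions depend on what Trivy detected, so a library-only image
        # or one with several lockfiles was mis-counted before.
        count_by_class() {
          jq --arg cls "$1" \
            '[.Results[]? | select(.Class == $cls) | .Vulnerabilities[]?
              | select(.Severity == "HIGH" or .Severity == "CRITICAL")] | length' \
            trivy-result.json
        }
        TOTAL_OS_COUNT=$(count_by_class os-pkgs)
        TOTAL_LIBRARY_COUNT=$(count_by_class lang-pkgs)
        TOTAL_COUNT=$((TOTAL_OS_COUNT + TOTAL_LIBRARY_COUNT))

        echo "==== TOTAL VULNERABILITY ===="
        echo "TOTAL OS_VULNERABILITY COUNT: ${TOTAL_OS_COUNT}"
        echo "TOTAL LIBRARY_VULNERABILITY COUNT: ${TOTAL_LIBRARY_COUNT}"
        echo "TOTAL VULNERABILITY COUNT: ${TOTAL_COUNT}"

        {
          echo "TOTAL_OS_COUNT=${TOTAL_OS_COUNT}"
          echo "TOTAL_LIBRARY_COUNT=${TOTAL_LIBRARY_COUNT}"
        } >> "$GITHUB_OUTPUT"

        # `check` is written exactly once: "false" means findings are present
        # and gates the two steps below.
        if [[ "${TOTAL_COUNT}" -gt 0 ]]; then
          echo "Image vulnerability detect"
          echo "check=false" >> "$GITHUB_OUTPUT"
        else
          echo "check=true" >> "$GITHUB_OUTPUT"
          # Clean scan: still emit empty summary tables so the job page is uniform.
          for section in OS LIBRARY; do
            {
              echo "## Trivy Summary(${section})"
              echo "| PkgName | CVE | Severity | InstallVersion | FixVersion |"
              echo "|------------|------------|-------------|-------------------|---------------|"
              echo "| - | - | - | - | - |"
            } >> "$GITHUB_STEP_SUMMARY"
          done
        fi

    - name: trivy summary show
      shell: bash
      if: steps.result.outputs.check == 'false'
      env:
        TOTAL_OS_COUNT: ${{ steps.result.outputs.TOTAL_OS_COUNT }}
        TOTAL_LIBRARY_COUNT: ${{ steps.result.outputs.TOTAL_LIBRARY_COUNT }}
      run: |
        echo "====== TOTAL COUNT ======"
        echo "${TOTAL_OS_COUNT}"
        echo "${TOTAL_LIBRARY_COUNT}"
        echo "========================"

        # Emit one markdown row per finding directly from jq. The previous
        # head/tail loop re-read the summary file for every field (quadratic
        # in the number of findings) and printed "null" when FixedVersion
        # was absent; "-" is used for that case here.
        write_table() {
          local section="$1" cls="$2" count="$3"
          {
            echo "## Trivy Summary(${section})"
            echo "| PkgName | CVE | Severity | InstallVersion | FixVersion |"
            echo "|------------|------------|-------------|-------------------|---------------|"
            if [[ "${count}" -gt 0 ]]; then
              jq -r --arg cls "${cls}" \
                '.Results[]? | select(.Class == $cls) | .Vulnerabilities[]?
                  | "| \(.PkgName) | \(.VulnerabilityID) | \(.Severity) | \(.InstalledVersion) | \(.FixedVersion // "-") |"' \
                trivy-result.json
            else
              echo "| - | - | - | - | - |"
            fi
          } >> "$GITHUB_STEP_SUMMARY"
        }
        write_table OS os-pkgs "${TOTAL_OS_COUNT}"
        write_table LIBRARY lang-pkgs "${TOTAL_LIBRARY_COUNT}"

    # Gate: a qa/staging deploy with HIGH/CRITICAL findings must not proceed.
    - name: trivy-scanning check
      shell: bash
      if: steps.result.outputs.check == 'false'
      env:
        DEPLOY_ENV: ${{ inputs.deploy_env }}
      run: |
        if [[ "${DEPLOY_ENV}" == "qa" ]] || [[ "${DEPLOY_ENV}" == "staging" ]]; then
          echo "detect image vulnerability"
          echo "shutdown github action"
          # Previously this step only printed the messages and exited 0, so the
          # gate never stopped the workflow; a non-zero exit makes it effective.
          exit 1
        fi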