Aqua Trivy and Starboard for scanning Gitlab on Power
Trivy is a simple and comprehensive scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues. In addition, Trivy scans Infrastructure as Code (IaC) files such as Terraform, Dockerfile and Kubernetes, to detect potential configuration issues that expose your deployments to the risk of attack.
Starboard integrates security tools into the Kubernetes environment, so that users can find and view the risks that relate to different resources in a Kubernetes-native way. Starboard CLI is a single executable binary which can be used to find risks, such as vulnerabilities or insecure pod descriptors, in Kubernetes workloads. By default, the risk assessment reports are stored as custom resources.
Trivy and Starboard for scanning Gitlab on Power
Trivy and Starboard have gained a lot of popularity as DevOps vulnerability scanning tools. Many users are interested in using their functionality on IBM Power systems, which creates the need for these tools on Power. Also, Gitlab has announced Aqua Trivy and Starboard as its default scanner tools to provide DevOps container security to its customers. You can read more about it in this case study.
Aqua Trivy is officially supported on IBM Power systems, whereas Aqua Starboard does not have official support for the ppc64le architecture. This blog aims to help users who want to use these scanning tools on the Power architecture for testing Gitlab workloads.
Aqua Trivy
Pre-requisites
- A standalone VM to build and install Trivy
This example uses a ppc64le Centos 8.2 VM. You can use PowerVS service at IBM Cloud or Minicloud to get your ppc64le virtual machine.
- Install Docker
wget https://oplab9.parqtec.unicamp.br/pub/ppc64el/docker/version-20.10.2/centos-8/docker-ce-rootless-extras-20.10.2-3.el8.ppc64le.rpm
wget https://oplab9.parqtec.unicamp.br/pub/ppc64el/docker/version-20.10.2/centos-8/docker-ce-20.10.2-3.el8.ppc64le.rpm
wget https://oplab9.parqtec.unicamp.br/pub/ppc64el/docker/version-20.10.2/centos-8/docker-ce-cli-20.10.2-3.el8.ppc64le.rpm
wget https://download.docker.com/linux/centos/8/ppc64le/test/Packages/containerd.io-1.4.9-3.1.el8.ppc64le.rpm
yum localinstall docker-ce-rootless-extras-20.10.2-3.el8.ppc64le.rpm docker-ce-cli-20.10.2-3.el8.ppc64le.rpm docker-ce-20.10.2-3.el8.ppc64le.rpm containerd.io-1.4.9-3.1.el8.ppc64le.rpm
service docker start
- Install Go Lang and other dependencies
git clone https://github.com/rpsene/goconfig.git
cd ./goconfig
source ./go.sh install
yum install libseccomp -y
Building Trivy image on Power
The commands to build the Trivy image on the ppc64le architecture are as follows:
git clone https://github.com/aquasecurity/trivy.git
cd trivy
docker build -t quay.io/snehakpersistent/trivy:ppc64le .
This image can be used when you want to run Trivy in a containerized environment. In this blog, we will use it to build Starboard in the next section. The image is available on this quay repository.
Installing and using Trivy on Power
Aqua Trivy is easy to use. Just install the binary and you're ready to scan. The following command can be used to install Trivy on Power.
rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.19.2/trivy_0.19.2_Linux-PPC64LE.rpm
Trivy detects two types of security issues: Vulnerabilities and Misconfigurations. It can scan three different artifact types: Container Images, Filesystems and Git Repositories.
Let's begin using Trivy to detect vulnerabilities and misconfigurations in the Gitlab runner operator on Power.
Example commands for detecting vulnerabilities are as follows:
# Container image
trivy image registry.gitlab.com/skanekar1/gitlab-runner-operator/gitlab-runner-operator:linux-ppc64le-v0.0.1-259402c6
# Filesystem
trivy fs /root/gitlab-runner-operator/
# Git repository
trivy repo https://gitlab.com/skanekar1/gitlab-runner-operator
Example commands for detecting misconfigurations in Infrastructure as Code (IaC) files are as follows:
# Dockerfile (report only HIGH severity findings)
trivy config --severity HIGH /root/gitlab-runner-operator/ci/
# YAML or Terraform
trivy config gitlab-runner-operator/config/manager/
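The commands above print a table for a human to read; in a CI job you usually want the scan to fail the pipeline instead. The following Python script is an added example (not part of the original post or of the Trivy project): it reads the JSON that `trivy image --format json -o report.json <image>` writes (the `fs`, `repo` and `config` subcommands take the same `--format json` flag), counts findings per severity, and returns the findings at or above a chosen threshold, optionally skipping vulnerabilities with no fixed version the way `--ignore-unfixed` does. The report embedded in the block is constructed for illustration, not the output of a real scan.

```python
"""CI gate over a Trivy JSON report (added example, not Trivy's own code)."""
import json
import sys

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample shaped like Trivy's JSON output (SchemaVersion 2): one image
# target with vulnerabilities plus one Dockerfile target with misconfigurations.
# IDs, packages, versions and targets are illustrative placeholders only.
SAMPLE_REPORT = json.loads("""
{"SchemaVersion": 2, "ArtifactName": "example.invalid/gitlab-runner-operator:ppc64le",
 "Results": [
  {"Target": "example.invalid/gitlab-runner-operator:ppc64le (example-os 8)",
   "Vulnerabilities": [
    {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "openssl-libs",
     "InstalledVersion": "1.1.1g-1", "FixedVersion": "1.1.1g-2", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "glibc",
     "InstalledVersion": "2.28-1", "FixedVersion": "", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "curl",
     "InstalledVersion": "7.61", "FixedVersion": "7.62", "Severity": "LOW"}]},
  {"Target": "ci/Dockerfile",
   "Misconfigurations": [
    {"ID": "EXAMPLE-DS-1", "Title": "Image runs as root", "Severity": "HIGH", "Status": "FAIL"},
    {"ID": "EXAMPLE-DS-2", "Title": "HEALTHCHECK present", "Severity": "LOW", "Status": "PASS"}]}
 ]}
""")

def _rank(severity):
    """Position of a severity in SEVERITY_ORDER; anything unrecognised ranks as UNKNOWN."""
    return SEVERITY_ORDER.index(severity.upper()) if severity.upper() in SEVERITY_ORDER else 0

def findings(report, ignore_unfixed=False):
    """Flatten vulnerabilities and FAILED misconfigurations into (id, severity, target)."""
    out = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not v.get("FixedVersion"):
                continue  # mirrors --ignore-unfixed: nothing to patch to yet
            out.append((v["VulnerabilityID"], v["Severity"].upper(), result["Target"]))
        for m in result.get("Misconfigurations") or []:
            if m.get("Status") == "FAIL":  # PASS entries are not findings
                out.append((m["ID"], m["Severity"].upper(), result["Target"]))
    return out

def count_by_severity(report, ignore_unfixed=False):
    counts = {s: 0 for s in SEVERITY_ORDER}
    for _, sev, _ in findings(report, ignore_unfixed):
        counts[SEVERITY_ORDER[_rank(sev)]] += 1
    return counts

def gate(report, threshold="HIGH", ignore_unfixed=False):
    """Findings at or above `threshold`; an empty list means the gate passes."""
    return [f for f in findings(report, ignore_unfixed) if _rank(f[1]) >= _rank(threshold)]

if __name__ == "__main__":  # usage: python3 gate.py report.json  (exit 1 on blocking findings)
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    blocking = gate(report, "HIGH")
    for vid, sev, target in blocking:
        print(f"{sev:9}{vid:20}{target}")
    sys.exit(1 if blocking else 0)
```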
Aqua Starboard
Pre-requisites
- A ppc64le OCP cluster for building and installing Starboard
You can deploy a Red Hat OpenShift cluster on IBM Power Systems Virtual Servers using steps in this article: https://developer.ibm.com/components/ibm-power/tutorials/install-ocp-on-power-vs/
- Install Go Lang
git clone https://github.com/rpsene/goconfig.git
cd ./goconfig
source ./go.sh install
Building Starboard on Power
Starboard can be run in two different modes: Starboard CLI and Starboard Operator. In this blog, we will focus on Starboard CLI. The steps to build Starboard are as follows:
git clone https://github.com/snehakpersistent/starboard.git
cd starboard/
git checkout ppc-support
make
cp bin/starboard /usr/local/bin/
This builds the Starboard binary for the ppc64le architecture. Internally, it uses the Trivy image for Power that we built in the Trivy section.
Scanning Gitlab workloads on Power cluster
The easiest way to get started with Starboard is to use an imperative starboard command, which allows ad hoc scanning of Kubernetes workloads deployed in your cluster.
To begin with, execute the following one-time setup command:
starboard init
The init subcommand creates the starboard namespace, in which Starboard executes Kubernetes jobs to perform scans. It also sends the custom security resource definitions to the Kubernetes API.
Let's begin by scanning the Gitlab runner operator workloads. Run the vulnerability scanner to generate vulnerability reports:
starboard scan vulnerabilityreports deployment.apps/gitlab-runner-runner
Behind the scenes, by default, this uses Trivy in Standalone mode to identify vulnerabilities in the container images associated with the specified deployment. Once this has been done, you can retrieve the latest vulnerability reports for this workload:
starboard get vulnerabilities deployment.apps/gitlab-runner-runner -o yaml
Similarly, you can audit the Kubernetes configuration of your Gitlab workload using the commands below:
starboard scan configauditreports pod/gitlab-runner-runner-7dcd8cc584-rxvwx
starboard get configaudit pod/gitlab-runner-runner-7dcd8cc584-rxvwx -o yaml
This internally uses the Polaris image for scanning the configuration of your workloads. The Polaris image for ppc64le is built and published on this quay repository.
That's all, folks! We have now seen how to use Aqua Trivy and Aqua Starboard for scanning Gitlab runner operator workloads on IBM Power systems.
Thanks for reading. I hope you found this tutorial helpful :)