Add filter suite option for scan

This commit is contained in:
abhisek 2023-02-18 18:01:35 +05:30
parent 2ca64478cf
commit 24f265359b
No known key found for this signature in database
GPG Key ID: CB92A4990C02A88F
4 changed files with 23 additions and 3 deletions


@ -20,6 +20,7 @@ LABEL org.opencontainers.image.source=https://github.com/safedep/vet
LABEL org.opencontainers.image.description="Open source software supply chain security tool" LABEL org.opencontainers.image.description="Open source software supply chain security tool"
LABEL org.opencontainers.image.licenses=Apache-2.0 LABEL org.opencontainers.image.licenses=Apache-2.0
COPY ./samples/ /vet/samples
COPY --from=build /build/vet /usr/local/bin/vet COPY --from=build /build/vet /usr/local/bin/vet
USER nonroot:nonroot USER nonroot:nonroot


@ -84,9 +84,16 @@ Learn more about [filtering with vet](docs/filtering.md).
Look at [filter input spec](api/filter_input_spec.proto) on attributes Look at [filter input spec](api/filter_input_spec.proto) on attributes
available to the filter expression. available to the filter expression.
## Policy Evaluation ### Using Filter Suite
TODO Filter suites can be used to implement security gating in CI. [Example](samples/filter-suites/fs-generic.yml)
file suite contains rules to enforce generic OSS consumption best practices.
```bash
vet scan -D /path/to/dir --filter-suite /path/to/suite.yml --filter-fail
```
Read more about filter suites in [filtering guide](docs/filtering.md)
## FAQ ## FAQ


@ -142,7 +142,6 @@ The filter suite will be evaluated as:
* Ordered list of filters as given in the suite file * Ordered list of filters as given in the suite file
* Stop on first rule match for a given package * Stop on first rule match for a given package
* Stop on first evaluation error for a given package
## FAQ ## FAQ

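--- a/scan.go
+++ b/scan.go
@@ -23,6 +23,7 @@ var (
 	concurrency int
 	dumpJsonManifestDir string
 	celFilterExpression string
+	celFilterSuiteFile string
 	celFilterFailOnMatch bool
 	markdownReportPath string
 	consoleReport bool
@@ -63,6 +64,8 @@ func newScanCommand() *cobra.Command {
 		"Dump enriched package manifests as JSON files to dir")
 	cmd.Flags().StringVarP(&celFilterExpression, "filter", "", "",
 		"Filter and print packages using CEL")
+	cmd.Flags().StringVarP(&celFilterSuiteFile, "filter-suite", "", "",
+		"Filter packages using CEL Filter Suite from file")
 	cmd.Flags().BoolVarP(&celFilterFailOnMatch, "filter-fail", "", false,
 		"Fail the scan if the filter match any package (security gate)")
 	cmd.Flags().StringVarP(&markdownReportPath, "report-markdown", "", "",
@@ -118,6 +121,16 @@ func internalStartScan() error {
 		analyzers = append(analyzers, task)
 	}
+	if !utils.IsEmptyString(celFilterSuiteFile) {
+		task, err := analyzer.NewCelFilterSuiteAnalyzer(celFilterSuiteFile,
+			celFilterFailOnMatch)
+		if err != nil {
+			return err
+		}
+		analyzers = append(analyzers, task)
+	}
 	reporters := []reporter.Reporter{}
 	if consoleReport {
 		rp, err := reporter.NewConsoleReporter()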
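Review bot: The error from `analyzer.NewCelFilterSuiteAnalyzer` in the third hunk is returned bare, so a missing or malformed suite file fails the scan without naming the file or the option involved, which is an opaque failure for a CI gate; wrap it as `return fmt.Errorf("loading filter suite %q: %w", celFilterSuiteFile, err)` (adding the `fmt` import if the file does not already have it), and the `--filter` block just above the hunk deserves the same treatment if it also returns the bare error. Since both analyzers are appended when `--filter` and `--filter-suite` are given together and `--filter-fail` now governs both, the `filter-fail` help string in the second hunk should say so, e.g. `"Fail the scan if the filter or filter suite matches any package (security gate)"`. If the two options are not meant to be combined, `cmd.MarkFlagsMutuallyExclusive("filter", "filter-suite")` after the flag definitions would reject that combination, provided the cobra version in use offers it. internalStartScan begins and ends outside the hunk.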