Add comprehensive test coverage for scanner, enrichment, and CLI #2
Merged
9 commits
1d362c5 tests: fill critical coverage gaps — kev, scanner parse, runc HostVer… (claude)
dc2ac68 tests: SARIF validation, WriteFindingsCSVWithImage, enrichment+policy… (claude)
49854f8 tests+docs: CLI exit-code tests, architecture/network diagrams, testi… (claude)
7793a9e Add tests for cmd/server, cmd/mcp-server, cmd/baseline; fix go.sum fo… (claude)
96660b5 Fix three CI bugs found in code review (claude)
d1b1163 Update docs and README for Go 1.25, CI pipeline, and full cmd/* test … (claude)
cc3e876 Add Phase 1 CLI tests and five new CI/CD integrations (claude)
4553fe5 Fix runc pre-release false-clean and remove shadowed min() helper (claude)
a837c70 Update COMPARISON and README to reflect all 9 CI/CD platforms (claude)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| name: CI | ||
|
|
||
| on: | ||
| push: | ||
| branches: [main] | ||
| pull_request: | ||
|
|
||
| jobs: | ||
| build-and-test: | ||
| name: Build & Unit Tests | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - uses: actions/setup-go@v5 | ||
| with: | ||
| go-version-file: go.mod | ||
| cache: true | ||
|
|
||
| - name: Vet | ||
| run: go vet ./... | ||
|
|
||
| - name: Unit tests (with race detector) | ||
| run: go test -race -count=1 ./pkg/... ./cmd/... | ||
|
|
||
| - name: Build all commands | ||
| run: go build ./cmd/... | ||
|
|
||
| integration: | ||
| name: Integration Scan | ||
| runs-on: ubuntu-latest | ||
| # Run on push to main only; path-scoped PR triggers require tj-actions/changed-files | ||
| # (github.event.pull_request.changed_files is an integer count, not a path list). | ||
| if: github.event_name == 'push' | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - uses: actions/setup-go@v5 | ||
| with: | ||
| go-version-file: go.mod | ||
|
|
||
| cache: true | ||
|
|
||
| - name: Install Trivy | ||
| run: | | ||
| curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/v0.69.1/contrib/install.sh | sh -s -- -b /usr/local/bin v0.69.1 | ||
|
|
||
| - name: Integration tests | ||
| run: go test -v -timeout 5m ./tests/integration/... | ||
| env: | ||
| TRIVY_NO_PROGRESS: "true" | ||
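Review bot: the workflow declares no `permissions:` block, so both jobs run with the repository's default GITHUB_TOKEN scope although nothing in them needs more than checkout; add `permissions:` with `contents: read` at the top level (or per job) so the token stays least-privilege. Two smaller supply-chain points in the same hunk: `actions/checkout@v4` and `actions/setup-go@v5` are pinned to mutable major-version tags rather than a full commit SHA, and the `Install Trivy` step pipes a script fetched with `curl -sfL ...` straight into `sh`, so nothing checks what executes on the runner before it runs; downloading the script to a file and verifying its hash first (or using a pinned action) would make that reviewable. Pinning `v0.69.1` on both the URL and the `-b` argument is good and should stay.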
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,163 @@ | ||
| # AWS CodeBuild Buildspec — Docker Container Security Scan | ||
| # | ||
| # What this does: | ||
| # 1. Builds the scanner from source (or pulls a pre-published image). | ||
| # 2. Logs in to ECR with the CodeBuild execution role (no stored credentials needed). | ||
| # 3. Builds your application image and tags it with the full ECR URI. | ||
| # 4. Runs a full scan: vulnerability detection, runc advisory, SBOM generation. | ||
| # 5. Writes all reports to reports/ and publishes them as CodeBuild artifacts. | ||
| # 6. Exits non-zero if CRITICAL or HIGH findings are present, failing the build. | ||
| # | ||
| # ─── Environment variables ──────────────────────────────────────────────────── | ||
| # CodeBuild built-ins (set automatically, no configuration needed): | ||
| # CODEBUILD_RESOLVED_SOURCE_VERSION – full commit SHA used as image tag | ||
| # AWS_DEFAULT_REGION – region where the build runs | ||
| # AWS_ACCOUNT_ID – not a built-in; set it in project settings (see below) | ||
| # | ||
| # User-defined (set in CodeBuild project → Environment → Environment variables): | ||
| # AWS_ACCOUNT_ID – your 12-digit AWS account ID, e.g. 123456789012 | ||
| # ECR_REPO_NAME – ECR repository name, e.g. myapp (default below: myapp) | ||
| # | ||
| # The IAM role attached to the CodeBuild project must have: | ||
| # ecr:GetAuthorizationToken | ||
| # ecr:BatchCheckLayerAvailability | ||
| # ecr:GetDownloadUrlForLayer | ||
| # ecr:BatchGetImage | ||
| # ecr:PutImage (and related push actions) | ||
| # ───────────────────────────────────────────────────────────────────────────── | ||
|
|
||
| version: 0.2 | ||
|
|
||
| env: | ||
| variables: | ||
| # Override ECR_REPO_NAME in CodeBuild project settings if your repo differs. | ||
| ECR_REPO_NAME: "myapp" | ||
| # SCANNER_IMAGE controls where the scanner comes from. | ||
| # Option A (default): build from source in the current workspace. | ||
| # Option B: pull a pre-published image — comment out the build step in | ||
| # the install phase and set this to e.g.: | ||
| # 123456789012.dkr.ecr.us-east-1.amazonaws.com/docker-scanner:latest | ||
| SCANNER_IMAGE: "docker-scanner:latest" | ||
|
|
||
| phases: | ||
|
|
||
| # ── install ────────────────────────────────────────────────────────────────── | ||
| # Installs build toolchain and the scanner itself. | ||
| # Docker is available in CodeBuild when the project runs in privileged mode | ||
| # (Project settings → Environment → Privileged → Enable this flag). | ||
| install: | ||
| runtime-versions: | ||
| # Go is only needed when building the scanner from source. | ||
| # Remove this block if you pull a pre-built scanner image instead. | ||
| golang: 1.21 | ||
| commands: | ||
| # Confirm Docker daemon is running (requires privileged mode in project settings). | ||
| - echo "==> Verifying Docker is available" | ||
| - docker version | ||
|
|
||
| # ── Option A: build the scanner from source ────────────────────────────── | ||
| # This builds the scanner binary and packages it into a local Docker image. | ||
| - echo "==> Building scanner from source" | ||
| - go build -o /usr/local/bin/docker-scanner ./cmd/scanner | ||
| # Wrap the binary in a minimal image so the scan step uses a consistent | ||
| # container interface (matches the pattern used in other CI examples). | ||
| - docker build -t "$SCANNER_IMAGE" . | ||
|
|
||
| # ── Option B: pull a pre-published scanner image ───────────────────────── | ||
| # Uncomment the lines below and remove Option A above if you prefer to pull | ||
| # a pinned, pre-built image from your own ECR instead of building from source. | ||
| # - SCANNER_REGISTRY="$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com" | ||
| # - aws ecr get-login-password --region "$AWS_DEFAULT_REGION" \ | ||
| # | docker login --username AWS --password-stdin "$SCANNER_REGISTRY" | ||
| # - docker pull "$SCANNER_REGISTRY/docker-scanner:latest" | ||
| # - docker tag "$SCANNER_REGISTRY/docker-scanner:latest" "$SCANNER_IMAGE" | ||
|
|
||
| # ── pre_build ───────────────────────────────────────────────────────────── | ||
| # Authenticates with ECR so subsequent docker push/pull commands succeed. | ||
| # Uses the IAM role attached to the CodeBuild project — no stored passwords. | ||
| pre_build: | ||
| commands: | ||
| - echo "==> Logging in to Amazon ECR" | ||
| # AWS_ACCOUNT_ID must be set as a user-defined env var in project settings. | ||
| # AWS_DEFAULT_REGION is injected automatically by CodeBuild. | ||
| - ECR_REGISTRY="$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com" | ||
| - aws ecr get-login-password --region "$AWS_DEFAULT_REGION" \ | ||
| | docker login --username AWS --password-stdin "$ECR_REGISTRY" | ||
| - echo "==> ECR login succeeded" | ||
|
|
||
| # Compose the full image URI with the commit SHA as the tag. | ||
| # CODEBUILD_RESOLVED_SOURCE_VERSION is a CodeBuild built-in — the full | ||
| # Git commit SHA of the source version being built. | ||
| - IMAGE_URI="$ECR_REGISTRY/$ECR_REPO_NAME:$CODEBUILD_RESOLVED_SOURCE_VERSION" | ||
| # Export IMAGE_URI so it is visible to later phases. | ||
| # CodeBuild does not share shell variables across phases, so we write it | ||
| # to a sourced file (a common CodeBuild pattern). | ||
| - echo "export IMAGE_URI=$IMAGE_URI" >> /tmp/build_env.sh | ||
| - echo "export ECR_REGISTRY=$ECR_REGISTRY" >> /tmp/build_env.sh | ||
| - echo "Image will be tagged as: $IMAGE_URI" | ||
|
|
||
| # ── build ───────────────────────────────────────────────────────────────── | ||
| # Builds the application image and pushes it to ECR. | ||
| build: | ||
| commands: | ||
| - source /tmp/build_env.sh | ||
| - echo "==> Building application image" | ||
| # Replace 'Dockerfile' with a specific path if your Dockerfile is not at | ||
| # the repository root, e.g. --file docker/Dockerfile.prod | ||
| - docker build --tag "$IMAGE_URI" --file Dockerfile . | ||
|
|
||
| - echo "==> Pushing image to ECR" | ||
| - docker push "$IMAGE_URI" | ||
|
|
||
| # Also push a :latest tag for convenience (optional — remove if undesired). | ||
| - LATEST_URI="$ECR_REGISTRY/$ECR_REPO_NAME:latest" | ||
| - docker tag "$IMAGE_URI" "$LATEST_URI" | ||
| - docker push "$LATEST_URI" | ||
|
|
||
| # ── post_build ──────────────────────────────────────────────────────────── | ||
| # Runs the security scan against the image just pushed to ECR. | ||
| # Reports are written to reports/ which is published as a CodeBuild artifact. | ||
| # The scanner exits non-zero when CRITICAL or HIGH findings are found, | ||
| # causing the overall build to fail — adjust --fail-on-severity to your policy. | ||
| post_build: | ||
| commands: | ||
| - source /tmp/build_env.sh | ||
| - echo "==> Creating reports directory" | ||
| - mkdir -p reports | ||
|
|
||
| - echo "==> Running security scan against $IMAGE_URI" | ||
| # --fail-on-severity CRITICAL,HIGH — exit code 1 when any finding at | ||
| # these severities exists, which fails the CodeBuild build. | ||
| # Change to HIGH or remove the flag to adjust your gate. | ||
| # --format sarif,markdown,html,csv — emit all report formats; | ||
| # SARIF can be ingested by AWS Security Hub (see docs/ci/aws-codebuild.md). | ||
| # --check-runtime — include runc/containerd advisory check. | ||
| # --sbom — generate a Software Bill of Materials. | ||
| - docker run --rm \ | ||
| -v /var/run/docker.sock:/var/run/docker.sock \ | ||
| -v "$(pwd)/reports":/reports \ | ||
| "$SCANNER_IMAGE" scan \ | ||
| --image "$IMAGE_URI" \ | ||
| --output-dir /reports \ | ||
| --format sarif,markdown,html,csv \ | ||
| --check-runtime \ | ||
| --sbom \ | ||
| --fail-on-severity CRITICAL,HIGH | ||
| # NOTE: if you want reports to be published even when the scan fails, | ||
| # set the step above to continue on error and gate the build via a | ||
| # subsequent step that checks the SARIF for findings: | ||
| # continueOnError equivalent in CodeBuild: use '|| SCAN_FAILED=1' and | ||
| # then 'exit ${SCAN_FAILED:-0}' after the artifact copy below. | ||
|
|
||
| - echo "==> Scan complete. Reports written to reports/" | ||
| - ls -lh reports/ | ||
|
|
||
| # ── artifacts ───────────────────────────────────────────────────────────────── | ||
| # Publishes everything under reports/ to S3 (configured in CodeBuild project | ||
| # settings under Artifacts → S3 bucket). Reports are then downloadable from | ||
| # the CodeBuild build detail page. | ||
| artifacts: | ||
| files: | ||
| - "reports/**/*" | ||
| name: scan-reports | ||
| # discard-paths: yes # uncomment to flatten the directory structure in S3 |
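Review bot: the severity gate runs after the image has already been published. The `build` phase does `docker push "$IMAGE_URI"` and then tags and pushes `$LATEST_URI`, and only in `post_build` does the scan run with `--fail-on-severity CRITICAL,HIGH`; a failing scan therefore turns the build red but leaves the vulnerable image in ECR, already promoted to `:latest`. Move both `docker push` commands into `post_build` after the scan step succeeds (the image is built locally under the `$IMAGE_URI` tag and the scanner reaches it through the mounted Docker socket), or at minimum defer the `:latest` push until the gate passes. Separately, `runtime-versions: golang: 1.21` is hard-coded here while commit d1b1163 in this PR moves the project to Go 1.25 and the GitHub Actions workflow reads the version from `go.mod`; if `go.mod` now declares 1.25, `go build -o /usr/local/bin/docker-scanner ./cmd/scanner` on this runtime will either auto-download a toolchain or fail, so the buildspec should track the same source of truth. Two documentation points: the header comment lists `AWS_ACCOUNT_ID` under "CodeBuild built-ins" while stating it is not one, so drop it from that list since it is already documented under user-defined variables; and the `-v /var/run/docker.sock:/var/run/docker.sock` mount gives the scanner container full control of the build host's daemon, which is acceptable in a privileged CodeBuild project but deserves a comment so users do not copy the pattern onto a shared runner.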