Merge pull request #431 from kubero-dev/fix/vulnerability-scan

mms-gianni · web-flow · commit c7cb87925270 · 2024-10-07T15:05:36.000+02:00
fix vulnerability scans
diff --git a/server/src/kubero.ts b/server/src/kubero.ts
@@ -1263,10 +1263,15 @@ export class Kubero {
             } else {
                 debug.log('no git repo found to run scan');
             }
+        } else if (app?.spec?.deploymentstrategy === 'git' && app?.spec?.buildstrategy != 'plain') {
+            if (contextName) {
+                this.kubectl.setCurrentContext(contextName);
+                this.kubectl.createScanImageJob(namespace, appName, app.spec.image.repository, app.spec.image.tag, true);
+            }
         } else {
             if (contextName) {
                 this.kubectl.setCurrentContext(contextName);
-                this.kubectl.createScanImageJob(namespace, appName, app.spec.image.repository, app.spec.image.tag);
+                this.kubectl.createScanImageJob(namespace, appName, app.spec.image.repository, app.spec.image.tag, false);
             }
         }
 
diff --git a/server/src/modules/kubectl.ts b/server/src/modules/kubectl.ts
@@ -746,9 +746,9 @@ export class Kubectl {
         }
     }
 
-    public async createScanImageJob(namespace: string, app: string, image: string, tag: string): Promise<any> {
+    public async createScanImageJob(namespace: string, app: string, image: string, tag: string, withCredentials: boolean): Promise<any> {
         await this.deleteScanJob(namespace, app+'-kuberoapp-vuln');
-        const job = {
+        let job = {
             apiVersion: 'batch/v1',
             kind: 'Job',
             metadata: {
@@ -788,34 +788,39 @@ export class Kubectl {
                                     "--exit-code",
                                     "0"
                                 ],
-                                env: [
-                                    {
-                                        name: 'TRIVY_USERNAME',
-                                        valueFrom: {
-                                            secretKeyRef: {
-                                                name: 'registry-credentials',
-                                                key: 'username',
-                                                optional: true
-                                            }
-                                        }
-                                    },
-                                    {
-                                        name: 'TRIVY_PASSWORD',
-                                        valueFrom: {
-                                            secretKeyRef: {
-                                                name: 'registry-credentials',
-                                                key: 'password',
-                                                optional: true
-                                            }
-                                        }
-                                    }
-                                ],
+                                env: [] as { name: string; valueFrom: { secretKeyRef: { name: string; key: string; optional: true; }; }; }[],
                             }
                         ]
                     }
                 }
             }
         };
+
+        if (withCredentials) {
+            job.spec.template.spec.containers[0].env = [
+                {
+                    name: 'TRIVY_USERNAME',
+                    valueFrom: {
+                        secretKeyRef: {
+                            name: 'registry-credentials',
+                            key: 'username',
+                            optional: true
+                        }
+                    }
+                },
+                {
+                    name: 'TRIVY_PASSWORD',
+                    valueFrom: {
+                        secretKeyRef: {
+                            name: 'registry-credentials',
+                            key: 'password',
+                            optional: true
+                        }
+                    }
+                }
+            ]
+        }
+        
         try {
             return await this.batchV1Api.createNamespacedJob(namespace, job);
         } catch (error) {

Original file line number	Diff line number	Diff line change
`@@ -1263,10 +1263,15 @@ export class Kubero {`
`1263`	`1263`	`} else {`
`1264`	`1264`	`debug.log('no git repo found to run scan');`
`1265`	`1265`	`}`
	`1266`	`+ } else if (app?.spec?.deploymentstrategy === 'git' && app?.spec?.buildstrategy != 'plain') {`
	`1267`	`+ if (contextName) {`
	`1268`	`+ this.kubectl.setCurrentContext(contextName);`
	`1269`	`+ this.kubectl.createScanImageJob(namespace, appName, app.spec.image.repository, app.spec.image.tag, true);`
	`1270`	`+ }`
`1266`	`1271`	`} else {`
`1267`	`1272`	`if (contextName) {`
`1268`	`1273`	`this.kubectl.setCurrentContext(contextName);`
`1269`		`- this.kubectl.createScanImageJob(namespace, appName, app.spec.image.repository, app.spec.image.tag);`
	`1274`	`+ this.kubectl.createScanImageJob(namespace, appName, app.spec.image.repository, app.spec.image.tag, false);`
`1270`	`1275`	`}`
`1271`	`1276`	`}`
`1272`	`1277`