telia-oss
diff --git a/‎.gitignore
+14 b/‎.gitignore
+14
diff --git a/‎.pre-commit-config.yaml
+9 b/‎.pre-commit-config.yaml
+9
diff --git a/‎LICENSE
+21 b/‎LICENSE
+21
diff --git a/‎README.md
+28 b/‎README.md
+28
diff --git a/‎lambdas_code/scan_notify/__init__.py b/‎lambdas_code/scan_notify/__init__.py
diff --git a/‎lambdas_code/scan_notify/lambda_function.py
+162 b/‎lambdas_code/scan_notify/lambda_function.py
+162
diff --git a/‎lambdas_code/scan_trigger/lambda_function.py
+77 b/‎lambdas_code/scan_trigger/lambda_function.py
+77
@@ -0,0 +1,14 @@
+#  Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+*.zip
+
+# .tfvars files
+*.tfvars
+
+# IDE
+.idea/
@@ -0,0 +1,9 @@
+repos:
+- repo: git://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.7.3
+  hooks:
+    - id: terraform_fmt
+- repo: git://github.com/pre-commit/pre-commit-hooks
+  rev: v1.3.0
+  hooks:
+    - id: check-merge-conflict
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 Telia Company
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
@@ -0,0 +1,28 @@
+# AWS ECR Vulnerability Scaning Terraform module
+================================================
+
+The module will trigger vulnerability scanning on all images in account ECR and will report the results to Slack channel.
+
+## Architecture
+
+The module will deploy CloudWatch rule to shcedule the scan, Step Function to orchestrate the lamgdas, and two lambda functions. One for triggering the scan and second to read the results and report the outcame.
+
+## Basic usage
+
+```
+module "ecr-regular-scanning" {
+  source = "<module path>"
+
+  slack_channel = "<slack_channel_name>"
+  slack_webhook_url = "<slack_webhook>"
+
+}
+```
+
+You can set the levels of vulnerability, you want to get notified by changing risk_levels variable.
+
+Default value is: "HIGH, CRITICAL"
+
+You can get alarms for the following levels: HIGH, MEDIUM, INFORMATIONAL, LOW, CRITICAL, UNDEFINED.
+
+
@@ -0,0 +1,162 @@
+import os, boto3, json
+import urllib.request, urllib.parse
+from urllib.error import HTTPError
+import logging
+
+from botocore.exceptions import ClientError
+
+client = boto3.client('ecr')
+logger = logging.getLogger()
+
+
+def get_all_image_data(repository):
+    """
+    Gets a list of dicts with Image tags and latest scan results.
+
+    :param repository:
+    :return: [{'imageTags': ['1.0.70'], 'imageScanStatus': {'HIGH': 21, 'MEDIUM': 127, 'INFORMATIONAL': 115, }}]
+    """
+    images = []
+    levels = os.environ['RISK_LEVELS']
+
+    try:
+        response = client.describe_images(repositoryName=repository, filter={
+            'tagStatus': 'TAGGED'
+        })['imageDetails']
+    except ClientError as c:
+        logger.error("Failed to get result from describe images with, client error: {}".format(c))
+        return []
+
+    for image in response:
+        image_data = {}
+        try:
+            image_data['imageTags'] = image['imageTags']
+        except KeyError:
+            image_data['imageTags'] = 'IMAGE UNTAGGED'
+        try:
+            image_data['imageScanStatus'] = image['imageScanFindingsSummary']['findingSeverityCounts']
+        except KeyError:
+            logger.error('FAILED TO RETRIEVE LATEST SCAN STATUS for image {}'.format(image_data['imageTags']))
+            continue
+
+        if len(levels) > 0:
+            image_data['imageScanStatus'] = {key: value for key, value in image_data['imageScanStatus'].items() if key in levels}
+
+        if len(image_data['imageScanStatus']) > 0:
+            images.append(image_data)
+
+    return images
+
+
+def get_all_repositories():
+    """
+    Gets a list of ECR repository string names.
+    :return: ['repository1', 'repository2', 'repository3']
+    """
+    repositories = []
+    response = client.describe_repositories()['repositories']
+    for repository in response:
+        repositories.append(repository['repositoryName'])
+    return repositories
+
+
+def get_scan_results():
+    repositories = get_all_repositories()
+    all_images = {}
+    for repository in repositories:
+        all_images[repository] = get_all_image_data(repository)
+    return all_images
+
+
+def convert_scan_dict_to_string(scan_dict):
+    """
+    converts parsed ImageScanStatus dictionary to string.
+    :param scan_dict:  {'HIGH': 64, 'MEDIUM': 269, 'INFORMATIONAL': 157, 'LOW': 127, 'CRITICAL': 17, 'UNDEFINED': 6}
+    :return: HIGH 64, MEDIUM 269, INFORMATIONAL 157, LOW 127, CRITICAL 17, UNDEFINED 6
+    """
+    result = ''
+
+    if not scan_dict:
+        return result
+    try:
+        for key, value in scan_dict.items():
+            result = result + key + " " + str(value) + ", "
+    except AttributeError:
+        return "Failed to retrieve repository scan results"
+
+    return result[:len(result)-2]
+
+
+def convert_image_scan_status(repository_scan_results):
+    repository_scan_block_list = []
+    for image in sorted(repository_scan_results, key=lambda imageScanResult: imageScanResult['imageTags'][0],
+                        reverse=True):
+        image_block = dict()
+        image_block["image"] = image['imageTags'][0]
+        image_block["vulnerabilities"] = convert_scan_dict_to_string((image['imageScanStatus']))
+        repository_scan_block_list.append(image_block)
+    return repository_scan_block_list
+
+
+def create_image_scan_slack_block(repository, repository_scan_block_list):
+
+    blocks = []
+
+    # Generate slack messages for image scan results.
+    for image in repository_scan_block_list:
+        blocks.append(
+            {
+                "type": "section",
+                "text": {
+                    "type": "mrkdwn",
+                    "text": "*`{}:{}`* vulnerabilities: {}".format(repository, image['image'], image['vulnerabilities'])
+                }
+            }
+        )
+    return blocks
+
+
+# Send a message to a slack channel
+def notify_slack(slack_block):
+    slack_url = os.environ['SLACK_WEBHOOK_URL']
+    slack_channel = os.environ['SLACK_CHANNEL']
+    slack_username = os.environ['SLACK_USERNAME']
+    slack_emoji = os.environ['SLACK_EMOJI']
+
+    payload = {
+        "channel": slack_channel,
+        "username": slack_username,
+        "icon_emoji": slack_emoji,
+        "blocks": slack_block
+    }
+
+    data = urllib.parse.urlencode({"payload": json.dumps(payload)}).encode("utf-8")
+    req = urllib.request.Request(slack_url)
+
+    try:
+        result = urllib.request.urlopen(req, data)
+        return json.dumps({"code": result.getcode(), "info": result.info().as_string()})
+
+    except HTTPError as e:
+        logging.error("{}: result".format(e))
+        return json.dumps({"code": e.getcode(), "info": e.info().as_string()})
+
+
+def lambda_handler(event, context):
+
+    scan_results = get_scan_results()
+
+    for repository, values in scan_results.items():
+        if len(values) > 0:
+            repository_scan_results = convert_image_scan_status(values)
+            slack_block = create_image_scan_slack_block(repository, repository_scan_results)
+        else:
+            continue
+
+        if len(slack_block) > 0:
+            try:
+                response = notify_slack(slack_block=slack_block)
+                if json.loads(response)["code"] != 200:
+                    logger.error("Error: received status {} for slack_block {}".format(json.loads(response)["info"], slack_block))
+            except Exception as e:
+                logger.error(msg=e)
@@ -0,0 +1,77 @@
+import boto3
+import logging
+
+from botocore.exceptions import ClientError
+
+
+client = boto3.client('ecr')
+logger = logging.getLogger()
+
+
+def get_all_images(repository):
+    """
+    Return a list of images for specified repository.
+    :param repository:
+    :return: ['1.0.1', '1.0.2', '1.0.3']
+    """
+    images = []
+    try:
+        response = client.describe_images(repositoryName=repository)['imageDetails']
+    except ClientError as c:
+        logger.error("Failed to get images for repository {} with error: ".format(repository, c))
+        return []
+    for image in response:
+        images.append(image['imageDigest'])
+    return images
+
+
+def get_all_repositories():
+    """
+    Returns a list with ECR repository names
+    :return: ['repo1', 'repo2', 'repo3']
+    """
+    repositories = []
+    try:
+        response = client.describe_repositories()
+    except ClientError as c:
+        logger.error("Failed to retrieve ECR repositories with the following error: {}: ".format(c))
+        return
+
+    try:
+        repository_names = response['repositories']
+    except KeyError:
+        logger.error("Response did not return any repository names")
+        return
+
+    for repository in repository_names:
+        repositories.append(repository['repositoryName'])
+    return repositories
+
+
+def get_repository_image_dict():
+    """
+    Returns a dict with repository and a list of images that it has.
+    :return: {'repo1': ['1.0.1', '1.0.2', '1.0.3'], 'repo2': ['2.2.1', '2.2.2']}
+    """
+    repositories = get_all_repositories()
+    all_images = {}
+    for repository in repositories:
+        all_images[repository] = get_all_images(repository)
+    return all_images
+
+
+def run_image_scan(repository, image):
+    try:
+        client.start_image_scan(repositoryName=repository,imageId={'imageDigest': image})
+    except ClientError as c:
+        logger.error("Got error: {}, when running image scan on repository: {}, image: {}".format(c, repository, image))
+
+
+def lambda_handler(event, context):
+
+    repository_image_dict = get_repository_image_dict()
+
+    for repository in repository_image_dict:
+        for image in repository_image_dict[repository]:
+            run_image_scan(repository, image)
+