Added Grype and Syft Docker, fixed cdk-nag

Author: dbbegimh

README.md

@@ -22,11 +22,15 @@ The security helper supports the following vectors:
     * Git
         * **[git-secrets](https://github.com/awslabs/git-secrets)** - Find api keys, passwords, AWS keys in the code
     * Python
-        * **[bandit](https://github.com/PyCQA/bandit)** - Find common security issues in the code.
+        * **[bandit](https://github.com/PyCQA/bandit)** - finds common security issues in Python code.
+        * **[Grype](https://github.com/anchore/grype)** - finds vulnerabilities scanner for Python code.
+        * **[Syft](https://github.com/anchore/grype)** - generating a Software Bill of Materials (SBOM) for Python code.
     * Jupyter Notebook
-        * **[nbconvert](https://nbconvert.readthedocs.io/en/latest/)** - converts ipynb files into Python executables. Code scan with Bandit.
+        * **[nbconvert](https://nbconvert.readthedocs.io/en/latest/)** - converts Jupyter Notebook (ipynb) files into Python executables. Code scan with Bandit.
     * JavaScript; NodeJS
         * **[npm-audit](https://docs.npmjs.com/cli/v8/commands/npm-audit)** - checks for vulnerabilities in Javascript and NodeJS.
+        * **[Grype](https://github.com/anchore/grype)** - finds vulnerabilities scanner for Javascript and NodeJS.
+        * **[Syft](https://github.com/anchore/grype)** - generating a Software Bill of Materials (SBOM) for Javascript and NodeJS.
 * Infrastructure
     * Teraform; Cloudformation
         *   **[checkov](https://github.com/bridgecrewio/checkov)**

ash

@@ -26,6 +26,7 @@ PY_EXTENSIONS=("py" "pyc" "ipynb")
 INFRA_EXTENSIONS=("yaml" "yml" "tf" "json" "dockerfile")
 CFN_EXTENSIONS=("yaml" "yml" "json")
 JS_EXTENSIONS=("js")
+GRYPE_EXTENSIONS=("js" "py")
 
 # Look for specific files
 CDK_FILENAMES=("cdk.json")
@@ -232,6 +233,7 @@ run_security_check "Dockerfile-yaml" "${INFRA_EXTENSIONS[@]}"
 run_security_check "Dockerfile-js" "${JS_EXTENSIONS[@]}"
 search_file_content "${CFN_EXTENSIONS}" || echo "No CFN files found"
 run_security_check "Dockerfile-cdk" "${CFN_EXTENSIONS[@]}"
+run_security_check "Dockerfile-grype" "${GRYPE_EXTENSIONS[@]}"
 
 # Cleanup any previous file
 rm -f "${OUTPUT_DIR}"/"${AGGREGATED_RESULTS_REPORT_FILENAME}"

helper_dockerfiles/Dockerfile-grype

@@ -0,0 +1,11 @@
+# Get Python Image
+FROM public.ecr.aws/bitnami/python:latest
+
+# Instal prerequisites
+RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin && \
+    curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
+
+WORKDIR /app
+VOLUME /app
+
+CMD bash -C /utils/grype-docker-execute.sh

helper_dockerfiles/Dockerfile-py

@@ -3,10 +3,9 @@ FROM public.ecr.aws/bitnami/python:latest
 
 # Instal prerequisites
 RUN pip install --no-cache-dir --upgrade pip && \
-    pip install --no-cache-dir bandit nbconvert jupyterlab && \
-    curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
+    pip install --no-cache-dir bandit nbconvert jupyterlab
 
 WORKDIR /app
 VOLUME /app
 
-CMD bash -C /utils/py-docker-execute.sh
+CMD bash -C /utils/py-docker-execute.sh

utils/cfn-to-cdk/requirements.txt

@@ -1,3 +1,2 @@
-aws-cdk-lib<3.0.0,>=2.18.0
 constructs>=10.0.0,<11.0.0
 jsii>=1.60.1

utils/grype-docker-execute.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+abs() { # compute the absolute value of the input parameter
+  input=$1
+  if [[ $input -lt 0 ]]; then
+    input=$((-input))
+  fi
+  echo $input
+}
+
+bumprc() { # return the higher absolute value of the inputs
+  output=$1
+  if [[ $2 -ne 0 ]]; then
+    lrc=$(abs $2)
+
+    if [[ $lrc -gt $1 ]]; then
+      output=$lrc
+    fi
+  fi
+  echo $output
+}
+
+RC=0
+
+
+grype dir:. > grype_report_result.txt 2>&1
+SRC=$?
+RC=$(bumprc $RC $SRC)
+
+syft . >> grype_report_result.txt 2>&1
+SRC=$?
+RC=$(bumprc $RC $SRC)
+
+exit $RC

utils/py-docker-execute.sh

@@ -30,9 +30,4 @@ BRC=$?
 RC=$(bumprc $RC $BRC)
 
 
-grype dir:. >> py_report_result.txt 2>&1
-SRC=$?
-RC=$(bumprc $RC $SRC)
-
-
 exit $RC