From dd8e49701c1817ea174061c8731fe5bdbfb73d93 Mon Sep 17 00:00:00 2001 From: Daniel Pacak Date: Sat, 19 Sep 2020 20:34:59 +0200 Subject: [PATCH] feat(find vulnerabilities): Configure HTTP proxy for Trivy (#154) Some people might run their (dev) clusters behind the proxy. It is possible to set the HTTP_PROXY environment variable when using Trivy directly. This commit makes it possible to use Starboard CLI and pass HTTP proxy config to Trivy by setting the trivy.httpProxy configuration parameter before you run the starboard find vulnerabilities command. $ starboard init $ kubectl patch configmap starboard -n starboard \ --type merge \ -p '{"data": {"trivy.httpProxy":"http://your-proxy:9001"}}' $ starboard find vulnerabilities deploy/my-deployment Resolves: #84 Signed-off-by: Daniel Pacak --- README.md | 45 ++++++++++++++++++++--- pkg/find/vulnerabilities/trivy/scanner.go | 45 ++++++++++++++++++----- 2 files changed, 76 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 09ffe72e1..d07af6b3a 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,7 @@ - [From Source (Linux, macOS)](#from-source-linux-macos) - [Getting Started](#getting-started) - [Next Steps](#next-steps) +- [Configuration](#configuration) - [Custom Security Resources Definitions](#custom-security-resources-definitions) - [Starboard CLI](#starboard-cli) - [Troubleshooting](#troubleshooting) 
@@ -99,11 +100,11 @@ scans. It also sends custom security resources definitions to the Kubernetes API
 ```
 $ kubectl api-resources --api-group aquasecurity.github.io
-NAME SHORTNAMES APIGROUP NAMESPACED KIND
-ciskubebenchreports kubebench aquasecurity.github.io false CISKubeBenchReport
-configauditreports configaudit aquasecurity.github.io true ConfigAuditReport
-kubehunterreports kubehunter aquasecurity.github.io false KubeHunterReport
-vulnerabilityreports vulns,vuln aquasecurity.github.io true VulnerabilityReport
+NAME SHORTNAMES APIGROUP NAMESPACED KIND
+ciskubebenchreports kubebench aquasecurity.github.io false CISKubeBenchReport
+configauditreports configaudit aquasecurity.github.io true ConfigAuditReport
+kubehunterreports kubehunter aquasecurity.github.io false KubeHunterReport
+vulnerabilityreports vulns,vuln aquasecurity.github.io true VulnerabilityReport
 ```
 > There's also a `starboard cleanup` subcommand, which can be used to remove all resources created by Starboard.
@@ -197,6 +198,38 @@ vulnerabilities as well as configuration issues that might affect stability, rel To learn more about the available Starboard commands and scanners, such as [kube-bench][aqua-kube-bench] or [kube-hunter][aqua-kube-hunter], use `starboard help`. +## Configuration + +The `starboard init` command creates the `starboard` ConfigMap in the `starboard` namespace, which contains the default +configuration parameters. You can change the default config values with `kubectl patch` or `kubectl edit` commands. + +For example, by default Trivy displays vulnerabilities with all severity levels (`UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`). +However, you can opt in to display only `HIGH` and `CRITICAL` vulnerabilities by patching the `trivy.severity` value +in the `starboard` ConfigMap: + +``` +$ kubectl patch configmap starboard -n starboard \ + --type merge \ + -p '{"data": {"trivy.severity":"HIGH,CRITICAL"}}' +``` + +The following table lists available configuration parameters. + +| CONFIGMAP KEY | DEFAULT | DESCRIPTION | +| --------------------- | ------------------------------------------------------ | ----------- | +| `trivy.httpProxy` | N/A | The HTTP proxy used by Trivy to download the vulnerabilities database from GitHub | +| `trivy.severity` | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | A comma separated list of severity levels reported by Trivy | +| `polaris.config.yaml` | [Check the default value here][default-polaris-config] | Polaris configuration file | + +> **Note:** You can find it handy to delete a configuration key, which was not created by default by the +> `starboard init` command. 
For example, the following `kubectl patch` command deletes the `trivy.httpProxy` key: +> +> ``` +> $ kubectl patch configmap starboard -n starboard \ +> --type json \ +> -p '[{"op": "remove", "path": "/data/trivy.httpProxy"}]' +> ``` + ## Custom Security Resources Definitions This project houses CustomResourceDefinitions (CRDs) related to security and compliance checks along with the code @@ -311,3 +344,5 @@ This repository is available under the [Apache License 2.0][license]. [kubectl-plugins]: https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins [krew]: https://github.com/kubernetes-sigs/krew + +[default-polaris-config]: ./kube/init/starboard-cm.yaml diff --git a/pkg/find/vulnerabilities/trivy/scanner.go b/pkg/find/vulnerabilities/trivy/scanner.go index 7fecbaffd..d58285533 100644 --- a/pkg/find/vulnerabilities/trivy/scanner.go +++ b/pkg/find/vulnerabilities/trivy/scanner.go @@ -139,6 +139,20 @@ func (s *Scanner) PrepareScanJob(_ context.Context, workload kube.Object, spec c Image: trivyImageRef, ImagePullPolicy: core.PullIfNotPresent, TerminationMessagePolicy: core.TerminationMessageFallbackToLogsOnError, + Env: []core.EnvVar{ + { + Name: "HTTP_PROXY", + ValueFrom: &core.EnvVarSource{ + ConfigMapKeyRef: &core.ConfigMapKeySelector{ + LocalObjectReference: core.LocalObjectReference{ + Name: kube.ConfigMapStarboard, + }, + Key: "trivy.httpProxy", + Optional: pointer.BoolPtr(true), + }, + }, + }, + }, Command: []string{ "trivy", }, 
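Review bot: Only `HTTP_PROXY` is exported to this init container, yet the README entry added in the same commit says the proxy exists so Trivy can fetch its vulnerability database from GitHub, which is an https:// endpoint; Go's `http.ProxyFromEnvironment` (which Trivy, being a Go binary, presumably relies on) reads `HTTPS_PROXY` for https URLs and does not fall back to `HTTP_PROXY`, so as written the setting is likely ignored for exactly the download it is meant to cover. Add a sibling entry in the same `Env` slice with `Name: "HTTPS_PROXY",` sourced from the same `trivy.httpProxy` key and the same `Optional: pointer.BoolPtr(true)`, and consider a `trivy.noProxy` key mapped to `NO_PROXY` so in-cluster registries are not routed through the proxy. Because the value is pulled from a ConfigMap, a proxy URL with embedded credentials (`http://user:pass@proxy:9001`) would sit in plaintext config readable by anyone with ConfigMap access in the namespace; the README row should warn to use a Secret-backed value or an unauthenticated proxy in that case. The init container's args are outside this hunk, so whether it actually performs the DB download cannot be confirmed from here.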
@@ -165,18 +179,31 @@ func (s *Scanner) PrepareScanJob(_ context.Context, workload kube.Object, spec c
 var envs []core.EnvVar
- envs = append(envs, core.EnvVar{
- Name: "TRIVY_SEVERITY",
- ValueFrom: &core.EnvVarSource{
- ConfigMapKeyRef: &core.ConfigMapKeySelector{
- LocalObjectReference: core.LocalObjectReference{
- Name: kube.ConfigMapStarboard,
+ envs = append(envs,
+ core.EnvVar{
+ Name: "TRIVY_SEVERITY",
+ ValueFrom: &core.EnvVarSource{
+ ConfigMapKeyRef: &core.ConfigMapKeySelector{
+ LocalObjectReference: core.LocalObjectReference{
+ Name: kube.ConfigMapStarboard,
+ },
+ Key: "trivy.severity",
+ Optional: pointer.BoolPtr(true),
+ },
+ },
+ }, core.EnvVar{
+ Name: "HTTP_PROXY",
+ ValueFrom: &core.EnvVarSource{
+ ConfigMapKeyRef: &core.ConfigMapKeySelector{
+ LocalObjectReference: core.LocalObjectReference{
+ Name: kube.ConfigMapStarboard,
+ },
+ Key: "trivy.httpProxy",
+ Optional: pointer.BoolPtr(true),
 },
- Key: "trivy.severity",
- Optional: pointer.BoolPtr(true),
 },
 },
- })
+ )
 if dockerConfig, ok := credentials[c.Image]; ok {
 registryUsernameKey := fmt.Sprintf("%s.username", c.Name)
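Review bot: The 12-line `ConfigMapKeyRef` literal for `HTTP_PROXY` added here is the fourth copy of the same shape in `PrepareScanJob` (it repeats the `TRIVY_SEVERITY` entry directly above and the two entries in the init container), differing only in `Name` and `Key`; a small helper would make the env wiring readable and keep the two containers from drifting as more keys are added. It would also make it a one-liner to export `HTTPS_PROXY` from the same key, which the scan container presumably needs since registry traffic is https and Go's proxy-from-environment does not apply `HTTP_PROXY` to https URLs. `PrepareScanJob` begins before this hunk and the `credentials` block continues after it, so the helper below would live at package level in this file.

```go
// configMapEnv builds an env var whose value comes from key in the starboard
// ConfigMap; Optional lets the pod start when the key is absent (Kubernetes
// then leaves the variable unset).
func configMapEnv(name, key string) core.EnvVar {
	return core.EnvVar{
		Name: name,
		ValueFrom: &core.EnvVarSource{
			ConfigMapKeyRef: &core.ConfigMapKeySelector{
				LocalObjectReference: core.LocalObjectReference{Name: kube.ConfigMapStarboard},
				Key:                  key,
				Optional:             pointer.BoolPtr(true),
			},
		},
	}
}

// … unchanged: PrepareScanJob up to the envs declaration …
envs = append(envs,
	configMapEnv("TRIVY_SEVERITY", "trivy.severity"),
	configMapEnv("HTTP_PROXY", "trivy.httpProxy"),
	configMapEnv("HTTPS_PROXY", "trivy.httpProxy"),
)
// … unchanged: registry credential handling …
```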