AWS CodeBuild example (#21)

shawnjohnson · web-flow · commit 3539982dd34c · 2022-05-16T23:18:24.000+02:00
* Example AWS CodeBuilld spec
diff --git a/new-scan-engine/aws-codebuild/README.md b/new-scan-engine/aws-codebuild/README.md
@@ -0,0 +1,3 @@
+# AWS CodeBuild Image Build and Scan example
+
+The example shows how you can use [AWS CodeBuild](https://docs.aws.amazon.com/codebuild/latest/userguide/getting-started-overview.html) to build a Docker image, then scan the image for vulnerabilities using the new Sysdig Scan Engine CLI. The build will fail if the policy evaluation fails. You can specify the `SECURE_API_TOKEN` and `SYSDIG_API_ENDPOINT` in the buildspec, however best practice would be to externalize the values in an external store as explained [here](https://docs.aws.amazon.com/codebuild/latest/userguide/create-project-console.html#create-project-console-environment).
diff --git a/new-scan-engine/aws-codebuild/build.yaml b/new-scan-engine/aws-codebuild/build.yaml
@@ -0,0 +1,34 @@
+# AWS CodeBuild example with New Sysdig Scan Engine
+# Scans image for vulnerabilities; If policy evaluation fails, then build fails
+# Must configure required 
+version: 0.2
+
+env:
+  variables:
+    # Customers should configure this variable using paramater-store or secrets-manager
+    SECURE_API_TOKEN: <your API token>
+    SYSDIG_API_ENDPOINT: <Sysdig API endpoint for your region>
+
+phases:
+  install:
+    commands:
+      # Download most recent version of Sysdig CLI Scanner
+      - curl -LO https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner
+      - chmod +x ./sysdig-cli-scanner
+  pre_build:
+    commands:
+      # Build a simple NGINX image with an index file added
+      - curl -LO https://raw.githubusercontent.com/nginxinc/NGINX-Demos/master/nginx-hello/index.html
+      - |
+        cat > Dockerfile << EOF
+        FROM public.ecr.aws/nginx/nginx
+        COPY index.html /usr/share/nginx/html
+        EOF
+
+  build:
+    commands:
+      - docker build -t nginx-hello:hello1 .
+  post_build:
+    commands:
+      - pwd
+      - ./sysdig-cli-scanner --apiurl $SYSDIG_API_ENDPOINT nginx-hello:hello1

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# AWS CodeBuild Image Build and Scan example`
	`2`	`+`
	`3`	+The example shows how you can use [AWS CodeBuild](https://docs.aws.amazon.com/codebuild/latest/userguide/getting-started-overview.html) to build a Docker image, then scan the image for vulnerabilities using the new Sysdig Scan Engine CLI. The build will fail if the policy evaluation fails. You can specify the `SECURE_API_TOKEN` and `SYSDIG_API_ENDPOINT` in the buildspec, however best practice would be to externalize the values in an external store as explained [here](https://docs.aws.amazon.com/codebuild/latest/userguide/create-project-console.html#create-project-console-environment).