
JFrog Xray integration

Open matifali opened this issue 2 years ago • 1 comments

Context

Coder recently published a guide on how to integrate with JFrog Xray to scan workspace images. That guide uses the coder-xray utility, which can be deployed to scan all workspaces in a given K8s namespace. This works great but has limitations.

  • Only works for K8s-based workspaces
  • Requires deploying coder-xray as a service

Suggested solution

Coder makes use of terraform as the provisioner to create workspaces. This gives Coder flexibility to provide a range of computing, storage, and network resources for any platform with a terraform provider. While researching, I came across xray-terraform-provider which can be used to fetch the xray-scan results of an artifact. (Thanks to @alexhung for adding this feature.)

This has the added benefit of enabling the integration of all types of workspaces where the image is being sourced from JFrog Artifactory. (See this guide on enabling Artifactory integration.)

The result can then be displayed as a coder_metadata resource on the workspace page.

provider "xray" {
  url           = "https://jfrt.cdr.dev/xray"
  access_token  = "TOKEN" # placeholder; in a real template pass this via a sensitive variable
  check_license = false
}

# Fetches the Xray scan summary for the image stored in Artifactory
data "xray_artifacts_scan" "image_scan" {
  repo      = "docker-local"
  repo_path = "/codercom/enterprise-base:local"
}

locals {
  vulnerabilities = data.xray_artifacts_scan.image_scan.results[0].sec_issues
}

resource "coder_metadata" "workspace_info" {
  count       = data.coder_workspace.me.start_count
  resource_id = "WORKSPACE_RESOURCE_ID" # placeholder: id of the workspace compute resource
  item {
    key   = "Critical"
    value = local.vulnerabilities.critical
  }
  item {
    key   = "High"
    value = local.vulnerabilities.high
  }
  item {
    key   = "Medium"
    value = local.vulnerabilities.medium
  }
  item {
    key   = "Low"
    value = local.vulnerabilities.low
  }
}

Which renders as: [image]

TODO

  • [ ] xray-integration(docs): update the guide to recommend this terraform method instead of using coder-xray
  • [ ] coder/modules#244
  • [ ] #12839

matifali avatar Apr 01 '24 20:04 matifali

Optionally, a module can also be published that adds the metadata to any workspace given the image repo, name, and xray-url.

module "coder-xray" {
  source     = "registry.coder.com/modules/coder-xray/coder"
  version    = "x.x.x"
  agent_id   = coder_agent.example.id
  xray_url   = "https://example.jfrog.io"
  xray_token = "TOKEN"
  image      = "docker-local/codercom/enterprise-base:latest"
}

matifali avatar Apr 01 '24 20:04 matifali
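The following is an added example and not code from this issue or from the Coder project. It combines the data-source approach from the opening post with the single-`image` input of the proposed module: the token comes from a variable marked `sensitive` rather than a literal, the `repo`/`repo_path` pair is derived from one image reference using the split the issue shows (`docker-local` + `/codercom/enterprise-base:latest`), an empty scan result fails the plan instead of rendering zeros, and a `max_critical` threshold stops a workspace from starting on an image with too many critical findings. The `jfrog/xray` provider and its `xray_artifacts_scan` data source are used as in the issue; the variable names, the threshold, the `WORKSPACE_RESOURCE_ID` placeholder and the `sec_issues` field names beyond those shown above are assumptions.

```hcl
# Added example, not code from the issue or from Coder. Assumes the jfrog/xray
# provider and its xray_artifacts_scan data source as used in the issue, and the
# repo/repo_path split shown there; variable names and the threshold are mine.
terraform {
  required_providers {
    coder = { source = "coder/coder" }
    xray  = { source = "jfrog/xray" }
  }
}

variable "xray_url" {
  type        = string
  description = "Xray API base URL, e.g. https://example.jfrog.io/xray"
}

variable "xray_token" {
  type        = string
  sensitive   = true # redacted from plan output and from diffs shown in logs
  description = "Xray access token; pass via TF_VAR_xray_token, never as a literal"
}

variable "image" {
  type        = string
  default     = "docker-local/codercom/enterprise-base:latest"
  description = "Artifactory repo, then the image path and tag"
}

variable "max_critical" {
  type        = number
  default     = 0
  description = "Build fails when the image has more critical findings than this"
}

locals {
  # "docker-local/codercom/enterprise-base:latest" ->
  #   repo = "docker-local", repo_path = "/codercom/enterprise-base:latest"
  image_parts = split("/", var.image)
  repo        = local.image_parts[0]
  repo_path   = "/${join("/", slice(local.image_parts, 1, length(local.image_parts)))}"
}

provider "xray" {
  url           = var.xray_url
  access_token  = var.xray_token
  check_license = false
}

data "coder_workspace" "me" {}

data "xray_artifacts_scan" "image_scan" {
  repo      = local.repo
  repo_path = local.repo_path

  lifecycle {
    # No results usually means the image was never indexed or the path filter
    # is wrong; fail loudly instead of rendering zeros that look like "clean".
    postcondition {
      condition     = length(self.results) > 0
      error_message = "Xray returned no scan results for ${var.image}; check repo/repo_path and that the image is indexed."
    }
  }
}

locals {
  vulnerabilities = data.xray_artifacts_scan.image_scan.results[0].sec_issues
}

resource "coder_metadata" "image_scan" {
  count       = data.coder_workspace.me.start_count
  resource_id = "WORKSPACE_RESOURCE_ID" # placeholder: id of the compute resource

  lifecycle {
    # Gate the start on the scan. In a real template put this precondition on
    # the compute resource; it sits here only to keep the snippet self-contained.
    precondition {
      condition     = local.vulnerabilities.critical <= var.max_critical
      error_message = "Image ${var.image} has ${local.vulnerabilities.critical} critical findings (limit ${var.max_critical}); rebuild the image before starting the workspace."
    }
  }

  item {
    key   = "Critical"
    value = tostring(local.vulnerabilities.critical)
  }
  item {
    key   = "High"
    value = tostring(local.vulnerabilities.high)
  }
  item {
    key   = "Scanned image"
    value = var.image
  }
}
```

Because `count` follows `start_count`, the precondition is only evaluated on start builds, so a workspace can still be stopped or deleted when its image no longer passes the threshold. The Medium and Low items from the original snippet can be added in the same way.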

Will reopen as we get more requests for this

bpmct avatar May 31 '24 14:05 bpmct