diff --git a/CloudSecurity/AzureDevOps Pipelines - TMAS/README.md b/CloudSecurity/AzureDevOps Pipelines - TMAS/README.md new file mode 100644 index 0000000..b1494c5 --- /dev/null +++ b/CloudSecurity/AzureDevOps Pipelines - TMAS/README.md @@ -0,0 +1,80 @@ +# Vision One Infrastructure as Code Scan Integration with Azure DevOps Pipelines + +This guide explains how to integrate the Trend Micro Artifact Scanner (TMAS) Scan into Azure DevOps Pipelines. + +> For more information about the Vision One platform, you can check the official documentation [here](https://docs.trendmicro.com/en-us/documentation/article/trend-vision-one-artifact-scanner-tmas). + +--- + +## 1. Create an API Key in Vision One + +- Refer to the [API Key Creation Guide](https://docs.trendmicro.com/en-us/documentation/article/trend-vision-one-platform-api-keys). +- For best practices, it is recommended to create a custom role with the following minimum permissions: + +![Permissions Example](../img/artifact_scanner_role.png) + +--- + +## 2. Configure the API Key in Azure DevOps + +- In your Azure DevOps Pipeline, create an environment variable named `TM_API_KEY` and assign it the value of the API Key created in the previous step. +- Make sure to mark the variable as secret. + +![Pipeline Variables](../img/azure_pipeline_variable.png) +![Create Variable](../img/azure_pipeline_create_variable.png) + +--- + +## 3. Add the following code snippet to your pipeline + +```yaml +# Example pipeline snippet + - script: | + tar --version + wget https://cli.artifactscan.cloudone.trendmicro.com/tmas-cli/latest/tmas-cli_Linux_x86_64.tar.gz + displayName: Get Latest Version of TMAS + - task: ExtractFiles@1 + inputs: + archiveFilePatterns: '**/tmas-cli_Linux_x86_64.tar.gz' + destinationFolder: 'tmas-cli' + cleanDestinationFolder: true + overwriteExistingFiles: true + - task: Bash@3 + displayName: Save Docker Image + inputs: + targetType: 'inline' + script: | + docker save $(repository):$(tag) -o image.tar + - task: Bash@3 + displayName: "Scan from Registry to Json" + inputs: + targetType: 'inline' + script: ./tmas-cli/tmas scan docker-archive:image.tar -VMS --saveSBOM > result.json + env: + TMAS_API_KEY: $(TMAS_API_KEY) +``` + +## 4. Save and run your pipeline +## 5. The scan results can be reviewed in directly in Vision One +## 6. [Optional] if you want create a Report in Excel format, you can use the following code snippet: + +```yaml + - script: | + git clone https://github.com/XeniaP/CS-ArtifactScanner-Report.git + pip install -r ./CS-ArtifactScanner-Report/requirements.txt + python ./CS-ArtifactScanner-Report/export_report_tmas.py $(imageName) --resultFile ./result.json + FILE=$(ls *.xlsx | head -n 1) + echo "##vso[task.setvariable variable=excelFileName]$FILE" + displayName: Create Excel Report with Vulnerabilities + - task: PublishPipelineArtifact@1 + inputs: + targetPath: '$(System.DefaultWorkingDirectory)/$(excelFileName)' + publishLocation: 'pipeline' +``` + +## 🤝 Contributing + +Contributions are welcome! +If you encounter any issues, bugs, or have suggestions for improvements, please feel free to [open an issue](https://github.com/xeniap/TM_CodeSecurity_CI_Integration/issues). + +We appreciate your feedback and collaboration to make this integration better for everyone. diff --git a/CloudSecurity/AzureDevOps Pipelines - TMAS/azure-pipelines.yml b/CloudSecurity/AzureDevOps Pipelines - TMAS/azure-pipelines.yml new file mode 100644 index 0000000..d95693a --- /dev/null +++ b/CloudSecurity/AzureDevOps Pipelines - TMAS/azure-pipelines.yml @@ -0,0 +1,49 @@ +trigger: +- main + +resources: +- repo: self + +variables: + repository: '' # Set this to your Docker repository, e.g., 'mydockerhub/myimage' + tag: '$(Build.BuildId)' + imageName: '' # Set this to your image name, e.g., 'myimage' + +stages: +- stage: Build + displayName: Build image + jobs: + - job: Build + displayName: Build + pool: + vmImage: ubuntu-latest + steps: + - task: Docker@2 + inputs: + containerRegistry: 'dockerhub' + repository: $(repository) + command: 'buildAndPush' + Dockerfile: '**/Dockerfile' + - script: | + tar --version + wget https://cli.artifactscan.cloudone.trendmicro.com/tmas-cli/latest/tmas-cli_Linux_x86_64.tar.gz + displayName: Get Latest Version of TMAS + - task: ExtractFiles@1 + inputs: + archiveFilePatterns: '**/tmas-cli_Linux_x86_64.tar.gz' + destinationFolder: 'tmas-cli' + cleanDestinationFolder: true + overwriteExistingFiles: true + - task: Bash@3 + displayName: Save Docker Image + inputs: + targetType: 'inline' + script: | + docker save $(repository):$(tag) -o image.tar + - task: Bash@3 + displayName: "Scan from Registry to Json" + inputs: + targetType: 'inline' + script: ./tmas-cli/tmas scan docker-archive:image.tar -VMS --saveSBOM > result.json + env: + TMAS_API_KEY: $(TMAS_API_KEY) \ No newline at end of file diff --git a/CloudSecurity/img/artifact_scanner_role.png b/CloudSecurity/img/artifact_scanner_role.png new file mode 100644 index 0000000..4ff0467 Binary files /dev/null and b/CloudSecurity/img/artifact_scanner_role.png differ diff --git a/CloudSecurity/img/azure_pipeline_create_variable.png b/CloudSecurity/img/azure_pipeline_create_variable.png new file mode 100644 index 0000000..f31a66a Binary files /dev/null and b/CloudSecurity/img/azure_pipeline_create_variable.png differ diff --git a/CloudSecurity/img/azure_pipeline_variable.png b/CloudSecurity/img/azure_pipeline_variable.png new file mode 100644 index 0000000..940df66 Binary files /dev/null and b/CloudSecurity/img/azure_pipeline_variable.png differ diff --git a/CloudSecurity/img/iac_scan_results.png b/CloudSecurity/img/iac_scan_results.png new file mode 100644 index 0000000..4e18cb7 Binary files /dev/null and b/CloudSecurity/img/iac_scan_results.png differ diff --git a/CloudSecurity/img/template_scanner_role.png b/CloudSecurity/img/template_scanner_role.png new file mode 100644 index 0000000..3a8f0ce Binary files /dev/null and b/CloudSecurity/img/template_scanner_role.png differ