This guide details steps and procedures you can follow to create, launch, and implement you own standalone container scanning solution within the AWS ecosystem. This approach uses a commercial product by Trend Micro called Deep Security Smart Check (DSSC) as a proof-of-concept and provides examples of how integrate with AWS CodePipeline.
High level overview of the pipeline architecture.
- AWS CloudFormation
- AWS ECR
- AWS EKS
- AWS ApiGateway
- AWS Lambda
- AWS Parameter Store
- AWS CodePipeline
- AWS CodeBuild
- AWS CloudWatch
This application requires a few steps that must be executed as specified. Please refer to the prerequisites section prior to running any commands contained in this article to ensure you have the required packages and software installed.
WARNING: You may incur charges with the use of some of these AWS Services, specifically EKS if you leave your cluster up and running over time.
Ensure that the following are installed or configured on your workstation before deploying DSSC.
- Git
- Docker
- AWS CLI
- eksctl
- helm
- Make
- jq
- Clone this repository
- Install and configure AWS CLI
- Install and configure eksctl
- Install and configure helm
DSSC requires a Kubernetes cluster to run on so we’ll be using AWS EKS.
make deploy-cluster
This can take upwards of 15 minutes to create.
This command uses eksctl to create the cluster and two unmanaged nodes in preparation for the DSSC deployment.
Deploy DSSC to the EKS cluster created previously. Once deployed, the default password
will be changed to allow API access.
make deploy-dssc
This command uses helm to deploy DSSC to the cluster. Detailed instructions are located at https://github.com/deep-security/smartcheck-helm.
There will be instructions output to the console on where and how to login to the DSSC administrative UI but it is not required for this example.
This command will create four AWS Parameter Store variables, all prefixed with /pipeline/example/trendmicro/dssc
.
- username - The DSSC username.
- password - The newly changed DSSC password.
- url - The URL for UI/API access.
- secret - The secret phrase used to sign the X-Scan-Events-Signature header.
We need an image repository to store our sample application image. We will be using AWS ECR.
make deploy-ecr
This command will create an AWS ECR image repository. This repository is used to house the sample app image which DSSC will use when a scan is initiated.
We need an image to scan so a sample has been provided. To build and push it to the ECR repository we just created, run the following.
make build-and-push-docker-image
This will build a docker image using the application located in ./sample_app
and push it to the ECR repository created previously.
DSSC supports webhooks, which is a way for DSSC to communicate with other processes when certain events occur, like when a scan completes. Leveraging a webhook is how we will integrate DSSC into our CI/CD pipeline. This means we need something for DSSC to call when scans are complete, so we will create a webhook for DSSC to call.
make deploy-webhook
This command creates an AWS ApiGateway, AWS Lambda, and an AWS SSM parameter storing the URL to access it.
The lambda code is in cloudformation/webhook.yaml
. This code takes the incoming JSON posted to it from DSSC and simply looks at the critical
and high
errors counts in the JSON. The code then approves or rejects the Approve Deployment
pipeline action. The code also checks the X-Scan-Event-Signature (using the DSSC Secret that was created with the deploy-dssc command) header to determine if the call is a valid one from DSSC. A 401 is returned if the signature is invalid. Refer to Securing Web Hooks for more information.
Now we are ready to create the Pipeline.
make deploy-pipeline
This command creates an AWS CodePipeline pipeline and an AWS CloudWatch event rule. The event rule will trigger the pipeline when new images are pushed to the ECR.
This pipeline has four stages
- Source: Triggered by a new image uploaded to ECR and tagged ‘latest’.
- Build: Calls DSSC API to initiate a new scan using the new image in ECR.
- Approve Deployment: A manual approval step that is automatically set to Approve/Rejected by the DSSC scan.
- Deployment: A mock deployment of the image.
The pipeline will trigger automatically upon creation. Now move on to the Verification [#Verfication] section.
We have deployed everything and created our pipeline. Now, let’s check the status. This command displays the status of the different stages in the pipeline.
make get-pipeline-status
Console output:
=== Getting trend-mirco-dssc-pipeline Status ===
-------------------------------------
| GetPipelineState |
+--------------------+--------------+
| Source | Succeeded |
| Build | InProgress |
| ApproveDeployment | None |
| Deploy | None |
+--------------------+--------------+
Once the pipeline stage ApproveDeployment
is Succeeded or Failed run the following command to get a description of the results.
make get-pipeline-stage-result
Console output:
=== Getting trend-mirco-dssc-pipeline stage 'ApproveDeployment' Summary ===
There are 3 critical issues and 22 high issues detected. Full results available at https://blah.us-east-1.elb.amazonaws.com/scans/aaf52a3d-d759-434a-a1c3-1de696197212
You can also check the scan status in DSSC at any time. This command accesses DSSC via the API and retrieves the scan status.
make get-scan-status
Console output:
=== Getting DSSC Scan Status ===
aaf52a3d-d759-434a-a1c3-1de696197212: in-progress
The output is scan_id: status
.
The scan is complete when it shows a status of ‘complete-with-findings’ in this example. You can view the full results by running the following:
make get-scan-result
Built into the Lambda code, is the ability to adjust the error tolerances for both critical and high errors. We will now relax those settings in order to allow the pipeline to succeed and execute the deployment action.
make adjust-error-tolerance
Now that the error tolerances have been adjusted, retrigger the pipeline.
make retrigger-pipeline
Once the DSSC status make get-scan-status
is showing ‘completed-with-findings’, rerun
make get-pipeline-status
Console output:
=== Getting trend-mirco-dssc-pipeline Status ===
-------------------------------------
| GetPipelineState |
+--------------------+--------------+
| Source | Succeeded |
| Build | Succeeded |
| ApproveDeployment | Succeeded |
| Deploy | InProgress |
+--------------------+--------------+
To view the pipeline stage comments, once again run
make get-pipeline-stage-result
Console output:
=== Getting trend-mirco-dssc-pipeline stage 'ApproveDeployment' Summary ===
Full results available at https://blah.us-east-1.elb.amazonaws.com/scans/6526820b-f8e8-47ce-b528-9ed7319873b1
Now, let's intentionally introduce a test virus file and see what happens. We have already relaxed the errors above to allow the pipeline to succeed.
WARNING: This could trigger the Antivirus Scanner locally if one is running! Please refer to https://www.eicar.org/?page_id=3950.
make add-eicar-test-malware
This command copies ./eicar/eicar_test_file.com
to ./sample_apps/src/eicar.com
.
Now run make build-and-deploy-docker-image
to build and deploy the image to trigger the pipeline.
Console Output for make get-pipeline-stage-result
should (eventually) resemble:
=== Getting trend-mirco-dssc-pipeline stage 'ApproveDeployment' Summary ===
There are 1 malware issue(s) and 3 critical issue(s) detected. Full results available at https://blah.us-east-1.elb.amazonaws.com/scans/54eeb2a1-3408-4f06-97b4-8fb7211bdef0
Remember to tear everything down to avoid excessive charges in your AWS account.
make teardown
None yet
None yet
MIT Licencse Copyright (c) 2019 Mphasis-Stelligent, Inc. https://stelligent.com