aactl

module

v0.4.12 Latest Latest Go to latest Published: Jun 7, 2023 License: Apache-2.0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/GoogleCloudPlatform/aactl

Links

Open Source Insights

README ¶

aactl

Google Container Analysis (AA) service data import utility, supports OSS vulnerability scanner reports, SLSA provenance, and sigstore attestations.

Installation instruction with support for Go, Homebrew, RHEL/CentOS, Debian/Ubuntu, and Binary are available here.

Usage

aactl supports imports of two data types: vulnerability and attestation.

In addition to CLI, aactl can also be used in your CI/CD pipeline as a Google Cloud Build builder (example) or GitHub Actions action (examples).

Vulnerability

To import vulnerabilities output by either grype, snyk, trivy scanners, start by exporting the report in JSON format:

grype

grype --add-cpes-if-none -s AllLayers -o json --file report.json $image
snyk

snyk container test --app-vulns --json-file-output=report.json $image
trivy

trivy image --format json --output report.json $image

Once you have the vulnerability file, importing that file into AA using aactl:

aactl vulnerability --project $project \
                    --source $image \
                    --file report.json

The $image variable in the above example is the fully qualified URI of the image including its digest (e.g. us-docker.pkg.dev/project/repo/image@sha256:397d453...).

To review the imported vulnerabilities in GCP:

gcloud artifacts docker images list $repo \
  --show-occurrences \
  --format json \
  --occurrence-filter "kind=\"VULNERABILITY\" AND resource_url=\"https://$image\""

You can also navigate to Artifact Registry to view the vulnerabilities there.

Attestation

In addition to vulnerabilities, aactl can also import sigstore attestations:

aactl attestation --project $project --source $image

The $image variable in the above example is the fully qualified URI of the image including its digest (e.g. us-docker.pkg.dev/project/repo/image@sha256:397d453...).

The imported data can be accessed using gcloud:

gcloud artifacts docker images describe $image --show-provenance --format json

The resulting JSON will look something like this:

The data can also be viewed in Software Delivery Shield side panel:

SLSA level is currently not parsed properly, WIP.

Contributing

Entirely new samples are not accepted. Bug fixes are welcome, either as pull requests or as GitHub issues.

See CONTRIBUTING.md for details on how to contribute.

Licensing

Code in this repository is licensed under the Apache 2.0. See LICENSE.

Directories ¶

Path	Synopsis
cmd
aactl
aactl/cli
pkg
attestation
attestation/convert
attestation/convert/provenance02
container
dsse
provenance
types
utils
vul
vul/convert
vul/convert/grype
vul/convert/snyk
vul/convert/trivy

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL