Merge branch 'main' into ag-server-enhancement

Author: ashwiniag

Dockerfile

@@ -20,8 +20,6 @@ SHELL ["/bin/ash", "-o", "pipefail", "-c"]
 # Install build dependencies
 RUN apk add --no-cache git bash gcc sqlite-dev musl-dev libc-dev
 
-# Set CGO_ENABLED for sqlite3 compatibility
-# ENV CGO_ENABLED=1
 ENV CGO_CFLAGS="-D_LARGEFILE64_SOURCE"
 
 # Set the working directory
@@ -38,48 +36,20 @@ COPY . .
 
 COPY --from=frontend /webapp/dist /app/webapp/dist
 
-# Run the tests
-RUN go test -v ./...
+# Run the tests.CGO is needed for using sqlite3 in tests
+RUN CGO_ENABLED=1 go test -v ./...
 
 # Build the Go binary for amd64
-RUN GOARCH=amd64 go build -o gokakashi
+RUN CGO_ENABLED=0 GOARCH=amd64 go build -o gokakashi
 
 FROM alpine:3.20
 
-# Ensure the build fails on any command failure
-SHELL ["/bin/ash", "-o", "pipefail", "-c"]
-
-# Install Docker CLI and other dependencies
-RUN apk add --no-cache docker-cli curl bash ca-certificates python3
-
-# Install Trivy
-RUN curl -sfL https://github.com/aquasecurity/trivy/releases/download/v0.55.1/trivy_0.55.1_Linux-64bit.tar.gz | tar -xz -C /usr/local/bin
-
-# Install minimal gcloud CLI
-RUN curl -sS -o /tmp/google-cloud-cli.tar.gz https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-494.0.0-linux-x86_64.tar.gz \
-    && tar -xvf /tmp/google-cloud-cli.tar.gz \
-    && ./google-cloud-sdk/install.sh --quiet
-
-# Add gcloud to the PATH
-ENV PATH=$PATH:/google-cloud-sdk/bin
-
 # Set working directory
 WORKDIR /app
 
-RUN mkdir -p /app/website
-
 # Copy the Go binary from the builder stage
 COPY --from=builder /app/gokakashi /app/gokakashi
 
-# Expose ports
-EXPOSE 8080
-EXPOSE 9090
-
-# Set environment variables
-ENV DOCKER_USERNAME="your-dockerhub-username"
-ENV DOCKER_PASSWORD="your-dockerhub-password"
-ENV LINEAR_API_KEY="your-linear-api-key"
-
 # Make sure the binary is executable
 RUN chmod +x /app/gokakashi
 

Readme.md

@@ -1,170 +1,72 @@
-# gokakashi - The Centralized Image Vulnerability Platform 🔍🚀
-
-[![Build](https://github.com/shinobistack/gokakashi/actions/workflows/build.yml/badge.svg)](https://github.com/shinobistack/gokakashi/actions/workflows/build.yml)
-
-🚧 Heavy work in progress 🚧
-
-Make vulnerability management effortless with **gokakashi**! 
-This tool simplifies the process of pulling, scanning, reporting, and notifying across all your container images. Gone are the days of manually juggling multiple tools and managing disparate processes—**gokakashi** brings everything under one roof.
-
-## Key Features
-1. **Multi-Platform Image Aggregation**
-   Pull images from Dockerhub, ECR, GCR, ACR or private hosted repositories—all in one place!  
-   _Current Support:_ Dockerhub integration. \
-   **Continuously developing** to support more platforms.
-
-2. **Comprehensive Image Scanning**
-   Use gokakashi’s multi-scanner support to detect vulnerabilities in your images.
-   You have the flexibility to scan based on severity levels like CRITICAL or HIGH or both CRITICAL AND HIGH. By default, gokakashi scans all severities.\
-   _Current Support:_ Trivy scanner for detailed vulnerability scans.\
-   **Continuously developing** to support more scanners.
-
-4. **Scheduled Scans with Cron Jobs**
-   Automate your scans with cron jobs. Schedule scans as needed or run them on-demand, eliminating manual work and setting up schedules. 
-
-5. **Custom Notifications & Ticketing**
-   Customize notifications to suit your needs, including where to get notified and control over priority, assignment, due dates etc.\
-   Automatically create and assign issues based on the severity of detected vulnerabilities. gokakashi ensures that new issues are only created when relevant, helping you avoid unnecessary noise.\
-   Meaningful tracking is maintained by creating new issues when key details change, such as Vulnerability (CVE), Severity, Installed Version, or Fixed Version\
-   Here's an example of the information you'll receive in a notification:
-   ```
-       Image: ashwiniag/xxx:v2.36.0
-       
-       Library: libnghttp2-14
-       Vulnerability: CVE-2023-44487
-       Severity: HIGH
-       Status: fixed
-       Installed Version: 1.43.0-1build3
-       Fixed Version: 1.43.0-1ubuntu0.1
-       Title: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
-       More details: https://avd.aquasec.com/nvd/cve-2023-44487
-   ```
-   _Current Support:_ Linear.\
-   Continuously developing to support more platforms like Jira, slack.
-5. **Reporting**
-   You can define which severity levels to report on, ensuring you only receive the most relevant information. This makes tracking vulnerabilities streamlined and focused. By default, scans for all severity.\
-   Enjoy the flexibility to host reports wherever you need, with full control over access—whether through Cloudflare tunnels, SSO login, or other methods.\
-   Seamlessly share reports via hosted endpoints, enabling smooth collaboration and quick discussions with your team or clients.\
-   Serves scan reports for both public and private access under a unified path `/reports`. Public and private servers run on different ports and can be accessed as follows:
-   ```
-      
-      - Public reports: `http://localhost:Port/reports`
-      - Private reports: `http://localhost:Port/reports`
-      
-      To view an individual report:
-      - `/view?file=<filename>`
-   ```
-
-7. **API Integrations**
-   Need to scan an image during development? Use our API endpoint to scan and get reports on the fly!\
-   _Current Support:_ Under development.
-
-## Why Use gokakashi?
-- **Reduce Engineering Overhead:** By centralizing the scanning process, gokakashi removes the need for multiple tools and need for managing and collaborating at multiple places.
-- **Streamline Release Management:** Automate the detection, reporting, and discussing resolution of vulnerabilities, reducing last-minute firefights. 
-- **Increase Security Proactivity:** Catch vulnerabilities before your customers do and maintain their trust with proactive management.
-- **Scalability:** Designed to support long-term solutions for managing large-scale image vulnerability detection, gokakashi streamlines everything into a single, centralized platform.
-- **Unified Platform:** One tool to rule them all—be it for vulnerability scanning, reporting, or even access and communicating directly with your team!
-
-
-## Getting Started
-1. **Setup Credentials:** Provide your ECR, GCR, Dockerhub, or self-registry credentials. You have the flexibility on how you would like pass it to gokakashi.
-   _Current Support:_ Dockerhub.
-2. **Schedule Scans:** Set up a cron job to scan your images periodically.
-3. **Choose Notification Integration:** Customize your notifications—integrate with Linear Jira or slack to get vulnerability alerts directly in your workflow.
-   _Current Support:_ Linear.
-4. **Check Reports:** Access both public and private reports via the endpoints and where to store generated reports, defined by gokakashi. Go crazy and customize how you share them internally or with your clients.
-
-**Configuration Example:**
-The gokakashi tool is highly configurable, giving you the flexibility to manage different scanning use cases. 
-Below is an example of a typical config file:\
-```
-scan_targets:
-  - registry: dockerhub # <current support dockerhub registry>
-    auth:
-      username: ${DOCKER_USERNAME}
-      password: ${DOCKER_PASSWORD}
-    images:
-      - name: <registry>
-        tags:
-          - v2.08.0
-          - v2.36.3
-        scan_policy:
-          severity:
-            - CRITICAL
-            - HIGH
-          notify:
-            Linear:
-              api_key: ${LINEAR_API_KEY}
-              project_id: UUID
-              team_id: UUID
-              issue_title: "Vulnerability Report"
-              issue_priority: 2 # INT
-              issue_assignee_id: UUID of Assignee
-              issue_state_id: UUID of Backlog, Triage, In Progress, etc.
-              issue_due_date: 2024-12-01  # YYYY-MM-DD
-      - name: <registry>
-        tags:
-          - v2.36.4
-          - v2.11.8
-        scan_policy:
-          severity:
-            - CRITICAL
-          notify:
-            Linear:
-              api_key: ${LINEAR_API_KEY}
-              project_id: UUID
-              team_id: UUID
-              issue_title: "Vulnerability Report"
-              issue_priority: 2 # INT
-              issue_assignee_id: UUID of Assignee
-              issue_state_id: UUID of Backlog, Triage, In Progress, etc.
-              issue_due_date: 2024-12-01  # YYYY-MM-DD
-    scanner:
-      - tool: Trivy
-website:
-  hostname: localhost
-  files_path: /app/website  # absolute
-  public:
-    port: 8080
-  private:
-    port: 9090
+<p align="center">
+   <img src="https://github.com/user-attachments/assets/d5a52847-eeac-4cbc-a047-7991a003a523">
+  <br><br>
+  <span><b>gokakashi</b></span>
+  <br><br>
+  <i>The Centralized Security Platform 🔍 🚀</i>
+  <br><br>
+  <span>🚧 Heavy work in progress 🚧</span>
+  <br><br>
+  <a href="https://github.com/shinobistack/gokakashi/actions/workflows/build.yml"><image src="https://github.com/shinobistack/gokakashi/actions/workflows/build.yml/badge.svg" /></a>
+</p>
 
-```
-**Current Support:** Continuously developing.
+&nbsp;
 
-## Execution
-```
-#binary
-./gokakshi --config=/config/config.yaml
-# Or docker run with mount
-docker run -it -v /Users/ashwiniag/config:/app/config -v /var/run/docker.sock:/var/run/docker.sock -v /usr/bin/docker:/usr/bin/docker -p 8080:8080 -p 9090:9090 gokakashi:latest --config=/app/config/config.yaml
+gokakashi is a security platform to help ship secure software.
 
-``` 
+## Motivation 🔥
 
-## Roadmap
-- Jira Integration
-- Slack Notifications
-- API Endpoints for CI/CD to scan during development phase
-- GCR, ACR, and Self-hosted registry integration
-<more to be dumped from notes>
+- Be vendor-agnostic and open(-sourced).
+- Centralized: You need one place to understand your security posture.
+- Help teams adopt industry standards like [SLSA](https://slsa.dev/).
+- Educate: Security is not an afterthought.
+- Any team, any size.
 
-## Current Phase
-gokakashi is currently in active development. Right now, we support:
+## Features 🎁
 
-- Dockerhub Integration
-- Trivy for Vulnerability Scanning
-- Linear Notifications and Issue Management
-- Cron Functionality
-- avoids Deduplication of Issues
+### Container Image Scanning
 
-More features are on the way! 🚀 Stay tuned as we continue to build and improve. Your feedback and pain points are highly appreciated! 🌻 
+Find, analyze, and remediate vulnerabilities present in your container images.
 
-## Transparency & Feedback ✨
-We’re excited to share gokakashi early with the community to gather feedback and improve quickly.\
-Whether you're curious, have suggestions, or if your team is looking for a fast and efficient way to streamline vulnerability scanning (and get back to enjoying that extra ice cream or your favorite anime), we’d love to hear from you. Feel free to open an issue or submit a pull request or request any features that would help on GitHub. Let’s build something awesome together!
+- Multiple registries support - scan images from various container image registries — all in one place!
+- Vulnerability scanner of your choice.
+- Custom notifications - Customize notifications to suit your needs, including where to get notified and control over priority, assignment, due dates etc.
+- Scheduled and on-demand scans - Automate your scans with in-built cron jobs or trigger them from your CI.
+
+#### Image Registries
+
+| Regisry | Status |
+|--------------|:-----------------:|
+| Docker Hub | [In progress ⏳](https://github.com/shinobistack/gokakashi/issues/81) |
+| Google Artifact Registry | [In progress ⏳](https://github.com/shinobistack/gokakashi/issues/82) |
+| GitHub Container Registry | [In progress ⏳](https://github.com/shinobistack/gokakashi/issues/83) |
+| Amazon Elastic Container Registry | [Open for contribution](https://github.com/shinobistack/gokakashi/issues/84)  |
+| Azure Container Registry | [Open for contribution](https://github.com/shinobistack/gokakashi/issues/85) |
+
+#### Image Scanners
+
+| Scanner | Status |
+|---------|:------:|
+| Trivy | [In progress ⏳](https://github.com/shinobistack/gokakashi/issues/86) |
+| Snyk  | [Open for contribution](https://github.com/shinobistack/gokakashi/issues/87) |
+| Clair | [Open for contribution](https://github.com/shinobistack/gokakashi/issues/88) |
 
-## Reach Out 💭
-If you have any questions, ideas, or just want to connect, feel free to reach me on X (formerly Twitter) at [@AshwiniGaddagi](https://x.com/AshwiniGaddagi). I'd love to hear from you!
 
+## Install 🛠️
 
+### Server
+
+```sh
+docker run -d ghcr.io/shinobistack/gokakashi server 
+```
+
+### Agent
+
+```sh
+docker run --rm -it ghcr.io/shinobistack/gokakashi agent
+```
+
+## Transparency & Feedback ✨
+We’re excited to share gokakashi early with the community to gather feedback and improve quickly.
+
+Whether you're curious, have suggestions, or if your team is looking for a fast and efficient way to streamline vulnerability scanning (and get back to enjoying that extra ice cream or your favorite anime), we’d love to hear from you. Feel free to open an issue or submit a pull request or request any features that would help on GitHub. Let’s build something awesome together!