-
Notifications
You must be signed in to change notification settings - Fork 1
132 lines (113 loc) · 5.18 KB
/
cs-ecs-fargate-demo.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
name: CrowdStrike ECS Fargate Demo
on:
# ## scheduled job at 5:30 UTC every sunday
# schedule:
# - cron: '30 5 * * 0'
## on push
push:
branches: [ main ]
## manual trigger
workflow_dispatch:
permissions:
id-token: write
contents: read
security-events: write
jobs:
crowdstrike-ecs-fargate-demo:
runs-on: ubuntu-latest
env:
ECR_REGISTRY: ${{ secrets.AWS_ACCOUNT_ID}}.dkr.ecr.ca-central-1.amazonaws.com
FALCON_IMAGE: ecs-pipeline-demo/falcon-sensor:7.10.0-4906.container.x86_64.Release.US-1
ECR_REPO: ecs-pipeline-demo/app-images
GITHUB_SHA: ${{ github.sha }}
FCS_IAC_ZIP: fcs_0.34.0_Linux_x86_64.tar.gz
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID}}:role/${{ secrets.ROLE_NAME }}
role-session-name: ${{ secrets.ROLE_NAME }}
aws-region: ca-central-1
- name: Scan repository with CrowdStrike FCS IAC Scanner
run: |
aws s3api get-object --bucket ${{ secrets.UTILITIESBUCKETNAME }} --key ${{ env.FCS_IAC_ZIP }} ${{ env.FCS_IAC_ZIP }}
tar xvzf ${{ env.FCS_IAC_ZIP }}
chmod +x fcs
./fcs iac scan \
--fail-on "high=50,medium=50,low=50,info=50" \
--report-formats sarif \
--output-path $PWD \
--path $PWD | tee scansummary.txt
SARIFFILE=$(grep 'Results saved to file:' scansummary.txt | sed 's/.*file: //')
jq '.runs[].tool.driver.informationUri = "https://www.crowdstrike.com"' $SARIFFILE > results.sarif
- name: Upload SARIF file
if: always()
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
category: crowdstrike-fcs-iac-scanner
- name: Docker build & tag image
run: |
docker build -t $ECR_REGISTRY/$ECR_REPO:$GITHUB_SHA -t $ECR_REGISTRY/$ECR_REPO:latest .
- name: Scan Container Image with CrowdStrike
uses: CrowdStrike/container-image-scan-action@main
with:
container_repository: ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPO }}
container_tag: ${{ env.GITHUB_SHA }}
crowdstrike_region: us-1
crowdstrike_score: 500000
retry_count: 30
env:
FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }}
FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }}
JSON_REPORT: /tmp/report.json
- name: Print CrowdStrike Full Image Scan Report
if: always()
run: |
jq '.' /tmp/report.json
- name: ECR Login
uses: aws-actions/amazon-ecr-login@v2
- name: Push image to AWS ECR
run: |
docker push $ECR_REGISTRY/$ECR_REPO:latest
- name: Pull CrowdStrike Falcon Container Image
run: |
docker pull $ECR_REGISTRY/$FALCON_IMAGE
# Patch ECS Task Definition Format (sed used to prevent commiting AWS Account ID)
- name: Patch ECS Task Defintion with CrowdStrike Falcon ECS Patching utility
run: |
sed -i 's/#AWSACCOUNTID#/${{ secrets.AWS_ACCOUNT_ID }}/g' taskdefinition.json
docker run \
--mount type=bind,source=$(pwd)/taskdefinition.json,target=/root/taskdefinition.json \
--rm $ECR_REGISTRY/$FALCON_IMAGE \
-cid ${{ secrets.FALCON_CID }} \
-image $ECR_REGISTRY/$FALCON_IMAGE \
-pulltoken $(echo "{\"auths\":{\"${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.ca-central-1.amazonaws.com\":{\"auth\":\"$(echo AWS:$(aws ecr get-login-password)|base64 -w 0)\"}}}" | base64 -w 0) \
-ecs-spec-file /root/taskdefinition.json > taskdefinitionwithfalcon.json
cat taskdefinitionwithfalcon.json
- name: Upload CrowdStrike Falcon Patched ECS Task Definition to ECS
run: |
aws ecs register-task-definition --cli-input-json file://taskdefinitionwithfalcon.json 1>/dev/null
# Patch CloudFormation Format Sample using Parameters for Image URI (Requires Falcon Container 6.53+)
- name: Patch CloudFormation with CrowdStrike Falcon ECS Patching utility
run: |
docker run \
--mount type=bind,source=$(pwd)/cloudformation.yaml,target=/root/cloudformation.yaml \
--rm $ECR_REGISTRY/$FALCON_IMAGE \
-cid ${{ secrets.FALCON_CID }} \
-image $ECR_REGISTRY/$FALCON_IMAGE \
-pulltoken $(echo "{\"auths\":{\"${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.ca-central-1.amazonaws.com\":{\"auth\":\"$(echo AWS:$(aws ecr get-login-password)|base64 -w 0)\"}}}" | base64 -w 0) \
-cloudformationParams "ParameterKey=AppImagePath,ParameterValue=${ECR_REGISTRY}/${ECR_REPO}:latest" \
-ecs-spec-file /root/cloudformation.yaml > cloudformationwithfalcon.yaml
cat cloudformationwithfalcon.yaml
- name: Create CloudFormation Change Set
run: |
aws cloudformation create-change-set \
--stack-name crowdstrike-ecs-fargate-demo \
--change-set-type CREATE \
--change-set-name "crowdstrike-ecs-fargate-demo-commit-${{ env.GITHUB_SHA }}" \
--template-body file://cloudformationwithfalcon.yaml \
--parameters "ParameterKey=AppImagePath,ParameterValue=${ECR_REGISTRY}/${ECR_REPO}:latest" \
--capabilities CAPABILITY_IAM