Description
Context
Coder recently published a guide on how to integrate with JFrog Xray to scan workspace images. That guide uses the coder-xray utility, which can be deployed to scan all workspaces in a given K8s namespace. This works well but has limitations:
- Only works for K8s-based workspaces
- Requires deploying coder-xray as a service
Suggested solution
Coder uses Terraform as the provisioner to create workspaces. This gives Coder the flexibility to provide a range of compute, storage, and network resources on any platform that has a Terraform provider. While researching, I came across xray-terraform-provider, which can be used to fetch the Xray scan results of an artifact. (Thanks to @alexhung for adding this feature.)

This has the added benefit of covering every type of workspace, not just K8s, as long as the image is sourced from JFrog Artifactory. (See this guide on enabling Artifactory integration.)

The result can then be displayed as a coder_metadata resource on the workspace page.
```hcl
provider "xray" {
  url           = "https://jfrt.cdr.dev/xray"
  access_token  = "TOKEN" # placeholder: in a real template read this from a sensitive variable, not a literal in the template
  check_license = false
}

# The workspace this template build is for; needed for start_count below.
data "coder_workspace" "me" {}

# Fetch the Xray scan results for the workspace image stored in Artifactory.
# Errors at plan time if Xray has no scan result for this path.
data "xray_artifacts_scan" "image_scan" {
  repo      = "docker-local"
  repo_path = "/codercom/enterprise-base:local"
}

locals {
  # Severity counts for the first (and only) matching artifact.
  vulnerabilities = data.xray_artifacts_scan.image_scan.results[0].sec_issues
}

# Surface the counts on the workspace page.
resource "coder_metadata" "workspace_info" {
  count       = data.coder_workspace.me.start_count
  resource_id = "WORKSPACE_RESOURCE_ID" # placeholder: id of the workspace's main resource
  item {
    key   = "Critical"
    value = local.vulnerabilities.critical
  }
  item {
    key   = "High"
    value = local.vulnerabilities.high
  }
  item {
    key   = "Medium"
    value = local.vulnerabilities.medium
  }
  item {
    key   = "Low"
    value = local.vulnerabilities.low
  }
}
```
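Displaying the counts is useful, but a template can also act on them. The following is an added example, not code from this issue, from Coder, or from JFrog: it uses the same `xray_artifacts_scan` data source and `coder_metadata` resource as above, but reads the token from a sensitive variable instead of a literal, derives `repo` and `repo_path` from the image reference, and adds a `precondition` that refuses to build the workspace when the image exceeds a critical-finding threshold. The provider sources, the image reference, the `max_critical` variable and the `WORKSPACE_RESOURCE_ID` placeholder are assumptions; `sec_issues` is assumed to expose numeric `critical`, `high`, `medium` and `low` attributes as the snippet above relies on.

```hcl
# Added example (not from the original issue). Provider sources, the image
# reference, the variable names and the resource id are assumptions.
terraform {
  required_providers {
    coder = { source = "coder/coder" }
    xray  = { source = "jfrog/xray" }
  }
}

variable "xray_access_token" {
  description = "Xray access token; supply via TF_VAR_xray_access_token, never commit it."
  type        = string
  sensitive   = true
}

variable "max_critical" {
  description = "Highest number of critical findings still allowed to start a workspace."
  type        = number
  default     = 0
}

provider "xray" {
  url           = "https://jfrt.cdr.dev/xray"
  access_token  = var.xray_access_token
  check_license = false
}

data "coder_workspace" "me" {}

locals {
  # Constructed image reference of the form <artifactory host>/<repo>/<path>:<tag>.
  image = "jfrt.cdr.dev/docker-local/codercom/enterprise-base:local"

  # Split "host/repo/path:tag" into the Artifactory repo key and the Xray repo_path.
  # regex() with unnamed capture groups returns a list of the captures.
  image_parts    = regex("^[^/]+/([^/]+)/(.+)$", local.image)
  xray_repo      = local.image_parts[0]       # "docker-local"
  xray_repo_path = "/${local.image_parts[1]}" # "/codercom/enterprise-base:local"
}

data "xray_artifacts_scan" "image_scan" {
  repo      = local.xray_repo
  repo_path = local.xray_repo_path
}

locals {
  # Indexing an empty results list fails the plan, so an image Xray has never
  # scanned cannot silently pass the gate.
  vulnerabilities = data.xray_artifacts_scan.image_scan.results[0].sec_issues
  total_findings = sum([
    local.vulnerabilities.critical,
    local.vulnerabilities.high,
    local.vulnerabilities.medium,
    local.vulnerabilities.low,
  ])
}

resource "coder_metadata" "workspace_info" {
  count       = data.coder_workspace.me.start_count
  resource_id = "WORKSPACE_RESOURCE_ID" # placeholder: id of the workspace's main resource

  lifecycle {
    # Fails the apply, and therefore the workspace build, when the threshold is exceeded.
    precondition {
      condition     = local.vulnerabilities.critical <= var.max_critical
      error_message = "Image ${local.image} has ${local.vulnerabilities.critical} critical vulnerabilities (limit ${var.max_critical}); refusing to build workspace."
    }
  }

  item {
    key   = "Critical"
    value = local.vulnerabilities.critical
  }
  item {
    key   = "High"
    value = local.vulnerabilities.high
  }
  item {
    key   = "Total findings"
    value = local.total_findings
  }
}
```

The precondition runs during `terraform plan`/`apply`, so a workspace whose image has more critical findings than `max_critical` never starts, and the error message is what the user sees in the build log. Set `max_critical` above zero only for templates where that risk has been accepted explicitly.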
TODO
- xray-integration(docs): update the guide to recommend this Terraform method instead of using coder-xray
- JFrog xray scanning module to list workspace image vulnerabilities registry#65
- xray-integration(frontend): update frontend to parse the terraform output and display the vulnerabilities natively. #12839