Updates to nextra 3 and adds docs for container scanning
Signed-off-by: Sebastian Kawelke <[email protected]>
seb-kw committed Nov 15, 2024
1 parent e311b08 commit 02f5549
Showing 34 changed files with 5,693 additions and 11,384 deletions.
24 changes: 24 additions & 0 deletions .github/workflows/licenses.yaml
@@ -0,0 +1,24 @@
# Licenses Check Workflow Definition
# This workflow is triggered on every push to the repository
name: Licenses Check Workflow


on:
pull_request:
push:
branches:
- '*'
tags:
- '*'

jobs:
license_check:
runs-on: ubuntu-latest
name: Check for unapproved licenses
steps:
- name: Checkout the code
uses: actions/checkout@v4
- uses: ralexander-phi/license_approval@master
with:
working_directory: ${{ github.workspace }}
extra_flags: --decisions_file ./docs/dependency_decisions.yml
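Review bot: the third-party action is consumed from a mutable ref (`uses: ralexander-phi/license_approval@master`), so anyone who can push to that branch can change what runs with this repository's `GITHUB_TOKEN`; pin it (and ideally `actions/checkout@v4`) to a full commit SHA, and add a top-level `permissions: contents: read` block so the job runs with a read-only token instead of the default. Two smaller points on the trigger: `branches: - '*'` does not match branch names containing a slash (GitHub's single `*` does not cross `/`, `**` does), so `feature/foo` pushes will not be checked, and combining `pull_request` with `push` on all branches runs the check twice for same-repo PRs. The header comment ("triggered on every push") should also mention the `pull_request` trigger.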
2 changes: 1 addition & 1 deletion next-env.d.ts
@@ -2,4 +2,4 @@
/// <reference types="next/image-types/global" />

// NOTE: This file should not be edited
// see https://nextjs.org/docs/basic-features/typescript for more information.
// see https://nextjs.org/docs/pages/building-your-application/configuring/typescript for more information.
10 changes: 4 additions & 6 deletions next.config.js
@@ -1,10 +1,8 @@
const withNextra = require('nextra')({
import nextra from 'nextra'

const withNextra = nextra({
theme: 'nextra-theme-docs',
themeConfig: './theme.config.tsx',

})


const config = withNextra({})

module.exports = config
export default withNextra({})
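Review bot: switching to `import nextra from 'nextra'` / `export default withNextra({})` turns this `.js` file into ESM, which Node only accepts if `package.json` declares `"type": "module"` or the file is renamed to `next.config.mjs`; the `package.json` hunk in this commit starts at line 35, so that field is not visible here and should be confirmed, otherwise `next build` fails with a syntax error on the `import`. Also drop the stray blank line inside the `nextra({ ... })` options object.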
16,646 changes: 5,349 additions & 11,297 deletions package-lock.json

Large diffs are not rendered by default.

28 changes: 13 additions & 15 deletions package.json
@@ -35,33 +35,31 @@
"dependencies": {
"@headlessui/react": "^2.1.2",
"@heroicons/react": "^2.1.5",
"@tailwindcss/forms": "^0.5.7",
"dotenv": "^16.4.5",
"next": "^14.2.5",
"nextra": "latest",
"nextra-theme-docs": "latest",
"next": "^14.2.18",
"nextra": "3.2.3",
"nextra-theme-docs": "3.2.3",
"p-limit": "^6.1.0",
"react": "^18.3.1",
"react-dom": "^18.3.1",
"react-hook-form": "^7.52.1",
"react-hook-form": "^7.53.2",
"react-markdown": "^9.0.1",
"remark-gemoji": "^8.0.0",
"remark-gfm": "^4.0.0",
"sass": "^1.77.8",
"sharp": "^0.33.4",
"winston": "^3.13.1"
"sass": "^1.81.0",
"sharp": "^0.33.5",
"winston": "^3.17.0"
},
"devDependencies": {
"@types/node": "20.14.12",
"autoprefixer": "^10.4.19",
"@types/node": "22.9.0",
"autoprefixer": "^10.4.20",
"eslint-config-next": "^14.2.5",
"eslint-plugin-prettier": "^5.2.1",
"jest": "^29.7.0",
"jest-environment-jsdom": "^29.7.0",
"postcss": "^8.4.40",
"prettier-plugin-tailwindcss": "^0.6.5",
"prisma": "^5.17.0",
"tailwindcss": "^3.4.6",
"typescript": "^5.5.4"
"postcss": "^8.4.49",
"prettier-plugin-tailwindcss": "^0.6.8",
"tailwindcss": "^3.4.15",
"typescript": "^5.6.3"
}
}
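Review bot: `next` is bumped to `^14.2.18` but `eslint-config-next` stays at `^14.2.5`; keep the two on the same version so the lint rules match the framework. `prisma` is removed from `devDependencies` without a matching change visible in this diff, so check that no `prisma generate` step, schema or `@prisma/client` import remains. Pinning `nextra` and `nextra-theme-docs` to the exact `3.2.3` is a good move after the earlier `latest`, which resolved to whatever was published at install time.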
Binary file added public/android-chrome-192x192.png
Binary file added public/android-chrome-512x512.png
Binary file added public/apple-touch-icon.png
Binary file added public/bg.png
9 changes: 9 additions & 0 deletions public/browserconfig.xml
@@ -0,0 +1,9 @@
<?xml version="1.0" encoding="utf-8"?>
<browserconfig>
<msapplication>
<tile>
<square150x150logo src="/mstile-150x150.png"/>
<TileColor>#da532c</TileColor>
</tile>
</msapplication>
</browserconfig>
Binary file added public/favicon-16x16.png
Binary file added public/favicon-32x32.png
Binary file added public/favicon.ico
Binary file removed public/logo_horizontal.png
Binary file removed public/logo_inverse_horizontal.png
Binary file added public/mstile-150x150.png
19 changes: 19 additions & 0 deletions public/site.webmanifest
@@ -0,0 +1,19 @@
{
"name": "",
"short_name": "",
"icons": [
{
"src": "/android-chrome-192x192.png",
"sizes": "192x192",
"type": "image/png"
},
{
"src": "/android-chrome-512x512.png",
"sizes": "512x512",
"type": "image/png"
}
],
"theme_color": "#ffffff",
"background_color": "#ffffff",
"display": "standalone"
}
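Review bot: `"name": ""` and `"short_name": ""` are empty, so browsers that install the site as a PWA will show a blank title; fill both with the product name. Also make sure the manifest and `browserconfig.xml` are actually referenced from the document head (the theme config is not part of this diff), otherwise the added icons are never picked up.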
Binary file added src/assets/container-scanning.png
17 changes: 0 additions & 17 deletions src/pages/_meta.json

This file was deleted.

18 changes: 18 additions & 0 deletions src/pages/_meta.ts
@@ -0,0 +1,18 @@
export default {
index: { title: 'Introduction' },
basics: { title: 'Basics' },
concepts: { title: 'Concepts' },
guides: { title: 'Guides' },
contributing: { title: 'Contributing' },
about: {
title: 'About L3montree ↗',
type: 'page',
href: 'https://l3montree.com/',
newWindow: true,
},
contact: {
title: 'Contact ↗',
type: 'page',
href: 'mailto:[email protected]',
},
}
3 changes: 0 additions & 3 deletions src/pages/about.mdx

This file was deleted.

4 changes: 0 additions & 4 deletions src/pages/basics/_meta.json

This file was deleted.

4 changes: 4 additions & 0 deletions src/pages/basics/_meta.ts
@@ -0,0 +1,4 @@
export default {
index: { title: 'Overview' },
'getting-started': { title: 'Getting Started' },
}
3 changes: 0 additions & 3 deletions src/pages/basics/getting-started/_meta.json

This file was deleted.

3 changes: 3 additions & 0 deletions src/pages/basics/getting-started/_meta.ts
@@ -0,0 +1,3 @@
export default {
'quickstart-docker': { title: 'Quickstart with Docker' },
}
3 changes: 0 additions & 3 deletions src/pages/concepts/_meta.json

This file was deleted.

3 changes: 3 additions & 0 deletions src/pages/concepts/_meta.ts
@@ -0,0 +1,3 @@
export default {
index: { title: 'Overview' },
}
4 changes: 0 additions & 4 deletions src/pages/contributing/_meta.json

This file was deleted.

4 changes: 4 additions & 0 deletions src/pages/contributing/_meta.ts
@@ -0,0 +1,4 @@
export default {
'code-of-conduct': { title: 'Code of Conduct' },
roadmap: { title: 'Roadmap' },
}
4 changes: 4 additions & 0 deletions src/pages/guides/_meta.ts
@@ -0,0 +1,4 @@
export default {
index: { title: 'Guides' },
'container-scanning': { title: 'Container Scanning' },
}
163 changes: 163 additions & 0 deletions src/pages/guides/container-scanning.mdx
@@ -0,0 +1,163 @@
---
sidebar_position: 2
title: Container Scanning
---
import { Steps } from 'nextra/components'
import { Tabs } from 'nextra/components'

# Container Scanning

## Handling Found Flaws: Practical Steps for Mitigation

When DevGuard's container scanning detects vulnerabilities, such as the example provided below, it’s essential to address them
promptly to maintain security and compliance. Here’s a step-by-step guide to managing identified flaws.

```md filename="Example Flaw"
# CVE-2022-41903

Git is distributed revision control system. git log can display commits in an arbitrary...

## Affected component

The vulnerability is in `pkg:deb/debian/[email protected]+deb12u1`, detected by the `container-scanning` scan.

## Recommended fix

Upgrade to version 1:2.39.1-0.1 or later.
```

### Where to Look

The `Dockerfile` of the container is typically the starting point for analysis. This file defines the container’s
base image and specifies instructions for building the containerized application. Vulnerabilities often originate
from the base image or additional packages installed during the build. Your dependencies will be checked in the
"Software Composition Analysis" (SCA) step.

### Steps to Fix

<Steps>
### Check the Base Image

Examine the base image specified in the Dockerfile. For example:

### Update the Base Image or Switch to Distroless

If the base image contains the vulnerability and a direct update is possible:
- **Update the base image:**
Replace the current base image with a patched version.

If the base image cannot be updated or you’re looking to minimize attack surface:

- **Switch to a distroless base image:**
Use distroless images, which contain only the runtime essentials, reducing potential vulnerabilities.

Example multi-stage, distroless build:

<Tabs items={['Golang', 'NodeJS']}>
<Tabs.Tab>
```docker filename="Dockerfile" copy
# Step 1 - Build the application
FROM golang:1.23.3@sha256:73f06be4578c9987ce560087e2e2ea6485fb605e3910542cadd8fa09fc5f3e31 as build
WORKDIR /go/src/app
COPY . .
RUN go mod download
RUN CGO_ENABLED=0 go build -o /go/bin/app /go/src/app/cmd/scanner
# Step 2 - Create the final image
FROM gcr.io/distroless/static-debian12:nonroot@sha256:d71f4b239be2d412017b798a0a401c44c3049a3ca454838473a4c32ed076bfea
USER 53111
COPY --from=build /go/bin/app /
EXPOSE 8080
CMD ["/app"]
```
</Tabs.Tab>
<Tabs.Tab>
```docker filename="Dockerfile" copy
# Step 1 - Build the application
FROM node:22.11.0-bookworm@sha256:5c76d05034644fa8ecc9c2aa84e0a83cd981d0ef13af5455b87b9adf5b216561 as builder
WORKDIR /usr/app/
ENV PORT 3000
ENV NODE_ENV production
COPY package.json .
COPY package-lock.json .
RUN npm ci
COPY . .
RUN npm run build
# Step 2 - Create the final image
FROM gcr.io/distroless/nodejs22-debian12:nonroot@sha256:de286271ef771e563194702ff49cc5d60e7ea59a09349cdae129e3b0c6ab396b
USER 53111
WORKDIR /usr/app/
ENV PORT 3000
ENV NODE_ENV production
EXPOSE 3000
COPY --from=builder --chown=53111:53111 /usr/app/.next /usr/app/.next
COPY --from=builder /usr/app/node_modules /usr/app/node_modules
COPY --from=builder /usr/app/package.json /usr/app/package.json
COPY --from=builder --chown=53111:53111 /usr/app/public /usr/app/public
CMD [ "./node_modules/next/dist/bin/next", "start" ]
```
</Tabs.Tab>
</Tabs>

### Manually Update Vulnerable Packages

If reproducibility is not a strict requirement or the base image cannot be updated:
Use the package manager during the build to patch the specific vulnerability.
Example for Debian-based containers:

```docker filename="Dockerfile" copy
RUN apt-get update && apt-get install --only-upgrade git -y
```

**Disclaimer:** This approach may hinder reproducibility, as future builds may result in different package versions if repositories change.

### Alternative Measures

If none of the above fixes are feasible:
- **Risk Acceptance**: Temporarily accept the risk using DevGuard’s risk management feature.
- Document the accepted risk by providing a justification. Use the UI or slash commands in the issue.
- Set a reminder for future review; DevGuard will automatically notify you after a predefined period.

- **Avoidance**: Disable risky functionality or service.

</Steps>

## What is a Container?

A container is a lightweight, standalone, and executable software package that includes everything
needed to run a piece of software: code, runtime, system tools, libraries, and settings. Containers
are built on the concept of virtualization but are more resource-efficient because they share the
host system’s operating system kernel (basically, they are an encapsulated “normal process”).

They are widely used in modern software development to ensure consistency across different environments,
such as development, testing, and production, as they encapsulate the application and its dependencies.
Popular containerization tools include Docker and Kubernetes for container management.

## What Happens During Container Scanning?

![Container Scanning](../../assets/container-scanning.png)

Container scanning is a crucial process in a security assessment, designed to uncover vulnerabilities
and security risks within containerized applications. With tools like DevGuard, the scanning process
involves the following key steps:

1. **Generating a Software Bill of Materials (SBOM)**

An SBOM is a detailed inventory of all components and dependencies within the container. During this phase:
- The container image is analysed to identify the software packages, libraries, and tools it contains.
- Version information for each component is extracted.

This SBOM provides a transparent view of the container’s contents, serving as the foundation for further
security analysis.

2. **Checking for Known Vulnerabilities**

DevGuard leverages its vulnerability database to detect known security flaws in the components listed in the SBOM:
- The identified software packages are cross-referenced with vulnerability databases, such as CVE (Common Vulnerabilities and Exposures) lists, and DevGuard’s extended database.
- The scanning process flags outdated or insecure versions of software.
- Vulnerabilities are categorized by severity, enabling prioritization of remediation efforts.

By detecting known vulnerabilities, container scanning helps prevent the exploitation of weaknesses in production environments.
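Review bot: the "Check the Base Image" step ends with "Examine the base image specified in the Dockerfile. For example:" and nothing follows before the next step heading, so the reader is left without the `FROM` line they are supposed to inspect; either show the line being examined or drop the colon. On the Dockerfile examples: the NodeJS final stage copies the whole `node_modules` from the builder after a plain `npm ci`, which ships devDependencies into the distroless runtime image and partly undoes the attack-surface reduction the section is arguing for (run `npm ci --omit=dev` in a separate stage or prune before the `COPY --from=builder`); the Golang stage does `COPY . .` before `go mod download`, so the module cache is invalidated on every source change (copy `go.mod`/`go.sum` first); and the package-upgrade example `RUN apt-get update && apt-get install --only-upgrade git -y` should end with `&& rm -rf /var/lib/apt/lists/*` so the index lists are not baked into the layer. In the "What is a Container?" text, Kubernetes is an orchestrator rather than a containerization tool, and "built on the concept of virtualization" is better stated as kernel-level isolation via namespaces and cgroups, which is what the following sentence about sharing the host kernel already says.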
6 changes: 6 additions & 0 deletions src/pages/guides/index.mdx
@@ -0,0 +1,6 @@
---
sidebar_position: 1
title: Guides
---

# Guides
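Review bot: `sidebar_position` is Docusaurus frontmatter and has no effect in Nextra, which takes page order from the `_meta.ts` files added in this same commit; remove the key here and in `container-scanning.mdx` so nobody later tries to reorder pages by editing it. The `title` key is honoured and can stay.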