
@w3sec/w3security-cr-monitor

v0.5.0

Published

monitor artifactory container images for vulns in w3security

Downloads

4

Readme

w3security-cr-monitor


Basic Flow

  • Query the Artifactory API to gather the Docker repos to test
  • Iterate through the results, running w3security monitor against each *repo*, either for the *latest* image tag only (the default) or for every tag when --all-tags is given
  • Run a configurable number of jobs concurrently

Note that w3security monitor runs a docker pull behind the scenes for every image it tests.

Use the W3SECURITY_CR_MONITOR_MAX_JOBS and W3SECURITY_CR_MONITOR_JOB_SPACING variables, as described below, to control the throughput against your Docker repos: pulling too many images at once can be taxing on both the Artifactory instance and the host running the scans.

Usage

Usage: ./w3security-cr-monitor [OPTIONS]
              If no arguments are specified, values will be picked up from
              environment variables

Options:
  --version               Show version number                          [boolean]
  --w3security-token            W3Security API Key, if not specified $W3SECURITY_TOKEN
  --w3security-org              W3Security Organization ID to post test results, if not
                          specified $W3SECURITY_ORG
  --artifactory-api-host  Artifactory API HOST, if not specified
                          $ARTIFACTORY_API_HOST
  --artifactory-cli-host  Artifactory host used for docker login/pull, if not
                          specified $ARTIFACTORY_CLI_HOST
  --artifactory-user      Artifactory API User, if not specified
                          $ARTIFACTORY_USER
  --artifactory-key       Artifactory API Key, if not specified $ARTIFACTORY_KEY
  --all-tags              Process all image tags, if omitted then "latest" tags
                          are processed                                [boolean]
  --docker-repo           Optionally process only the docker repo with a given
                          name
  --max-jobs              Number of simultaneous jobs to run
  --job-spacing           milliseconds in between job launches
  --help                  Show help                                    [boolean]

set environment

required (if not set at command line)

# Your W3Security Api Key (General Settings -> API Token, or Settings -> Service Accounts)
export W3SECURITY_TOKEN=<w3security_api_key>

# the W3Security Org ID to post results to (Settings -> General -> Organization ID)
export W3SECURITY_ORG=<w3security_org_id> 

# The hostname (and optional port) of the on-premise artifactory instance, where the API will be accessible
# example: onpremartifactory.example.com, or onpremartifactory.example.com:8443
export ARTIFACTORY_API_HOST=<api_hostname> 

# The hostname (and optional port) of the host used with docker login
# This is separate from the API host because they may be different, 
# for example onpremartifactory.example.com:5000
export ARTIFACTORY_CLI_HOST=<cli_endpoint_hostname>

# The username the API key below was created for
# This is needed for the docker login / docker pull command.
export ARTIFACTORY_USER=<artifactory_user_for_key>

# Artifactory API Key
export ARTIFACTORY_KEY=<artifactory_api_key>

optional:

# Number of container scanning jobs that may be simultaneously running
# if unspecified, default is 5
export W3SECURITY_CR_MONITOR_MAX_JOBS=<num-jobs>

# Number of milliseconds between job launches to space requests out
# If unspecified, default is 1500 (1.5 seconds)
export W3SECURITY_CR_MONITOR_JOB_SPACING=<milliseconds-between-job-launches>

If connecting to an on-prem Artifactory instance over HTTPS with a certificate that is not issued by a public CA (self-signed, or signed by an internal CA), point Node at the CA certificate so the connection is still verified:

export NODE_EXTRA_CA_CERTS=[your CA certificate file path]

The alternative

export NODE_TLS_REJECT_UNAUTHORIZED=0

disables certificate verification for every TLS connection the process makes, including the calls that send your W3SECURITY_TOKEN to the w3security API, so it should only be used as a last resort on a trusted network.
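The basic flow described earlier (gather repos, plan one monitor job per image reference, run the jobs with a concurrency cap and a minimum spacing between launches) and the settings precedence just described (command-line flag, then environment variable, then default), as an added Node.js example that is not code from the w3security-cr-monitor package. The inventory, the DEMO_ENV values, the stand-in for w3security monitor and all function names are constructed for illustration; no Artifactory API is queried and no CLI is run.

```javascript
// Added example, not code from the w3security-cr-monitor package. Models the
// README's basic flow: resolve settings (flag > env var > default), plan one
// `w3security monitor` job per image reference, then run the jobs with a cap
// on concurrency and a minimum spacing between launches. The inventory and
// the job runner are constructed stand-ins; nothing touches the network.

// Constructed inventory, shape "repo -> image -> tags" (assumed, not the
// real Artifactory API response format).
const SAMPLE_INVENTORY = {
  "docker-local": { "app/api": ["1.0.0", "1.1.0", "latest"], "app/web": ["latest"] },
  "docker-remote": { "library/nginx": ["1.25", "latest"] },
};

// Constructed environment for the demo; every value is a placeholder.
const DEMO_ENV = {
  W3SECURITY_TOKEN: "example-token", W3SECURITY_ORG: "example-org-id",
  ARTIFACTORY_API_HOST: "artifactory.example.com", ARTIFACTORY_CLI_HOST: "artifactory.example.com:5000",
  ARTIFACTORY_USER: "ci-bot", ARTIFACTORY_KEY: "example-api-key",
  W3SECURITY_CR_MONITOR_MAX_JOBS: "2", W3SECURITY_CR_MONITOR_JOB_SPACING: "20",
};

// Settings precedence as documented: command-line flag, then environment
// variable, then the documented default (5 jobs, 1500 ms between launches).
function resolveConfig(argv = {}, env = process.env) {
  const pick = (flag, name, fallback) => {
    if (argv[flag] !== undefined) return argv[flag];
    if (name && env[name] !== undefined && env[name] !== "") return env[name];
    return fallback;
  };
  const required = {
    w3securityToken: pick("w3security-token", "W3SECURITY_TOKEN"),
    w3securityOrg: pick("w3security-org", "W3SECURITY_ORG"),
    artifactoryApiHost: pick("artifactory-api-host", "ARTIFACTORY_API_HOST"),
    artifactoryCliHost: pick("artifactory-cli-host", "ARTIFACTORY_CLI_HOST"),
    artifactoryUser: pick("artifactory-user", "ARTIFACTORY_USER"),
    artifactoryKey: pick("artifactory-key", "ARTIFACTORY_KEY"),
  };
  const missing = Object.keys(required).filter((k) => required[k] === undefined);
  if (missing.length) throw new Error(`missing required settings: ${missing.join(", ")}`);
  const maxJobs = Number(pick("max-jobs", "W3SECURITY_CR_MONITOR_MAX_JOBS", 5));
  const jobSpacing = Number(pick("job-spacing", "W3SECURITY_CR_MONITOR_JOB_SPACING", 1500));
  if (!Number.isInteger(maxJobs) || maxJobs < 1) throw new Error("max-jobs must be a positive integer");
  if (!Number.isFinite(jobSpacing) || jobSpacing < 0) throw new Error("job-spacing must be >= 0 ms");
  return { ...required, allTags: Boolean(pick("all-tags", null, false)),
           dockerRepo: pick("docker-repo", null, undefined), maxJobs, jobSpacing };
}

// One job per image reference: "latest" only by default, every tag with
// --all-tags, optionally restricted to one Artifactory repo with --docker-repo.
function planJobs(config, inventory) {
  const jobs = [];
  for (const [repo, images] of Object.entries(inventory)) {
    if (config.dockerRepo && repo !== config.dockerRepo) continue;
    for (const [image, tags] of Object.entries(images)) {
      const wanted = config.allTags ? tags : tags.filter((t) => t === "latest");
      for (const tag of wanted) {
        jobs.push({ repo, image, tag, ref: `${config.artifactoryCliHost}/${repo}/${image}:${tag}` });
      }
    }
  }
  return jobs;
}

// Run jobs with at most maxJobs in flight and at least jobSpacing ms between
// launches. A launch slot is reserved synchronously before any await, so two
// workers can never claim the same slot; this is what throttles the docker
// pulls that `w3security monitor` performs against Artifactory.
async function runThrottled(jobs, runJob, { maxJobs, jobSpacing }) {
  const results = new Array(jobs.length);
  const launchedAt = [];
  let next = 0, inFlight = 0, peakConcurrency = 0, lastSlot = -Infinity;
  const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
  async function worker() {
    while (next < jobs.length) {
      const i = next++;
      const slot = Math.max(Date.now(), lastSlot + jobSpacing);
      lastSlot = slot;
      const wait = slot - Date.now();
      if (wait > 0) await sleep(wait);
      launchedAt.push(Date.now());
      inFlight += 1;
      peakConcurrency = Math.max(peakConcurrency, inFlight);
      try {
        results[i] = { ok: true, value: await runJob(jobs[i]) };
      } catch (err) {
        results[i] = { ok: false, error: String(err) }; // one failure must not stop the rest
      } finally {
        inFlight -= 1;
      }
    }
  }
  await Promise.all(Array.from({ length: Math.min(maxJobs, jobs.length) }, worker));
  return { results, launchedAt, peakConcurrency };
}

// Constructed stand-in for `w3security monitor`: no docker pull, no network.
// One tag is made to fail so the error path is exercised.
async function fakeMonitor(job) {
  await new Promise((resolve) => setTimeout(resolve, 30));
  if (job.tag === "1.0.0") throw new Error(`monitor failed for ${job.ref}`);
  return { ref: job.ref, status: "monitored" };
}

async function runDemo(argv = { "all-tags": true }, env = DEMO_ENV) {
  const config = resolveConfig(argv, env);
  const jobs = planJobs(config, SAMPLE_INVENTORY);
  return { jobs, ...(await runThrottled(jobs, fakeMonitor, config)) };
}

runDemo().then((r) => console.log(JSON.stringify(r.results, null, 2)));
```

With the demo settings (two concurrent jobs, 20 ms spacing, all tags) the six image references are monitored two at a time, launches are at least 20 ms apart, and the deliberately failing 1.0.0 tag is reported as a failed result without aborting the others. Raising W3SECURITY_CR_MONITOR_MAX_JOBS only increases the number of worker loops; the spacing gate still bounds how quickly pulls start.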

Running as a container

docker build -t w3security-cr-monitor .
docker run -v /var/run/docker.sock:/var/run/docker.sock \
           -e W3SECURITY_TOKEN=$W3SECURITY_TOKEN \
           -e W3SECURITY_ORG=$W3SECURITY_ORG \
           -e ARTIFACTORY_USER=$ARTIFACTORY_USER \
           -e ARTIFACTORY_KEY=$ARTIFACTORY_KEY \
           -e ARTIFACTORY_API_HOST=$ARTIFACTORY_API_HOST \
           -e ARTIFACTORY_CLI_HOST=$ARTIFACTORY_CLI_HOST \
           -e W3SECURITY_CR_MONITOR_MAX_JOBS=$W3SECURITY_CR_MONITOR_MAX_JOBS \
           -e W3SECURITY_CR_MONITOR_JOB_SPACING=$W3SECURITY_CR_MONITOR_JOB_SPACING \
           w3security-cr-monitor
  • The Docker socket mount is what lets w3security monitor run docker pull from inside the container. It also gives the container full control of the host's Docker daemon, so run this only on a host you would trust with the equivalent of root.
  • If extra environment variables are needed for an internal CA (NODE_EXTRA_CA_CERTS), add them to the command above or to the wrapper script below; the CA file must also be mounted into the container at the path the variable names.

Use bash wrapper script

modify arguments as needed for your environment

$ chmod +x w3security-cr-monitor
$ ./w3security-cr-monitor

Running natively

requires Node.js, Docker and the w3security CLI

$ npm install -g 
$ w3security-cr-monitor

References

Artifactory REST API documentation

TODO

  • add support for an AQL file option for custom image tag searches