docs: add website categories (#483)
Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
sozercan authored Jan 23, 2024
1 parent fc6b96b commit 8d6e4aa
Showing 14 changed files with 427 additions and 301 deletions.
8 changes: 4 additions & 4 deletions README.md
@@ -7,6 +7,8 @@

`copa` is a CLI tool written in [Go](https://golang.org) and based on [buildkit](https://github.com/moby/buildkit) that can be used to directly patch container images given the vulnerability scanning results from popular tools like [Trivy](https://github.com/aquasecurity/trivy).

For more details and how to get started, please refer to [full documentation](https://project-copacetic.github.io/copacetic/).

## Demo

![intro](demo/copa-demo.gif)
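Review bot: the added "For more details and how to get started" pointer is a move of the sentence deleted near the bottom of the README (the @@ -47,8 +49,6 @@ hunk), so the link now appears once, which is the right outcome; since the sentence promises getting-started content, consider linking the quick-start page directly rather than the documentation root so readers land where the sentence says they will.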
@@ -18,7 +20,7 @@ We needed the ability to patch containers quickly without going upstream for a f
- inherited from base images several levels deep and waiting on updated releases to percolate through the supply chain is not an option
- found in 3rd party app images you don't maintain with update cadences that don't meet your security SLAs.

![direct image patching](./docs/imgs/direct-image-patching.png)
![direct image patching](./website/static/img/direct-image-patching.png)

In addition to filling the operational gap not met by left-shift security practices and tools, the ability of `copa` to patch a container without requiring a rebuild of the container image provides other benefits:

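Review bot: the image reference moves to `./website/static/img/direct-image-patching.png`, but nothing in this diff adds a file at that path; the only binary change listed for this asset is the removal of `docs/imgs/direct-image-patching.png`. Confirm the file already exists under `website/static/img`, otherwise the README image breaks on GitHub after this commit.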
@@ -35,7 +37,7 @@ The `copa` tool is an extensible engine that:
2. Obtains and processes the needed update packages using the appropriate package manager tools such as apt, apk, etc. New adapters can be written to support more package managers.
3. Applies the resulting update binaries to the container image using buildkit.

![report-driven vulnerability patching](./docs/imgs/vulnerability-patch.png)
![report-driven vulnerability patching](./website/static/img/vulnerability-patch.png)

This approach is motivated by the core principles of making direct container patching broadly applicable and accessible:

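Review bot: same check as for the previous image: `./website/static/img/vulnerability-patch.png` is referenced here while `docs/imgs/vulnerability-patch.png` is removed and no addition under `website/static/img` is visible in the file list, so verify the target asset is present before merging.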
@@ -47,8 +49,6 @@ This approach is motivated by the core principles of making direct container pat
- **Copa reduces the technical expertise needed and waiting on dependencies needed to patch an image**.
- For OS package vulnerabilities, no specialized knowledge about a specific image is needed to be patch it as Copa relies on the vulnerability remediation knowledge already embedded in the reports produced by popular container scanning tools today.

For more details refer to the [full documentation](https://project-copacetic.github.io/copacetic/).

## Contributing
There are several ways to get involved:
* Join the [mailing list](https://groups.google.com/g/project-copa) to get notifications for releases, security announcements, etc.
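Review bot: the unchanged context line "no specialized knowledge about a specific image is needed to be patch it" has a stray "be" ("is needed to patch it"); since this hunk already edits the surrounding paragraph, fixing it here is cheap. Removing the bottom "For more details" sentence is consistent with the pointer added at the top of the README in the first hunk.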
Binary file removed docs/imgs/direct-image-patching.png
Binary file not shown.
Binary file removed docs/imgs/graph-execution.png
Binary file not shown.
Binary file removed docs/imgs/oci-patch.png
Binary file not shown.
Binary file removed docs/imgs/vulnerability-patch.png
Binary file not shown.
82 changes: 0 additions & 82 deletions docs/vulnerability-driven-patching.md

This file was deleted.

File renamed without changes.
97 changes: 3 additions & 94 deletions website/docs/github-action.md
@@ -1,98 +1,7 @@
---
title: Copa Github Action
title: Github Action
---

## Overview
The [Copa Github Action](https://github.com/project-copacetic/copa-action) allows you patch vulnerable containers in your GitHub Actions workflows using Copa.

The [Copa Github Action](https://github.com/project-copacetic/copa-action) allows you patch vulnerable containers in your workflows using Copa.

## Inputs

## `image`

**Required** The image reference to patch.

## `image-report`

**Required** The trivy json vulnerability report of the image to patch.

## `patched-tag`

**Required** The new patched image tag.

## `buildkit-version`

**Optional** The buildkit version used in the action, default is latest.

## `copa-version`

**Optional** The Copa version used in the action, default is latest.

## Output

## `patched-image`

Image reference of the resulting patched image.

## Example Workflow

```
on: [push]
jobs:
test:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
# provide relevant list of images to scan on each run
images: ['docker.io/library/nginx:1.21.6', 'docker.io/openpolicyagent/opa:0.46.0', 'docker.io/library/hello-world:latest']
steps:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@dedd61cf5d839122591f5027c89bf3ad27691d18
- name: Generate Trivy Report
uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4
with:
scan-type: 'image'
format: 'json'
output: 'report.json'
ignore-unfixed: true
vuln-type: 'os'
image-ref: ${{ matrix.images }}
- name: Check Vuln Count
id: vuln_count
run: |
report_file="report.json"
vuln_count=$(jq '.Results | length' "$report_file")
echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT
- name: Copa Action
if: steps.vuln_count.outputs.vuln_count != '0'
id: copa
uses: project-copacetic/copa-action@v1
with:
image: ${{ matrix.images }}
image-report: 'report.json'
patched-tag: 'patched'
buildkit-version: 'v0.11.6'
# optional, default is latest
copa-version: '0.4.1'
- name: Login to Docker Hub
if: steps.copa.conclusion == 'success'
id: login
uses: docker/login-action@b4bedf8053341df3b5a9f9e0f2cf4e79e27360c6
with:
username: 'user'
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Docker Push Patched Image
if: steps.login.conclusion == 'success'
run: |
docker push ${{ steps.copa.outputs.patched-image }}
```
Please refer to [Copa Github Action](https://github.com/project-copacetic/copa-action) for more details on how to use it.
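Review bot: the retained sentence "allows you patch vulnerable containers in your GitHub Actions workflows" is missing "to" ("allows you to patch"); the error was already in the deleted line, but this rewrite is the moment to fix it. Replacing the inputs, output and example workflow with a single link to the copa-action repository avoids two copies drifting apart, but after this change `image`, `image-report`, `patched-tag`, `buildkit-version`, `copa-version` and `patched-image` are no longer described anywhere on the site, so confirm the action's own README documents all of them before dropping them here.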
File renamed without changes.
51 changes: 37 additions & 14 deletions website/sidebars.js
Expand Up @@ -14,20 +14,43 @@
/** @type {import('@docusaurus/plugin-content-docs').SidebarsConfig} */
const sidebars = {
sidebar: [
'introduction',
'installation',
'quick-start',
'custom-address',
'output',
'troubleshooting',
'design',
'faq',
'scanner-plugins',
'contributing',
'code-of-conduct',
'github-action',
'release'
]
{
type: 'category',
label: 'Getting Started',
collapsed: false,
items: [
'introduction',
'installation',
'quick-start',
'troubleshooting',
'faq',
],
},
{
type: 'category',
label: 'Features',
collapsed: false,
items: [
'github-action',
'custom-address',
'output',
'scanner-plugins',
],
},
{
type: 'category',
label: 'Contributing',
collapsed: false,
items: [
'contributing',
'code-of-conduct',
'design',
'development-tips',
'maintainer-guidelines',
'release',
],
},
],
};

module.exports = sidebars;
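Review bot: the Contributing category adds two ids, `development-tips` and `maintainer-guidelines`, that were not in the old flat list; the diff summary shows two files renamed without changes but does not name them, so confirm both ids match documents in `website/docs`, since Docusaurus fails the build on a sidebar id with no corresponding doc. Moving `design` under Contributing is defensible, though users evaluating the tool may look for it under Getting Started or Features.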