devtron-labs · prakash100198 · Jan 27, 2025 · Jan 13, 2025 · Jan 13, 2025 · Jan 13, 2025
@@ -5,7 +5,7 @@ go 1.22.4
 toolchain go1.22.6
 
 replace (
-	github.com/devtron-labs/common-lib => github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250116095544-33cda6744e2e
+	github.com/devtron-labs/common-lib => github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250124110806-5242f640f4e7
 	helm.sh/helm/v3 v3.14.3 => github.com/devtron-labs/helm/v3 v3.14.1-0.20240401080259-90238cf69e42
 )
 

@@ -54,8 +54,8 @@ github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250116095544-33cda6744e2e h1:VoqeZNqIWXGPhyNb8VMVJycOebYb96mGnIm3hejL/ro=
-github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250116095544-33cda6744e2e/go.mod h1:1QJJLpgJSkb5Jm9xPeKAk+kXb0QgBOOOgJj0cgYhAVA=
+github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250124110806-5242f640f4e7 h1:kXWh+Wtf8oLeWlZTMUxANjdI2GK4GXotqoXAneFWYLg=
+github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250124110806-5242f640f4e7/go.mod h1:1QJJLpgJSkb5Jm9xPeKAk+kXb0QgBOOOgJj0cgYhAVA=
 github.com/devtron-labs/helm/v3 v3.14.1-0.20240401080259-90238cf69e42 h1:pJmK44QaSztOiZe0iQHNf0sdy5KwkAeceydyhOG4RaY=
 github.com/devtron-labs/helm/v3 v3.14.1-0.20240401080259-90238cf69e42/go.mod h1:v6myVbyseSBJTzhmeE39UcPLNv6cQK6qss3dvgAySaE=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=

@@ -93,7 +93,7 @@ github.com/containerd/platforms
 # github.com/davecgh/go-spew v1.1.1
 ## explicit
 github.com/davecgh/go-spew/spew
-# github.com/devtron-labs/common-lib v0.0.0 => github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250116095544-33cda6744e2e
+# github.com/devtron-labs/common-lib v0.0.0 => github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250124110806-5242f640f4e7
 ## explicit; go 1.21
 github.com/devtron-labs/common-lib/git-manager/util
 github.com/devtron-labs/common-lib/helmLib/registry
@@ -789,4 +789,4 @@ sigs.k8s.io/structured-merge-diff/v4/value
 # sigs.k8s.io/yaml v1.3.0
 ## explicit; go 1.12
 sigs.k8s.io/yaml
-# github.com/devtron-labs/common-lib => github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250116095544-33cda6744e2e
+# github.com/devtron-labs/common-lib => github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250124110806-5242f640f4e7
@@ -144,6 +144,9 @@ func (impl *StageExecutorImpl) RunCiCdStep(stepType helper.StepType, ciCdRequest
 	var vars []*commonBean.VariableObject
 	if stepType == helper.STEP_TYPE_REF_PLUGIN {
 		vars, err = deduceVariables(step.InputVars, scriptEnvVariables, nil, nil, stageVariable)
+	} else if stepType == helper.STEP_TYPE_SCANNING {
+		// only global variables are supported here in image scanning step
+		vars, err = deduceVariables(step.InputVars, scriptEnvVariables, nil, nil, nil)
 	} else {
 		log.Printf("running step : %s\n", step.Name)
 		if stepType == helper.STEP_TYPE_PRE {

@@ -17,6 +17,8 @@
 package adaptor
 
 import (
+	bean2 "github.com/devtron-labs/ci-runner/executor/stage/bean"
+	util2 "github.com/devtron-labs/ci-runner/executor/util"
 	"github.com/devtron-labs/ci-runner/helper"
 	"github.com/devtron-labs/common-lib/constants"
 	"github.com/devtron-labs/common-lib/imageScan/bean"
@@ -42,3 +44,14 @@ func GetImageScanEvent(dest, digest string, commonWorkflowRequest *helper.Common
 		ImageScanRetryDelay: commonWorkflowRequest.ImageScanRetryDelay,
 	}
 }
+func GetImageScannerExecutorBean(ciCdRequest *helper.CiCdTriggerEvent, scriptEnvs *util2.ScriptEnvVariables, refStageMap map[int][]*helper.StepObject, metrics *helper.CIMetrics, artifactUploaded bool, dest string, digest string) *bean2.ImageScanningExecutorBean {
+	return &bean2.ImageScanningExecutorBean{
+		CiCdRequest:      ciCdRequest,
+		ScriptEnvs:       scriptEnvs,
+		RefStageMap:      refStageMap,
+		Metrics:          metrics,
+		ArtifactUploaded: artifactUploaded,
+		Dest:             dest,
+		Digest:           digest,
+	}
+}
@@ -0,0 +1,7 @@
+package helper
+
+import util2 "github.com/devtron-labs/ci-runner/executor/util"
+
+func SetKeyValueInGlobalSystemEnv(scriptEnvs *util2.ScriptEnvVariables, key, value string) {
+	scriptEnvs.SystemEnv[key] = value
+}
@@ -16,15 +16,28 @@
 
 package bean
 
-import "github.com/devtron-labs/common-lib/utils/bean"
+import (
+	util2 "github.com/devtron-labs/ci-runner/executor/util"
+	"github.com/devtron-labs/ci-runner/helper"
+)
 
 const (
 	ExternalCiArtifact = "externalCiArtifact"
 	ImageDigest        = "imageDigest"
 	UseAppDockerConfig = "useAppDockerConfig"
 	CiProjectDetails   = "ciProjectDetails"
 )
+const (
+	DigestGlobalEnvKey     = "DIGEST"
+	ScanToolIdGlobalEnvKey = "SCAN_TOOL_ID"
+)
 
-type DockerBuildStageMetadata struct {
-	TargetPlatforms []*bean.TargetPlatform `json:"targetPlatforms"`
+type ImageScanningExecutorBean struct {
+	CiCdRequest      *helper.CiCdTriggerEvent
+	ScriptEnvs       *util2.ScriptEnvVariables
+	RefStageMap      map[int][]*helper.StepObject
+	Metrics          *helper.CIMetrics
+	ArtifactUploaded bool
+	Dest             string
+	Digest           string
 }
@@ -24,6 +24,7 @@ import (
 	"github.com/devtron-labs/ci-runner/executor"
 	adaptor2 "github.com/devtron-labs/ci-runner/executor/adaptor"
 	cicxt "github.com/devtron-labs/ci-runner/executor/context"
+	helper2 "github.com/devtron-labs/ci-runner/executor/helper"
 	bean2 "github.com/devtron-labs/ci-runner/executor/stage/bean"
 	util2 "github.com/devtron-labs/ci-runner/executor/util"
 	"github.com/devtron-labs/ci-runner/helper"
@@ -257,6 +258,8 @@ func (impl *CiStage) runCIStages(ciContext cicxt.CiContext, ciCdRequest *helper.
 			return artifactUploaded, err
 		}
 	}
+	// setting digest in global env
+	helper2.SetKeyValueInGlobalSystemEnv(scriptEnvs, bean2.DigestGlobalEnvKey, digest)
 	var postCiDuration float64
 	start = time.Now()
 	metrics.PostCiStartTime = start
@@ -299,7 +302,7 @@ func (impl *CiStage) runCIStages(ciContext cicxt.CiContext, ciCdRequest *helper.
 	// scan only if ci scan enabled
 	if helper.IsEventTypeEligibleToScanImage(ciCdRequest.Type) &&
 		ciCdRequest.CommonWorkflowRequest.ScanEnabled {
-		err = runImageScanning(dest, digest, ciCdRequest, metrics, artifactUploaded)
+		err = impl.runImageScanning(adaptor2.GetImageScannerExecutorBean(ciCdRequest, scriptEnvs, refStageMap, metrics, artifactUploaded, dest, digest))
 		if err != nil {
 			return artifactUploaded, err
 		}
@@ -439,7 +442,12 @@ func (impl *CiStage) runPostCiSteps(ciCdRequest *helper.CiCdTriggerEvent, script
 	return pluginArtifactsFromFile, resultsFromPlugin, nil
 }
 
-func runImageScanning(dest string, digest string, ciCdRequest *helper.CiCdTriggerEvent, metrics *helper.CIMetrics, artifactUploaded bool) error {
+func (impl *CiStage) runImageScanning(imageScannerExecutor *bean2.ImageScanningExecutorBean) error {
+	ciCdRequest := imageScannerExecutor.CiCdRequest
+	dest, digest := imageScannerExecutor.Dest, imageScannerExecutor.Digest
+	metrics, artifactUploaded := imageScannerExecutor.Metrics, imageScannerExecutor.ArtifactUploaded
+	scriptEnvs, refStageMap := imageScannerExecutor.ScriptEnvs, imageScannerExecutor.RefStageMap
+
 	imageScanningStage := func() error {
 		log.Println("Image Scanning Started for digest", digest)
 		scanEvent := adaptor2.GetImageScanEvent(dest, digest, ciCdRequest.CommonWorkflowRequest)
@@ -454,7 +462,31 @@ func runImageScanning(dest string, digest string, ciCdRequest *helper.CiCdTrigge
 		log.Println("Image scanning completed with scanEvent", scanEvent)
 		return nil
 	}
-
+	imageScanningTaskExecution := func() error {
+		log.Println("Image Scanning Started")
+		for _, allSteps := range ciCdRequest.CommonWorkflowRequest.ImageScanningSteps {
+			scanToolId := allSteps.ScanToolId
+			tasks := allSteps.Steps
+			//setting scan tool id in script env
+			scriptEnvs.SystemEnv[bean2.ScanToolIdGlobalEnvKey] = strconv.Itoa(scanToolId)
+			// run image scanning steps
+			_, _, _, err := impl.stageExecutorManager.RunCiCdSteps(helper.STEP_TYPE_SCANNING, ciCdRequest.CommonWorkflowRequest, tasks, refStageMap, scriptEnvs, nil, true)
+			if err != nil {
+				log.Println("error in running pre Ci Steps", "err", err)
+				return helper.NewCiStageError(err).
+					WithMetrics(metrics).
+					WithFailureMessage(workFlow.ScanFailed.String()).
+					WithArtifactUploaded(artifactUploaded)
+			}
+		}
+		//unset scan tool id in script env
+		delete(scriptEnvs.SystemEnv, bean2.ScanToolIdGlobalEnvKey)
+		log.Println("Image scanning completed")
+		return nil
+	}
+	if ciCdRequest.CommonWorkflowRequest.ExecuteImageScanningVia.IsScanMediumExternal() {
+		return util.ExecuteWithStageInfoLog(util.IMAGE_SCAN, imageScanningTaskExecution)
+	}
 	return util.ExecuteWithStageInfoLog(util.IMAGE_SCAN, imageScanningStage)
 }
 

@@ -115,6 +115,7 @@ func GetGlobalEnvVariables(ciCdRequest *helper.CiCdTriggerEvent) (*ScriptEnvVari
 		RegistryCredentials, _ := json.Marshal(ciCdRequest.CommonWorkflowRequest.RegistryCredentialMap)
 		envs["REGISTRY_DESTINATION_IMAGE_MAP"] = string(RegistryDestinationImage)
 		envs["REGISTRY_CREDENTIALS"] = string(RegistryCredentials)
+		envs["AWS_INSPECTOR_CONFIG"] = ciCdRequest.CommonWorkflowRequest.AwsInspectorConfig
 	} else {
 		envs["DOCKER_IMAGE"] = ciCdRequest.CommonWorkflowRequest.CiArtifactDTO.Image
 		envs["DOCKER_IMAGE_TAG"] = ciCdRequest.CommonWorkflowRequest.DockerImageTag

@@ -4,7 +4,7 @@ go 1.21
 
 toolchain go1.21.8
 
-replace github.com/devtron-labs/common-lib => github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250122105919-b869ca3870fd
+replace github.com/devtron-labs/common-lib => github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250124110806-5242f640f4e7
 
 require (
 	github.com/Knetic/govaluate v3.0.0+incompatible

@@ -57,8 +57,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250122105919-b869ca3870fd h1:FMNCRCl/WTsiHylGF0FBPhhMWaIDn5RdKNMCYMP53Es=
-github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250122105919-b869ca3870fd/go.mod h1:1QJJLpgJSkb5Jm9xPeKAk+kXb0QgBOOOgJj0cgYhAVA=
+github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250124110806-5242f640f4e7 h1:kXWh+Wtf8oLeWlZTMUxANjdI2GK4GXotqoXAneFWYLg=
+github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250124110806-5242f640f4e7/go.mod h1:1QJJLpgJSkb5Jm9xPeKAk+kXb0QgBOOOgJj0cgYhAVA=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/docker/cli v24.0.6+incompatible h1:fF+XCQCgJjjQNIMjzaSmiKJSCcfcXb3TWTcc7GAneOY=

@@ -30,7 +30,8 @@ import (
 	"github.com/aws/aws-sdk-go/service/ecr"
 	"github.com/caarlos0/env"
 	cicxt "github.com/devtron-labs/ci-runner/executor/context"
-	bean2 "github.com/devtron-labs/ci-runner/executor/stage/bean"
+	bean2 "github.com/devtron-labs/ci-runner/helper/bean"
+
 	"github.com/devtron-labs/ci-runner/util"
 	"github.com/devtron-labs/common-lib/utils"
 	"github.com/devtron-labs/common-lib/utils/bean"

@@ -190,6 +190,9 @@ type CommonWorkflowRequest struct {
 	AsyncBuildxCacheExport        bool                           `json:"asyncBuildxCacheExport"`
 	UseDockerApiToGetDigest       bool                           `json:"useDockerApiToGetDigest"`
 	HostUrl                       string                         `json:"hostUrl"`
+	ImageScanningSteps            []*ImageScanningSteps          `json:"imageScanningSteps,omitempty"`
+	ExecuteImageScanningVia       bean2.ScanExecutionMedium      `json:"executeImageScanningVia,omitempty"`
+	AwsInspectorConfig            string                         `json:"awsInspectorConfig,omitempty"`
 }
 
 func (c *CommonWorkflowRequest) IsPreCdStage() bool {
@@ -208,7 +211,6 @@ func (c *CommonWorkflowRequest) GetCdStageType() PipelineType {
 	}
 	return ""
 }
-
 func (c *CommonWorkflowRequest) GetCloudHelperBaseConfig(blobStorageObjectType string) *util.CloudHelperBaseConfig {
 	return &util.CloudHelperBaseConfig{
 		StorageModuleConfigured: c.BlobStorageConfigured,
@@ -771,6 +773,11 @@ func GetImageScanningEvent(ciCdRequest CommonWorkflowRequest) ImageScanningEvent
 	return event
 }
 
+type ImageScanningSteps struct {
+	Steps      []*StepObject `json:"steps"`
+	ScanToolId int           `json:"scanToolId"`
+}
+
 func GetPrePostStageDisplayName(stageName string, stepType StepType) string {
 	if stepType == STEP_TYPE_PRE {
 		return fmt.Sprintf("%s (Pre-Build Task)", stageName)

@@ -0,0 +1,7 @@
+package bean
+
+import "github.com/devtron-labs/common-lib/utils/bean"
+
+type DockerBuildStageMetadata struct {
+	TargetPlatforms []*bean.TargetPlatform `json:"targetPlatforms"`
+}
@@ -39,6 +39,7 @@ const (
 	STEP_TYPE_REF_PLUGIN StepType = "REF_PLUGIN"
 	STEP_TYPE_PRE        StepType = "PRE"
 	STEP_TYPE_POST       StepType = "POST"
+	STEP_TYPE_SCANNING   StepType = "SCANNING"
 )
 
 type StepObject struct {