diff --git a/.claude-plugin/marketplace.json b/.claude-plugin/marketplace.json index ea95a38f..1f24949b 100644 --- a/.claude-plugin/marketplace.json +++ b/.claude-plugin/marketplace.json @@ -39,6 +39,11 @@ "source": "./plugins/session", "description": "A plugin for Claude session management and persistence" }, + { + "name": "security", + "source": "./plugins/security", + "description": "CVE analysis and container image vulnerability scanning for Red Hat ecosystem" + }, { "name": "sosreport", "source": "./plugins/sosreport", diff --git a/PLUGINS.md b/PLUGINS.md index 64d16086..f8f076fa 100644 --- a/PLUGINS.md +++ b/PLUGINS.md @@ -15,6 +15,7 @@ This document lists all available Claude Code plugins and their commands in the - [Olm](#olm-plugin) - [Openshift](#openshift-plugin) - [Prow Job](#prow-job-plugin) +- [Security](#security-plugin) - [Session](#session-plugin) - [Sosreport](#sosreport-plugin) - [Utils](#utils-plugin) @@ -176,6 +177,16 @@ A plugin to analyze and inspect Prow CI job results See [plugins/prow-job/README.md](plugins/prow-job/README.md) for detailed documentation. +### Security Plugin + +Container vulnerability grade reporting using container-grade-reporter tool + +**Commands:** +- **`/security:image-grades` ` [--grade ] [--email]`** - Generate container vulnerability grade report using container-grade-reporter +- **`/security:set-image-grade-tool-path` ``** - Configure the path to container-grade-reporter tool + +See [plugins/security/README.md](plugins/security/README.md) for detailed documentation. + ### Session Plugin A plugin to save and resume conversation sessions across long time intervals diff --git a/docs/data.json b/docs/data.json index af54da22..5781f5a3 100644 --- a/docs/data.json +++ b/docs/data.json @@ -301,6 +301,34 @@ "hooks": [], "has_readme": true }, + { + "name": "security", + "description": "CVE analysis and container image vulnerability scanning for Red Hat ecosystem", + "version": "0.1.0", + "commands": [ + { + "name": "image-grades", + "description": "Generate container vulnerability grade report using container-grade-reporter", + "synopsis": "/security:image-grades [--grade ] [--email]", + "argument_hint": " [--grade ] [--email]" + }, + { + "name": "set-image-grade-tool-path", + "description": "Configure the path to container-grade-reporter tool", + "synopsis": "/security:set-image-grade-tool-path ", + "argument_hint": "" + } + ], + "skills": [ + { + "name": "Container Grade Reporter Integration", + "id": "container-grade-reporter", + "description": "Integration guide for using the container-grade-reporter tool to fetch and process container vulnerability grades" + } + ], + "hooks": [], + "has_readme": true + }, { "name": "sosreport", "description": "Analyze sosreport archives for system diagnostics and troubleshooting", diff --git a/plugins/security/.claude-plugin/plugin.json b/plugins/security/.claude-plugin/plugin.json new file mode 100644 index 00000000..aefffa1f --- /dev/null +++ b/plugins/security/.claude-plugin/plugin.json @@ -0,0 +1,9 @@ +{ + "_comment": "Generated by Claude", + "name": "security", + "description": "Container vulnerability grade reporting using container-grade-reporter tool", + "version": "0.1.0", + "author": { + "name": "github.com/openshift-eng" + } +} \ No newline at end of file diff --git a/plugins/security/README.md b/plugins/security/README.md new file mode 100644 index 00000000..99cb1504 --- /dev/null +++ b/plugins/security/README.md @@ -0,0 +1,545 @@ + + +# Security Plugin + +Container vulnerability grade reporting for Red Hat ecosystem using the container-grade-reporter tool. + +## Overview + +The Security plugin provides automated vulnerability grade assessment for container images directly within Claude Code. It integrates with the container-grade-reporter tool, which fetches vulnerability data from Red Hat's Pyxis API, to provide instant vulnerability analysis without leaving your development environment. + +**Key capabilities:** +- **Container vulnerability grading** using Red Hat Pyxis API +- **Multi-architecture support** (amd64, arm64, ppc64le, s390x) +- **Release-based tracking** for OSSM and other Red Hat products +- **Automated reporting** with grade-focused summaries +- **Corporate environment compatibility** with Kerberos authentication + +This plugin simplifies the workflow of checking container vulnerability grades by providing a single command interface to the powerful container-grade-reporter tool. + +## Commands + +### `/security:set-image-grade-tool-path` + +Configure the location of the container-grade-reporter tool. + +**Usage:** +```text +/security:set-image-grade-tool-path +``` + +**Examples:** +```bash +# Configure tool path after cloning +/security:set-image-grade-tool-path ~/Code/container-grade-reporter + +# Configure with absolute path +/security:set-image-grade-tool-path /home/user/projects/container-grade-reporter + +# Configure workspace-relative path +/security:set-image-grade-tool-path ./container-grade-reporter +``` + +**What it does:** +- Validates the tool directory exists and contains required files +- Saves the path to `~/.config/ai-helpers/security-config.json` +- Enables `/security:image-grades` to locate the tool automatically + +### `/security:image-grades` + +Generate container vulnerability grade report for configured releases and components. + +**Usage:** +```text +/security:image-grades [--grade ] [--email] +``` + +**Examples:** +```bash +# Generate report for OSSM releases +/security:image-grades ~/ossm-releases.yaml + +# Generate report with specific configuration +/security:image-grades ./configs/security-check.yaml + +# Filter to show only high-risk grades (C, D, F) +/security:image-grades ~/ossm-releases.yaml --grade c,d,f + +# Generate and email the vulnerability report +/security:image-grades ./configs/security-check.yaml --email + +# Filter and email critical vulnerabilities only +/security:image-grades ~/ossm-releases.yaml --grade d,f --email +``` + +**Optional Arguments:** + +- **`--grade `**: Filter output to specific vulnerability grades + - Accepts comma-separated list of grades: A, B, C, D, F (case-insensitive) + - Examples: `--grade b`, `--grade c,d,f`, `--grade D,F` + - Useful for focusing on high-risk containers or specific grade ranges + +- **`--email`**: Send HTML email report instead of terminal output + - Requires SMTP configuration in the container-grade-reporter tool + - Generates professional HTML report with Red Hat branding + - Can be combined with `--grade` for filtered email alerts + +**Features:** +- **Automated execution**: Runs container-grade-reporter tool via Makefile +- **Grade visualization**: Color-coded grades (A-F scale with ✅⚠️❌ indicators) +- **Grade filtering**: Focus on specific vulnerability levels (--grade option) +- **Email reporting**: Professional HTML reports with Red Hat branding (--email option) +- **Multi-architecture analysis**: Shows architecture support and grade consistency +- **Release organization**: Groups results by release for clarity +- **Summary statistics**: Grade distribution and action items + +**Sample Output:** +```text +🛡️ Container Vulnerability Report +Generated: 2025-11-10 15:45:23 + +Release: OSSM 3.1 +════════════════════════════════════════ + +openshift-service-mesh/istio-cni-rhel9 + 1.26 → Grade: B ✅ | v1.26.5 | amd64,arm64,ppc64le,s390x | End: 2025-08-22 + +openshift-service-mesh/kiali-rhel9 + v2.11 → Grade: C ⚠️ | v2.11.3 | amd64,arm64 | End: 2025-06-15 + +════════════════════════════════════════ +Summary: 2 repositories | Grades: 1×B, 1×C +``` + +## Installation + +### Prerequisites + +1. **Container Grade Reporter Tool** + - Clone from: [container-grade-reporter](https://gitlab.cee.redhat.com/istio/servicemesh-qe/container-grade-reporter) + - Requires Red Hat internal network access + +2. **Kerberos Authentication** + - Service account keytab file (base64-encoded) + - Default location: `~/ossm-report-sa.keytab` + - Or set `KEYTAB_PATH` environment variable + - Note: The tool expects base64 format, not binary + +3. **System Requirements** + - Python 3.11+ (Python 3.12 recommended) + - Git, curl, make + - Access to Red Hat Pyxis API + +### Setup + +#### Step 1: Install Security Plugin + +```bash +# Add ai-helpers marketplace +/plugin marketplace add openshift-eng/ai-helpers + +# Install security plugin +/plugin install security@ai-helpers +``` + +#### Step 2: Clone Container Grade Reporter + +```bash +# Clone to your preferred location +cd ~/Code +git clone https://gitlab.cee.redhat.com/istio/servicemesh-qe/container-grade-reporter.git +``` + +#### Step 3: Configure Tool Path + +```bash +# Set the tool location +/security:set-image-grade-tool-path ~/Code/container-grade-reporter +``` + +#### Step 4: Verify Keytab + +Ensure your keytab file is available: +```bash +ls ~/ossm-report-sa.keytab + +# Or set custom location +export KEYTAB_PATH=/path/to/your/keytab +``` + +## Configuration + +### YAML Configuration File Format + +Create a YAML file defining the releases and components to track: + +```yaml +releases: + "OSSM 3.1": + components: + - repository: openshift-service-mesh/istio-cni-rhel9 + minimal_tag: ["1.26"] + - repository: openshift-service-mesh/istio-pilot-rhel9 + minimal_tag: ["1.26"] + - repository: openshift-service-mesh/kiali-rhel9 + minimal_tag: ["v2.11"] + skip_tag: ["v2.10"] + + "OSSM 2.6": + components: + - repository: openshift-service-mesh/pilot-rhel8 + minimal_tag: ["2.6"] + - repository: openshift-service-mesh/kiali-rhel8 + minimal_tag: ["v1.73"] +``` + +**Configuration Fields:** + +- `releases`: Top-level container for release definitions +- `"Release Name"`: User-friendly name (e.g., "OSSM 3.1", "RHEL 9.3") +- `components`: List of container repositories to check +- `repository`: Repository path (registry.access.redhat.com is implied) +- `minimal_tag`: Minimum version tags to include (filters older versions) +- `skip_tag`: (Optional) Specific tags to exclude + +**Tag Filtering:** + +- `minimal_tag: ["1.26"]` includes versions >= 1.26 +- `skip_tag: ["v2.10"]` excludes v2.10 and all patch versions +- Both v-prefixed and non-prefixed variants are matched + +## Authentication Setup + +### Keytab Configuration + +The container-grade-reporter tool requires Kerberos authentication via keytab file. + +**Default keytab location:** +```bash +~/ossm-report-sa.keytab +``` + +**Custom keytab location:** +```bash +export KEYTAB_PATH=/path/to/your/keytab +``` + +**Obtaining and preparing a keytab:** + +1. Request service account from Red Hat IT via ServiceNow +2. Generate keytab using Red Hat's IPA process (produces binary .keytab file) +3. Convert to base64 format for the container-grade-reporter tool: + ```bash + base64 your-keytab.keytab > ~/ossm-report-sa.keytab + ``` + +**Important**: The base64-encoded keytab is used by the tool's Makefile, which automatically decodes it before authentication. + +**Testing authentication:** + +```bash +# The Makefile handles authentication automatically +cd ~/Code/container-grade-reporter +make auth-setup +``` + +### Keytab Format Notes + +**Why base64 encoding?** + +The container-grade-reporter tool uses base64-encoded keytab files for: +- Easier storage in configuration management systems +- Compatibility with secret management tools (Vault, AWS Secrets Manager) +- Text-safe transmission and environment variable usage +- Automated CI/CD integration + +**The Makefile workflow:** +1. Reads base64 keytab from `~/ossm-report-sa.keytab` or `$KEYTAB_PATH` +2. Decodes to temporary binary file +3. Runs `kinit` with binary keytab +4. Cleans up temporary files + +**Manual testing:** +If you need to test Kerberos authentication manually outside the tool: +```bash +# Decode base64 keytab to binary for kinit +base64 -d ~/ossm-report-sa.keytab > /tmp/test.keytab +kinit -kt /tmp/test.keytab your-principal@IPA.REDHAT.COM +klist # Verify Kerberos ticket +rm /tmp/test.keytab # Cleanup +``` + +Note: Never use `kinit -kt` directly with the base64-encoded keytab - it will fail. + +## Usage Patterns + +### Basic Workflow + +```bash +# 1. Create configuration file +cat > my-releases.yaml << 'EOF' +releases: + "OSSM 3.1": + components: + - repository: openshift-service-mesh/istio-cni-rhel9 + minimal_tag: ["1.26"] +EOF + +# 2. Generate report +/security:image-grades my-releases.yaml +``` + +### Security Review Workflow + +```bash +# Check vulnerability grades before release +/security:image-grades ./releases/ossm-3.1.yaml + +# Review output for any grade C, D, or F containers +# Take action based on grades +``` + +### Continuous Monitoring + +```bash +# Regular weekly checks +/security:image-grades ~/configs/production-images.yaml + +# Compare results over time +# Track grade improvements or degradations +``` + +### Multi-Release Tracking + +```yaml +# all-releases.yaml +releases: + "OSSM 3.1": + components: + - repository: openshift-service-mesh/istio-cni-rhel9 + minimal_tag: ["1.26"] + + "OSSM 3.0": + components: + - repository: openshift-service-mesh/istio-cni-rhel9 + minimal_tag: ["1.24"] + + "OSSM 2.6": + components: + - repository: openshift-service-mesh/istio-cni-rhel8 + minimal_tag: ["2.6"] +``` + +```bash +/security:image-grades all-releases.yaml +``` + +## Grade Interpretation + +The vulnerability grading system uses Red Hat's A-F scale: + +| Grade | Meaning | Indicator | Action | +|-------|---------|-----------|--------| +| **A** | Excellent - No known vulnerabilities | ✅ | Production ready | +| **B** | Good - Minor vulnerabilities | ✅ | Acceptable for production | +| **C** | Moderate - Some vulnerabilities | ⚠️ | Review and plan updates | +| **D** | Poor - Significant vulnerabilities | ❌ | Update soon | +| **F** | Critical - Severe vulnerabilities | ❌ | Immediate action required | + +**Recommendations by grade:** + +- **A-B**: Low risk, production ready. Monitor for updates. +- **C**: Moderate risk, review recommended. Plan security updates. +- **D**: High risk, address soon. Schedule immediate patching. +- **F**: Critical risk, immediate attention required. Block deployments. + +## Multi-Architecture Support + +The plugin displays architecture information for each container image: + +**Grouped architectures** (when all have same grade/version): + +```text +openshift-service-mesh/istio-cni-rhel9 + 1.26 → Grade: B ✅ | v1.26.5 | amd64,arm64,ppc64le,s390x | End: 2025-08-22 +``` + +**Separate architectures** (when grades/versions differ): + +```text +openshift-service-mesh/example-repo + 2.6 → Grade: B ✅ | v2.6.5 | amd64 | End: 2025-08-20 + 2.6 → Grade: C ⚠️ | v2.6.4 | arm64 | End: 2025-08-15 +``` + +This helps identify: +- Architecture-specific vulnerabilities +- Update inconsistencies across architectures +- Deployment considerations for different platforms + +## Troubleshooting + +### Tool Not Found + +```text +Error: Container Grade Reporter not found +``` + +**Solutions:** + +1. Clone the repository: `git clone https://gitlab.cee.redhat.com/istio/servicemesh-qe/container-grade-reporter.git` +2. Configure path: `/security:set-image-grade-tool-path /path/to/container-grade-reporter` +3. Or clone into workspace: `./container-grade-reporter/` + +### Authentication Failure + +```text +Error: Kerberos authentication failed +``` + +**Solutions:** + +1. Verify keytab exists: `ls ~/ossm-report-sa.keytab` +2. Check keytab is base64 encoded: `file ~/ossm-report-sa.keytab` should show "ASCII text" +3. Test by decoding: `base64 -d ~/ossm-report-sa.keytab | file -` should show "data" +4. For manual authentication testing, decode first: + ```bash + base64 -d ~/ossm-report-sa.keytab > /tmp/test.keytab + kinit -kt /tmp/test.keytab your-principal@IPA.REDHAT.COM + klist # Verify ticket + rm /tmp/test.keytab + ``` +5. Contact Red Hat IT for keytab issues + +### Network Issues + +```text +Error: Cannot connect to pyxis.engineering.redhat.com +``` + +**Solutions:** + +1. Connect to Red Hat VPN +2. Verify network access: `curl -k https://pyxis.engineering.redhat.com/v1/` +3. Check proxy configuration + +### Invalid YAML + +```text +Error: Invalid YAML configuration file +``` + +**Solutions:** + +1. Validate YAML syntax: `python -c "import yaml; yaml.safe_load(open('config.yaml'))"` +2. Check indentation (use spaces, not tabs) +3. Verify structure matches releases/components format + +### Python Version + +```text +Error: Python 3.12 not found +``` + +**Solutions:** + +1. Install Python 3.12: `sudo dnf install python3.12` +2. Or use available Python 3.x (Makefile will fallback automatically) + +## Skills Reference + +### Container Grade Reporter Integration Skill + +**Location:** `skills/container-grade-reporter/SKILL.md` + +Comprehensive implementation guidance for: +- Tool installation and setup +- Authentication configuration (Kerberos keytab) +- YAML configuration format +- Manual tool execution +- JSON parsing and formatting +- Advanced troubleshooting +- Integration patterns + +**Use cases:** +- First-time tool setup +- Custom integration development +- Advanced configuration scenarios +- Troubleshooting complex issues + +## Advanced Usage + +### Manual Tool Execution + +For debugging or custom workflows: + +```bash +cd ~/Code/container-grade-reporter + +# Generate JSON output +make run-output OUTPUT=/tmp/grades.json CONFIG=~/my-config.yaml + +# Generate HTML email report +make dry-run-email + +# Filter by grade +make run-grade GRADES='C,D,F' +``` + +### JSON Output + +The tool generates JSON output that can be parsed for custom reporting: + +```bash +# Generate report and save JSON +/security:image-grades my-config.yaml + +# JSON is saved to /tmp/security-image-grades-/grades.json +# Parse with jq or Python for custom analysis +``` + +### Environment Variables + +Customize tool behavior: + +```bash +# Custom keytab location +export KEYTAB_PATH=/path/to/keytab + +# Custom registry (default: registry.access.redhat.com) +export REGISTRY=custom.registry.com + +# SSL verification (for corporate environments) +export VERIFY_SSL=false +``` + +## Contributing + +### Adding New Features + +Follow the ai-helpers command definition format: + +1. Create command file: `commands/new-command.md` +2. Include required sections: Name, Synopsis, Description, Implementation +3. Add examples and comprehensive argument documentation +4. Test with `make lint` to validate structure + +### Extending Capabilities + +Potential enhancements: +- **Historical tracking**: Compare grades over time +- **Automated alerting**: Notify on grade changes +- **Custom filtering**: More advanced repository selection +- **Batch processing**: Multiple configuration files +- **Integration**: Export to other systems (JIRA, spreadsheets) + +## Support + +- **Issues**: [openshift-eng/ai-helpers/issues](https://github.com/openshift-eng/ai-helpers/issues) +- **Documentation**: ai-helpers repository README and AGENTS.md +- **Authentication**: Contact Red Hat IT for keytab and API access +- **Tool Repository**: [container-grade-reporter](https://gitlab.cee.redhat.com/istio/servicemesh-qe/container-grade-reporter) + +## License + +This plugin is part of the ai-helpers repository and follows the same licensing terms. See the main repository LICENSE file for details. diff --git a/plugins/security/commands/image-grades.md b/plugins/security/commands/image-grades.md new file mode 100644 index 00000000..93dd7e39 --- /dev/null +++ b/plugins/security/commands/image-grades.md @@ -0,0 +1,530 @@ +--- +description: Generate container vulnerability grade report using container-grade-reporter +argument-hint: [--grade ] [--email] +--- + + + +## Name + +security:image-grades + +## Synopsis + +```text +/security:image-grades [--grade ] [--email] +``` + +## Description + +The `security:image-grades` command generates a vulnerability grade report for container images using the Red Hat Pyxis API via the container-grade-reporter tool. It processes a YAML configuration file containing releases and components, fetches vulnerability grades, and presents a formatted report. + +This command is useful for: + +- **Release vulnerability assessment**: Check grades for all images in a release +- **Multi-architecture analysis**: View grades across different architectures +- **Security monitoring**: Track vulnerability grades over time +- **Compliance reporting**: Generate reports for security reviews + +The command uses the container-grade-reporter tool which must be installed and configured using `/security:set-image-grade-tool-path` or cloned into the workspace. + +## Implementation + +1. **Validate YAML Configuration File**: Check that the input file exists and is readable + + - Error if file path not provided + - Error if file does not exist + - Verify file is readable + +2. **Locate Container Grade Reporter Tool**: Find the tool installation + + **Priority order:** + - Check saved path in `~/.config/ai-helpers/security-config.json` + - Check `./container-grade-reporter/` in current directory + - Check `../container-grade-reporter/` in parent directory + + **If not found:** + - Display error: "Container Grade Reporter not found. Please run /security:set-image-grade-tool-path or clone the repository into your workspace" + - Provide clone command: `git clone https://gitlab.cee.redhat.com/istio/servicemesh-qe/container-grade-reporter.git` + +3. **Verify Prerequisites**: Check for required tools and configuration + + - Verify keytab file exists at `~/ossm-report-sa.keytab` or `$KEYTAB_PATH` + - If keytab not found, provide setup instructions + - Verify Makefile exists in tool directory + +4. **Prepare Output Location**: Create temporary output directory + + - Use `/tmp/security-image-grades-/` for output + - Ensure directory is created with appropriate permissions + +5. **Execute Container Grade Reporter**: Run the tool using Makefile + + **Execution mode depends on `--email` flag:** + + **Without `--email` (default - generate JSON output):** + ```bash + cd + make run-output OUTPUT=/grades.json CONFIG= + ``` + + **With `--email` (send email report):** + + Without grade filter: + ```bash + cd + make email CONFIG= + ``` + + With grade filter: + ```bash + cd + make email-grade GRADES='' CONFIG= + ``` + Example: `make email-grade GRADES='B,C,D' CONFIG=/path/to/config.yaml` + + **Note:** The Makefile automatically handles: + - Python version detection (3.12+ or fallback to available Python 3.x) + - Virtual environment setup + - Dependency installation + - Kerberos authentication with keytab + - Email delivery (when using `make email`) + + Display progress messages while tool runs (this may take several minutes for multiple repositories) + +6. **Parse JSON Output**: Read and parse the generated JSON file (skipped if `--email` is used) + + **Only when `--email` is NOT specified:** + - Read `grades.json` from output directory + - Parse JSON structure + - Handle malformed JSON gracefully + + **When `--email` IS specified:** + - Email is sent directly by the script + - Skip JSON parsing and formatting steps + - Proceed to confirmation message + +7. **Apply Grade Filter** (if `--grade` argument provided): Filter results by specified grades + + - Check if `--grade` argument was provided + - Parse grade values: split by comma, normalize to uppercase (e.g., "b,c" → ["B", "C"]) + - Validate each grade is in the valid set: A, B, C, D, F + - If invalid grade found, display error and list valid options + + **When `--email` is NOT specified:** + - Filter JSON data to only include entries where `grade` matches the filter + - If no matches found after filtering, display informative message + - Store filter information for report formatting + + **When `--email` IS specified:** + - Pass grade filter to the script using the `email-grade` make target + - Script handles filtering internally before sending email + - Format: `make email-grade GRADES='B,C,D' CONFIG=` + +8. **Format Vulnerability Report**: Convert JSON to readable text format (skipped if `--email` is used) + + **Only performed when `--email` is NOT specified.** + + **Output format depends on whether grade filter is active:** + + **Without filter (default):** + + **For each release in the configuration:** + - Display release name as header + - For each repository: + - Repository name + - For each tag: + - Tag version + - Vulnerability grade (A-F) with color indicator + - Latest patch version + - Architecture support (grouped if all architectures have same grade/version) + - End date + + **Summary section:** + - Total repositories processed + - Grade distribution (count by grade: A, B, C, D, F) + - Highlight any critical grades (D, F) + + **With filter (when `--grade` is specified):** + + Display simplified summary listing only matching images: + - Header showing filtered grade(s) + - For each matching image: + - Format: `repository:tag → Grade: X | version | architectures` + - Group entries by grade for readability + - Summary: Count of images per grade + +9. **Display Results**: Present formatted report to user + + **When `--email` is NOT specified:** + - Use clear visual separators + - Color-code grades: A/B=✅, C=⚠️, D/F=❌ + - Include actionable summary + - Show JSON output location + + **When `--email` IS specified:** + - Display confirmation message + - Include email recipients and subject + - Note that HTML report was sent + - Provide location of generated HTML file for reference + +10. **Cleanup**: Remove temporary files but preserve JSON for reference + + - Keep JSON output for debugging: inform user of location + - Remove any temporary copied configuration files + +## Return Value + +- **Format**: Formatted text report with vulnerability grades + +**Example Output:** +```text +🛡️ Container Vulnerability Report +Generated: 2025-11-10 15:45:23 + +Release: OSSM 3.1 +════════════════════════════════════════ + +openshift-service-mesh/istio-cni-rhel9 + 1.26 → Grade: B ✅ | v1.26.5 | amd64,arm64,ppc64le,s390x | End: 2025-08-22 + +openshift-service-mesh/istio-pilot-rhel9 + 1.26 → Grade: B ✅ | v1.26.4 | amd64,arm64,ppc64le,s390x | End: 2025-08-20 + +openshift-service-mesh/kiali-rhel9 + v2.11 → Grade: C ⚠️ | v2.11.3 | amd64,arm64 | End: 2025-06-15 + +Release: OSSM 2.6 +════════════════════════════════════════ + +openshift-service-mesh/pilot-rhel8 + 2.6 → Grade: D ❌ | v2.6.8 | amd64,arm64,ppc64le,s390x | End: 2024-12-31 + +════════════════════════════════════════ +Summary: + Total repositories: 4 + Grade distribution: 2×B, 1×C, 1×D + ⚠️ Action required: 1 repository with grade D needs immediate attention + +JSON output saved: /tmp/security-image-grades-20251110-154523/grades.json +``` + +**Filtered Output Example (with `--grade b`):** +```text +🛡️ Filtered Container Vulnerability Report (Grade: B) +Generated: 2025-11-10 15:45:23 + +Grade B Images: +════════════════════════════════════════ +openshift-service-mesh/istio-cni-rhel9:1.26 → Grade: B | v1.26.5 | amd64,arm64,ppc64le,s390x +openshift-service-mesh/istio-pilot-rhel9:1.26 → Grade: B | v1.26.4 | amd64,arm64,ppc64le,s390x + +════════════════════════════════════════ +Summary: 2 images with grade B + +JSON output saved: /tmp/security-image-grades-20251110-154523/grades.json +``` + +**Filtered Output Example (with `--grade c,d,f`):** +```text +🛡️ Filtered Container Vulnerability Report (Grades: C, D, F) +Generated: 2025-11-10 15:45:23 + +Grade C Images: +════════════════════════════════════════ +openshift-service-mesh/kiali-rhel9:v2.11 → Grade: C | v2.11.3 | amd64,arm64 + +Grade D Images: +════════════════════════════════════════ +openshift-service-mesh/pilot-rhel8:2.6 → Grade: D | v2.6.8 | amd64,arm64,ppc64le,s390x + +════════════════════════════════════════ +Summary: 2 images (1×C, 1×D) +⚠️ Action required: 1 repository with grade D needs immediate attention + +JSON output saved: /tmp/security-image-grades-20251110-154523/grades.json +``` + +**Email Output Example (with `--email`):** +```text +🛡️ Container Vulnerability Report - Email Sent +Generated: 2025-11-10 15:45:23 + +✉️ Email report has been sent successfully! + +Recipients: [configured in script] +Subject: Container Vulnerability Report - 2025-11-10 + +The HTML report includes: +- 4 repositories analyzed +- Grade distribution: 2×B, 1×C, 1×D +- Detailed vulnerability information +- Architecture-specific data + +HTML report saved: /tmp/security-image-grades-20251110-154523/vulnerability_report_20251110.html +JSON data saved: /tmp/security-image-grades-20251110-154523/grades.json +``` + +**Email Output Example (with `--grade` and `--email`):** +```text +🛡️ Filtered Container Vulnerability Report - Email Sent +Generated: 2025-11-10 15:45:23 + +Filter: Grades D, F + +✉️ Email report has been sent successfully! + +Recipients: [configured in script] +Subject: Container Vulnerability Report (Grades: D, F) - 2025-11-10 + +The HTML report includes: +- 1 repository with critical vulnerabilities +- Only showing grades: D, F +- Detailed vulnerability information + +HTML report saved: /tmp/security-image-grades-20251110-154523/vulnerability_report_20251110.html +``` + +## Examples + +1. **Generate report for OSSM releases**: + ```bash + /security:image-grades ~/ossm-releases.yaml + ``` + +2. **Generate report with specific configuration**: + ```bash + /security:image-grades ./configs/ossm-3.1.yaml + ``` + +3. **Generate report after setting tool path**: + ```bash + /security:set-image-grade-tool-path ~/Code/container-grade-reporter + /security:image-grades ./my-releases.yaml + ``` + +4. **Filter by specific grade**: + ```bash + /security:image-grades ~/releases.yaml --grade b + ``` + +5. **Filter by multiple grades**: + ```bash + /security:image-grades ~/releases.yaml --grade c,d,f + ``` + +6. **Check for critical vulnerabilities only**: + ```bash + /security:image-grades ./configs/ossm-3.1.yaml --grade d,f + ``` + +7. **Send email report**: + ```bash + /security:image-grades ~/releases.yaml --email + ``` + +8. **Send filtered email report**: + ```bash + /security:image-grades ~/releases.yaml --grade c,d,f --email + ``` + +9. **Email only critical vulnerabilities to team**: + ```bash + /security:image-grades ./configs/ossm-3.1.yaml --grade d,f --email + ``` + +## Arguments + +- **$1**: YAML configuration file path + - Required: Yes + - Format: Path to YAML file with releases/components structure + - Example: `~/configs/ossm.yaml`, `./releases.yaml` + +- **$2**: Grade filter (optional) + - Required: No + - Format: `--grade ` where grades are a comma-separated list + - Valid grades: A, B, C, D, F (case-insensitive) + - Examples: `--grade b`, `--grade c,d,f`, `--grade D,F` + - When specified, only images with matching grades are displayed in simplified format + - When omitted, all grades are shown in detailed format + +- **$3**: Email flag (optional) + - Required: No + - Format: `--email` + - When specified, sends an HTML email report instead of displaying results in terminal + - Can be combined with `--grade` to send filtered reports + - Requires SMTP configuration in the container-grade-reporter tool + - Email recipients and SMTP settings are configured in the tool's configuration + +## Configuration File Format + +The YAML configuration file must follow this structure: + +```yaml +releases: + "OSSM 3.1": + components: + - repository: openshift-service-mesh/istio-cni-rhel9 + minimal_tag: ["1.26"] + - repository: openshift-service-mesh/kiali-rhel9 + minimal_tag: ["v2.11"] + skip_tag: ["v2.10"] + + "OSSM 2.6": + components: + - repository: openshift-service-mesh/pilot-rhel8 + minimal_tag: ["2.6"] +``` + +**Fields:** +- `releases`: Top-level key containing release definitions +- `"Release Name"`: Name of the release (e.g., "OSSM 3.1") +- `components`: List of repositories to check +- `repository`: Full repository path +- `minimal_tag`: List of minimum tags to include (filters out older versions) +- `skip_tag`: (Optional) List of tags to exclude + +## Error Handling + +**Common errors:** + +1. **Missing configuration file**: + ```text + Error: Configuration file not found: /path/to/config.yaml + Usage: /security:image-grades + ``` + +2. **Tool not found**: + ```text + Error: Container Grade Reporter not found. + + Please either: + 1. Set tool path: /security:set-image-grade-tool-path + 2. Clone into workspace: git clone https://gitlab.cee.redhat.com/istio/servicemesh-qe/container-grade-reporter.git + + Searched locations: + - Config: ~/.config/ai-helpers/security-config.json (not found) + - Workspace: ./container-grade-reporter/ (not found) + - Parent: ../container-grade-reporter/ (not found) + ``` + +3. **Missing keytab**: + ```text + Error: Keytab file not found: ~/ossm-report-sa.keytab + + The container-grade-reporter requires Kerberos authentication. + Please ensure your keytab file is available at: + - ~/ossm-report-sa.keytab (default) + - Or set KEYTAB_PATH environment variable + + Contact Red Hat IT for keytab access. + ``` + +4. **Invalid YAML format**: + ```text + Error: Invalid YAML configuration file. + + The configuration file must follow this structure: + releases: + "Release Name": + components: + - repository: path/to/repo + minimal_tag: ["tag"] + + Please check your configuration file syntax. + ``` + +5. **Tool execution failure**: + ```text + Error: Container Grade Reporter execution failed. + + Check the tool output above for details. + Common issues: + - Authentication failure (check keytab) + - Network connectivity to Pyxis API + - Invalid repository names in configuration + + For manual troubleshooting, run: + cd && make run + ``` + +6. **Invalid grade filter**: + ```text + Error: Invalid grade specified: 'X' + + Valid grades are: A, B, C, D, F + Examples: + - /security:image-grades config.yaml --grade b + - /security:image-grades config.yaml --grade c,d,f + ``` + +7. **No images matching filter**: + ```text + No images found matching grade filter: B + + The scan completed successfully but no images have grade B. + Try running without --grade filter to see all results: + /security:image-grades config.yaml + + JSON output saved: /tmp/security-image-grades-20251110-154523/grades.json + ``` + +8. **Email configuration not set**: + ```text + Error: Email delivery failed - SMTP not configured + + The --email flag requires SMTP configuration in the container-grade-reporter tool. + Please configure email settings in the tool's configuration file. + + Configuration location: /config/email_config.yaml + See tool documentation for SMTP setup instructions. + ``` + +9. **Email delivery failure**: + ```text + Error: Failed to send email report + + The report was generated successfully but email delivery failed. + Possible causes: + - SMTP server unreachable + - Authentication failure + - Invalid recipient addresses + + HTML report saved locally: /tmp/security-image-grades-20251110-154523/vulnerability_report.html + You can manually share this file with recipients. + ``` + +## Prerequisites + +1. **Container Grade Reporter Tool**: + - Clone: `git clone https://gitlab.cee.redhat.com/istio/servicemesh-qe/container-grade-reporter.git` + - Configure: `/security:set-image-grade-tool-path /path/to/container-grade-reporter` + +2. **Kerberos Authentication**: + - Keytab file at `~/ossm-report-sa.keytab` or `$KEYTAB_PATH` + - Contact Red Hat IT for keytab access + +3. **Network Access**: + - Access to Red Hat Pyxis API (pyxis.engineering.redhat.com) + - Corporate network or VPN connection may be required + +4. **Email Configuration** (only required when using `--email` flag): + - SMTP server configuration in container-grade-reporter tool + - Email recipients list configured + - SMTP authentication credentials (if required) + - See container-grade-reporter documentation for email setup + +## Notes + +- The tool execution may take several minutes depending on the number of repositories +- Progress is shown in real-time during execution +- JSON output is preserved for debugging and further processing +- The Makefile handles all Python setup, dependencies, and authentication automatically +- Multi-architecture data is grouped when all architectures have identical grades and versions +- When using `--email`, the report is sent as HTML and no terminal output is displayed +- Email reports can be combined with `--grade` filtering to send targeted alerts +- The script uses `make email` (without filter) or `make email-grade GRADES='X,Y,Z'` (with filter) +- To preview HTML email without sending, run: `cd && make dry-run-email CONFIG=` +- All make targets automatically handle virtual environment setup, dependencies, and Kerberos auth + + diff --git a/plugins/security/commands/set-image-grade-tool-path.md b/plugins/security/commands/set-image-grade-tool-path.md new file mode 100644 index 00000000..d74bd22b --- /dev/null +++ b/plugins/security/commands/set-image-grade-tool-path.md @@ -0,0 +1,117 @@ +--- +description: Configure the path to container-grade-reporter tool +argument-hint: +--- + + + +## Name + +security:set-image-grade-tool-path + +## Synopsis + +```text +/security:set-image-grade-tool-path +``` + +## Description + +The `security:set-image-grade-tool-path` command configures the location of the container-grade-reporter tool on your system. This is a one-time setup step that saves the tool's path to a configuration file, eliminating the need to specify it for each run. + +The path is stored in `~/.config/ai-helpers/security-config.json` and is used by the `/security:image-grades` command to locate the tool. + +This command is useful for: + +- **Initial setup**: Configure tool location after cloning the repository +- **Flexible deployment**: Support multiple installations or custom locations +- **Persistent configuration**: Set once and use across all projects + +## Implementation + +1. **Validate Input Path**: Check that the provided path argument exists + + - Error if path is not provided + - Error if path does not exist + - Expand tilde (~) in paths to absolute paths + +2. **Verify Tool Installation**: Confirm the path contains container-grade-reporter + + - Check for `main.py` file + - Check for `requirements.txt` file + - Check for `Makefile` file + - If validation fails, provide helpful error message + +3. **Create Configuration Directory**: Ensure config directory exists + + - Create `~/.config/ai-helpers/` if it doesn't exist + - Set appropriate permissions (755) + +4. **Save Configuration**: Write tool path to config file + + - File location: `~/.config/ai-helpers/security-config.json` + - Format: `{"tool_path": "/absolute/path/to/container-grade-reporter"}` + - Use JSON format for easy parsing + +5. **Confirm Success**: Display confirmation message + + - Show the configured path + - Suggest next step: using `/security:image-grades` + +## Return Value + +- **Format**: Confirmation message with configured path + +**Example Output:** +```text +✅ Container Grade Reporter path configured successfully! + +Path: /home/user/Code/container-grade-reporter + +Next steps: +1. Ensure keytab file exists: ~/ossm-report-sa.keytab +2. Create a YAML config file with your releases/components +3. Run: /security:image-grades path/to/config.yaml +``` + +## Examples + +1. **Configure tool path**: + ```bash + /security:set-image-grade-tool-path ~/Code/container-grade-reporter + ``` + +2. **Configure with absolute path**: + ```bash + /security:set-image-grade-tool-path /home/user/projects/container-grade-reporter + ``` + +3. **Configure workspace-relative path**: + ```bash + /security:set-image-grade-tool-path ./container-grade-reporter + ``` + +## Arguments + +- **$1**: Path to container-grade-reporter directory + - Required: Yes + - Format: Absolute or relative directory path + - Examples: `~/Code/container-grade-reporter`, `/opt/container-grade-reporter`, `./container-grade-reporter` + +## Error Handling + +**Common errors:** + +- **Missing argument**: "Error: Path argument required. Usage: /security:set-image-grade-tool-path " +- **Path not found**: "Error: Path does not exist: /path/to/tool" +- **Invalid tool directory**: "Error: Path does not contain container-grade-reporter files (main.py, requirements.txt, Makefile)" +- **Permission issues**: "Error: Cannot create config directory ~/.config/ai-helpers/" + +## Notes + +- The configuration is stored per-user in `~/.config/ai-helpers/` +- Paths are stored as absolute paths for consistency +- Running this command again will overwrite the previous configuration +- The `/security:image-grades` command will fall back to workspace-relative paths if config is not found + + diff --git a/plugins/security/skills/container-grade-reporter/SKILL.md b/plugins/security/skills/container-grade-reporter/SKILL.md new file mode 100644 index 00000000..ff9e3285 --- /dev/null +++ b/plugins/security/skills/container-grade-reporter/SKILL.md @@ -0,0 +1,499 @@ +--- +name: Container Grade Reporter Integration +description: Integration guide for using the container-grade-reporter tool to fetch and process container vulnerability grades +--- + + + +# Container Grade Reporter Integration + +This skill provides comprehensive guidance for integrating with the container-grade-reporter tool, which fetches vulnerability grades for container images from the Red Hat Pyxis API and generates detailed reports. + +## When to Use This Skill + +Use this skill when you need to: + +- Set up the container-grade-reporter tool for the first time +- Configure authentication with Red Hat Pyxis API using Kerberos keytab +- Create YAML configuration files for release tracking +- Run the tool to generate vulnerability reports +- Parse and format JSON output from the tool +- Troubleshoot common issues (authentication, dependencies, Python versions) + +## Prerequisites + +1. **Access to Red Hat Internal Systems** + + - Red Hat corporate network access or VPN + - Access to gitlab.cee.redhat.com + - Access to pyxis.engineering.redhat.com + +2. **Kerberos Authentication** + + - Service account with Pyxis API access + - Keytab file for automated authentication + - Contact Red Hat IT if you need keytab access + +3. **System Requirements** + + - Python 3.11+ (Python 3.12 recommended) + - Git for cloning the repository + - curl (for Kerberos authentication) + - make (for build automation) + +## Implementation Steps + +### Step 1: Clone the Repository + +Clone the container-grade-reporter repository from GitLab: + +```bash +# Clone to your preferred location +cd ~/Code +git clone https://gitlab.cee.redhat.com/istio/servicemesh-qe/container-grade-reporter.git + +# Or clone into your current workspace +git clone https://gitlab.cee.redhat.com/istio/servicemesh-qe/container-grade-reporter.git +``` + +**Repository structure:** +```text +container-grade-reporter/ +├── main.py # Entry point +├── Makefile # Build automation +├── requirements.txt # Python dependencies +├── tags.yaml # Configuration file +├── src/ # Source code +│ ├── api/ # Pyxis API client +│ ├── config/ # Configuration loading +│ ├── core/ # Core business logic +│ └── email/ # Email reporting +└── output/ # Generated reports (created at runtime) +``` + +### Step 2: Configure Tool Path + +Use the `/security:set-image-grade-tool-path` command to configure the tool location: + +```bash +# Set the path to where you cloned the repository +/security:set-image-grade-tool-path ~/Code/container-grade-reporter +``` + +This saves the configuration to `~/.config/ai-helpers/security-config.json`: +```json +{ + "tool_path": "/home/user/Code/container-grade-reporter" +} +``` + +### Alternative: Workspace-relative installation + +If you don't use `/security:set-image-grade-tool-path`, the `/security:image-grades` command will search: +1. `./container-grade-reporter/` (current directory) +2. `../container-grade-reporter/` (parent directory) + +### Step 3: Authentication Setup + +The tool requires Kerberos authentication to access the Red Hat Pyxis API. + +**Keytab file location:** + +The tool looks for the keytab file at: +- Default: `~/ossm-report-sa.keytab` +- Custom: Set `KEYTAB_PATH` environment variable + +**Obtaining a keytab:** + +1. Request service account from Red Hat IT via ServiceNow +2. Follow Red Hat's IPA keytab generation process +3. Convert keytab to base64 format for the tool: + ```bash + base64 your-keytab.keytab > ~/ossm-report-sa.keytab + ``` + **Why base64?** The Makefile expects base64 and handles decoding automatically. + +**Testing authentication:** + +```bash +# If you have the original binary keytab: +kinit -kt ~/your-keytab.keytab your-principal@IPA.REDHAT.COM + +# If you only have the base64 version, decode first: +base64 -d ~/ossm-report-sa.keytab > /tmp/test.keytab +kinit -kt /tmp/test.keytab your-principal@IPA.REDHAT.COM +klist # Verify ticket is valid +rm /tmp/test.keytab # Cleanup +``` + +**Note:** The Makefile automatically handles keytab decoding and kinit when running the tool. + +### Step 4: Create YAML Configuration + +Create a YAML configuration file defining the releases and components to track: + +```yaml +releases: + "OSSM 3.1": + components: + - repository: openshift-service-mesh/istio-cni-rhel9 + minimal_tag: ["1.26"] + - repository: openshift-service-mesh/istio-pilot-rhel9 + minimal_tag: ["1.26"] + - repository: openshift-service-mesh/kiali-rhel9 + minimal_tag: ["v2.11"] + skip_tag: ["v2.10"] + + "OSSM 2.6": + components: + - repository: openshift-service-mesh/pilot-rhel8 + minimal_tag: ["2.6"] + - repository: openshift-service-mesh/kiali-rhel8 + minimal_tag: ["v1.73"] +``` + +**Configuration fields:** + +- `releases`: Top-level container for release definitions +- `"Release Name"`: User-friendly name for the release (e.g., "OSSM 3.1") +- `components`: List of container repositories to check +- `repository`: Full path to the repository (registry is implied as registry.access.redhat.com) +- `minimal_tag`: Array of minimum version tags to include (filters out older versions) +- `skip_tag`: (Optional) Array of tags to exclude from results + +**Tag filtering behavior:** + +- `minimal_tag: ["1.26"]` includes versions >= 1.26 (e.g., 1.26, 1.27, 1.28) +- `skip_tag: ["v2.10"]` excludes v2.10 and all patch versions (v2.10.0, v2.10.1, etc.) +- Both v-prefixed and non-prefixed variants are matched (v1.26 matches 1.26.x) + +### Step 5: Run the Tool + +**Using the Claude command (recommended):** + +```bash +/security:image-grades ~/my-config.yaml +/security:image-grades ~/my-config.yaml --grade b +/security:image-grades ~/my-config.yaml --grade d,f --email +``` + +### Manual execution using Makefile + +```bash +cd ~/Code/container-grade-reporter + +# Generate JSON output (default) +make run CONFIG=tags.yaml + +# Generate JSON with custom output path +make run-output OUTPUT=/tmp/grades.json CONFIG=~/my-config.yaml + +# Filter by grades +make run-grade GRADES='B,C,D' CONFIG=tags.yaml + +# Send email report +make email CONFIG=tags.yaml + +# Send filtered email report +make email-grade GRADES='D,F' CONFIG=tags.yaml +``` + +**What the Makefile does automatically:** + +1. Detects Python version (3.12+ or falls back to available Python 3.x) +2. Creates virtual environment in `/tmp/ossm-grade-reporter-venv` +3. Installs dependencies from requirements.txt (including premailer for email) +4. Decodes base64 keytab file +5. Runs kinit for Kerberos authentication +6. Executes main.py with specified parameters +7. Cleans up temporary keytab files +8. Handles all script execution via helper scripts in `scripts/` directory + +**Execution time:** + +The tool queries the Pyxis API for each repository. Expect: +- 1-2 seconds per repository +- 30-60 seconds for 20-30 repositories +- Progress is shown in real-time + +### Step 6: Parse JSON Output + +The tool generates JSON output with vulnerability grades: + +```json +{ + "openshift-service-mesh/istio-cni-rhel9": { + "repository_id": "abc123", + "grades": { + "1.26": { + "grade": "B", + "architectures": ["amd64", "arm64", "ppc64le", "s390x"], + "latest_tag": "1.26.5", + "end_date": "2025-08-22T05:06:37+00:00" + } + } + } +} +``` + +**JSON structure:** + +- **Repository key**: Full repository path +- `repository_id`: Pyxis internal repository ID +- `grades`: Object containing Y-version tags (major.minor) +- **Tag key**: Y-version tag (e.g., "1.26", "v2.11") +- `grade`: Vulnerability grade (A, B, C, D, F) +- `architectures`: Array of architectures (when all have same grade/version) +- `architecture`: Single architecture string (when grades/versions differ) +- `latest_tag`: Latest patch version for this Y-version +- `end_date`: ISO 8601 timestamp when this grade expires/downgrades + +**Multi-architecture handling:** + +- **Grouped format** (`architectures` array): All architectures have identical grade and version +- **Separate format** (`architecture` string): Architectures have different grades or versions + +### Step 7: Format the Report + +Convert JSON to human-readable format: + +```python +import json +from datetime import datetime + +# Read JSON output +with open('/tmp/grades.json', 'r') as f: + data = json.load(f) + +# Grade indicators +grade_indicator = { + 'A': '✅', 'B': '✅', + 'C': '⚠️', + 'D': '❌', 'F': '❌' +} + +# Format report +print("🛡️ Container Vulnerability Report") +print(f"Generated: {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}\n") + +for repo_name, repo_data in data.items(): + print(f"\n{repo_name}") + grades = repo_data.get('grades', {}) + + for tag, grade_info in grades.items(): + grade = grade_info['grade'] + indicator = grade_indicator.get(grade, '❓') + latest = grade_info['latest_tag'] + + # Handle multi-architecture + if 'architectures' in grade_info: + archs = ','.join(grade_info['architectures']) + else: + archs = grade_info.get('architecture', 'unknown') + + # Parse end date + end_date = grade_info.get('end_date', 'Unknown') + if end_date != 'Unknown': + end_date = end_date.split('T')[0] # Get just the date + + print(f" {tag} → Grade: {grade} {indicator} | {latest} | {archs} | End: {end_date}") + +# Summary +print("\n" + "=" * 40) +grade_counts = {} +for repo_data in data.values(): + for grade_info in repo_data.get('grades', {}).values(): + grade = grade_info['grade'] + grade_counts[grade] = grade_counts.get(grade, 0) + 1 + +grade_summary = ', '.join([f"{count}×{grade}" for grade, count in sorted(grade_counts.items())]) +print(f"Summary: {len(data)} repositories | Grades: {grade_summary}") +``` + +## Error Handling + +### Common Issues and Solutions + +### 1. Authentication Failure + +```text +Error: Kerberos authentication failed +``` + +**Solutions:** +- Verify keytab file exists: `ls ~/ossm-report-sa.keytab` +- Check keytab is base64 encoded +- Verify principal name is correct +- Test manual kinit: `kinit -kt ~/keytab.keytab principal@IPA.REDHAT.COM` +- Contact Red Hat IT for keytab issues + +### 2. Network Connectivity + +```text +Error: Cannot connect to pyxis.engineering.redhat.com +``` + +**Solutions:** +- Verify VPN connection to Red Hat network +- Check network access: `curl -k https://pyxis.engineering.redhat.com/v1/` +- Verify no proxy issues blocking API access + +### 3. Python Version Issues + +```text +Error: Python 3.12 not found +``` + +**Solutions:** +- Install Python 3.12: `sudo dnf install python3.12` +- Or let Makefile use available Python 3.x (it will fallback automatically) +- Check Python version: `python3 --version` + +### 4. Missing Dependencies + +```text +Error: ModuleNotFoundError: No module named 'yaml' +``` + +**Solutions:** +- Let Makefile handle installation: `make install` +- Or manual install: `pip install -r requirements.txt` + +### 5. Invalid YAML Configuration + +```text +Error: Invalid YAML syntax +``` + +**Solutions:** +- Validate YAML syntax: `python -c "import yaml; yaml.safe_load(open('config.yaml'))"` +- Check indentation (use spaces, not tabs) +- Verify structure matches releases/components format + +### 6. Repository Not Found + +```text +Warning: Repository not found: path/to/repo +``` + +**Solutions:** +- Verify repository name is correct in Pyxis +- Check repository exists: browse to registry.access.redhat.com +- Ensure no typos in repository path + +## Advanced Usage + +### Filtering by Grade + +Generate reports for only specific grades: + +```bash +cd ~/Code/container-grade-reporter + +# Filter by specific grades +make run-grade GRADES='C,D,F' CONFIG=tags.yaml + +# Convenience targets for common filters +make run-critical CONFIG=tags.yaml # Grades C, D, F only +make run-safe CONFIG=tags.yaml # Grades A, B only +``` + +### Filtering by Release + +Process only a specific release: + +```bash +# In your configuration, use --release flag (requires code modification) +# Or create separate config files per release +``` + +### Email Reports + +Generate HTML email reports (requires SMTP configuration): + +```bash +# Preview HTML without sending +make dry-run-email CONFIG=tags.yaml + +# Send email report (all grades) +make email CONFIG=tags.yaml + +# Send email with grade filtering +make email-grade GRADES='C,D,F' CONFIG=tags.yaml + +# Send critical vulnerabilities only +make email-critical CONFIG=tags.yaml +``` + +### Manual Python Execution + +For debugging or custom usage: + +```bash +cd ~/Code/container-grade-reporter +source venv/bin/activate # If venv exists + +# Run with custom parameters +python main.py --config my-config.yaml --output results.json --print +``` + +## Integration with Claude Commands + +The `/security:image-grades` command implements this skill by: + +1. Locating the tool using saved configuration or workspace search +2. Validating YAML configuration file +3. Checking for keytab authentication +4. Running `make run-output` with appropriate parameters +5. Parsing JSON output +6. Formatting results as readable text report + +**Complete workflow:** + +```bash +# One-time setup +git clone https://gitlab.cee.redhat.com/istio/servicemesh-qe/container-grade-reporter.git ~/Code/container-grade-reporter +/security:set-image-grade-tool-path ~/Code/container-grade-reporter + +# Create config file (my-releases.yaml) +# Then generate report +/security:image-grades ~/my-releases.yaml +``` + +## Testing + +**Verify tool installation:** + +```bash +cd ~/Code/container-grade-reporter +ls -la # Should see main.py, Makefile, requirements.txt + +# Test authentication +make auth-setup + +# Test full execution +make dry-run-email # Generates HTML without sending +``` + +**Expected output locations:** + +- JSON: `output/vulnerability_grades_YYYYMMDD.json` +- Logs: `logs/container_grade_reporter_YYYYMMDD_HHMMSS.log` +- HTML: `output/vulnerability_report_YYYYMMDD.html` + +## References + +- **Repository**: [container-grade-reporter](https://gitlab.cee.redhat.com/istio/servicemesh-qe/container-grade-reporter) +- **Pyxis API**: [https://pyxis.engineering.redhat.com/v1/](https://pyxis.engineering.redhat.com/v1/) +- **Red Hat Registry**: [https://registry.access.redhat.com](https://registry.access.redhat.com) +- **Red Hat IT Support**: For keytab and authentication issues + +## Notes + +- The tool uses base64-encoded keytab files for security +- Virtual environment is created in `/tmp/` to avoid cluttering project directory +- All API calls are authenticated via Kerberos (no hardcoded credentials) +- Multi-architecture data is automatically grouped when grades match +- The tool respects API rate limits with appropriate delays + + diff --git a/scripts/build-website.py b/scripts/build-website.py index b03483c3..1897c71c 100644 --- a/scripts/build-website.py +++ b/scripts/build-website.py @@ -25,7 +25,8 @@ def parse_frontmatter(content: str) -> Dict[str, str]: def extract_synopsis(content: str) -> str: """Extract synopsis from command markdown""" - match = re.search(r'## Synopsis\s*```\s*([^\n]+)', content, re.MULTILINE) + # Match Synopsis header, optional language identifier, then capture the next non-empty line + match = re.search(r'## Synopsis\s*```(?:\w+)?\s*\n([^\n]+)', content, re.MULTILINE) if match: return match.group(1).strip() return ""