From 93ecf3aeaf175cc26ae0561b057e3b81d28365c2 Mon Sep 17 00:00:00 2001
From: Christopher Desiniotis
Date: Wed, 27 Oct 2021 17:26:46 -0700
Subject: [PATCH] [ci] use pulse instead of contamer for scans
Signed-off-by: Christopher Desiniotis
---
 .nvidia-ci.yml | 27 +++++++++++++++++----------
 1 file changed, 17 insertions(+), 10 deletions(-)
diff --git a/.nvidia-ci.yml b/.nvidia-ci.yml
index 5f52749d..f3fddd0a 100644
--- a/.nvidia-ci.yml
+++ b/.nvidia-ci.yml
@@ -45,10 +45,10 @@ variables:
 # images.
 .scan:
 stage: scan
+ image: "${PULSE_IMAGE}"
 variables:
 IMAGE: "${CI_REGISTRY_IMAGE}/container-toolkit:${CI_COMMIT_SHORT_SHA}-${DIST}"
- # SCAN_IMAGE must be a local image
- SCAN_IMAGE: "container-toolkit:${CI_COMMIT_SHORT_SHA}-${DIST}"
+ IMAGE_ARCHIVE: "container-toolkit.tar"
 rules:
 - if: $CI_COMMIT_MESSAGE =~ /\[skip[ _-]scans?\]/i
 when: never
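Review bot: `image: "${PULSE_IMAGE}"` moves the whole scan template onto an image that is named only by a variable, with no comment on where it is set or how it is pinned, and the comment that explained the old `SCAN_IMAGE` is dropped without an equivalent for `IMAGE_ARCHIVE`. If `PULSE_IMAGE` resolves to a mutable tag rather than a digest, the scanner tooling can change between pipeline runs and the scan results stop being reproducible, which matters for a job whose output is a security verdict. Suggest a comment above the new line, `# PULSE_IMAGE is supplied as a CI/CD variable; pin it to a digest (image@sha256:…) so scan results are reproducible`, and one above `IMAGE_ARCHIVE` such as `# local tarball written by docker save and handed to the scanner`. The .scan template continues into the next hunk.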
@@ -57,18 +57,25 @@ variables:
 - if: $CI_COMMIT_TAG == null && $CI_COMMIT_BRANCH != $RELEASE_DEVEL_BRANCH
 allow_failure: true
 before_script:
- - apk add --no-cache git
- - apk add --no-cache python3 python3-dev py3-pip py3-wheel libmagic
 - docker login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}"
 # TODO: We should specify the architecture here and scan all architectures
 - docker pull "${IMAGE}"
- - docker tag "${IMAGE}" "${SCAN_IMAGE}"
- - git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab-master.nvidia.com/sectooling/scanning/contamer.git
- - pip3 install -r contamer/requirements.txt
+ - docker save "${IMAGE}" -o "${IMAGE_ARCHIVE}"
+ - AuthHeader=$(echo -n $SSA_CLIENT_ID:$SSA_CLIENT_SECRET | base64 -w0)
+ - >
+ export SSA_TOKEN=$(curl --request POST --header "Authorization: Basic $AuthHeader" --header "Content-Type: application/x-www-form-urlencoded" ${SSA_ISSUER_URL} | jq ".access_token" | tr -d '"')
+ - if [ -z "$SSA_TOKEN" ]; then exit 1; else echo "SSA_TOKEN set!"; fi
 script:
- - cd contamer
- - python3 contamer.py -ls --fail-on-non-os ${CONTAMER_SUPPRESS_VULNS:+--suppress-vulns ${CONTAMER_SUPPRESS_VULNS}} -- "${SCAN_IMAGE}"
-
+ - pulse-cli -n $NSPECT_ID --pss $PSS_URL --ssa $SSA_TOKEN scan -i $IMAGE_ARCHIVE -p $CONTAINER_POLICY -o
+ artifacts:
+ when: always
+ expire_in: 1 week
+ paths:
+ - pulse-cli.log
+ - licenses.json
+ - sbom.json
+ - vulns.json
+ - policy_evaluation.json
 # Define the scan targets
 scan-centos7:
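Review bot: The `if [ -z "$SSA_TOKEN" ]` guard does not catch a failed token request, because the `curl` on the `export SSA_TOKEN=` line runs without `--fail`, so an HTTP error body is piped on, and `jq ".access_token"` prints `null` for any JSON response lacking that field, which `tr -d '"'` passes through as the literal string `null`; the job then proceeds into `pulse-cli` with a bogus token instead of stopping. Use `curl -fsS --request POST …` so HTTP errors abort the step, and replace `jq ".access_token" | tr -d '"'` with `jq -r '.access_token // empty'` so a missing field yields an empty value that the existing guard rejects. On the `AuthHeader=` line the credentials should be quoted, `echo -n "$SSA_CLIENT_ID:$SSA_CLIENT_SECRET"`, so word splitting or globbing of a secret value cannot alter the header that is sent. The .scan template this hunk edits begins in the previous hunk.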