Commit 4a71524c authored by Thomas Boni's avatar Thomas Boni

templates(lacework): add initial version of lacework template

parent 98c7132a
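--- a/jobs/lacework/CHANGELOG.md
+++ b/jobs/lacework/CHANGELOG.md
@@ -0,0 +1,5 @@
+# Changelog
+All notable changes to this job will be documented in this file.
+
+## [0.1.0] - 2023-03-22
+* Initial version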
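--- a/jobs/lacework/README.md
+++ b/jobs/lacework/README.md
+## Objective
+
+This template runs [lacework-vulnerability-scanner](https://github.com/lacework/lacework-vulnerability-scanner) to scan and assess Docker container image for vulnerabilities.
+
+## How to use it
+
+1. Copy/paste the quick use above in your `.gitlab-ci.yml` file
+1. Add `LW_ACCOUNT_NAME` and `LW_ACCESS_TOKEN` variables in your project CI/CD variables
+1. If you want to scan a specific image, override variables `IMAGE`, `TAG` and `REGISTRY`
+1. If this image come from a private registry, `REGISTRY_USER` and `REGISTRY_PASSWORD` variables in your project CI/CD variables
+1. Well done, your job is ready to work ! 😀
+
+## Examples
+
+### Run a Lacework check on an image from `grc.io` without authentication
+
+Prerequisites:
+    - Set `LW_ACCOUNT_NAME` variable in your project CI/CD variables
+    - Set `LW_ACCESS_TOKEN` variable in your project CI/CD variables
+
+```yaml
+stages:
+  - tests
+
+include:
+  - remote: 'https://api.r2devops.io/job/r/gitlab/r2devops/hub/lacework@latest.yaml'
+
+lacework:
+  variables:
+    REGISTRY: gcr.io
+    IMAGE: kaniko-project/executor
+    TAG: latest
+```
+
+### Run a Lacework check on an image from Docker Hub with authentication
+
+Prerequisites:
+    - Set `LW_ACCOUNT_NAME` variable in your project CI/CD variables
+    - Set `LW_ACCESS_TOKEN` variable in your project CI/CD variables
+    - Set `REGISTRY_PASSWORD` variable in your project CI/CD variables
+
+```yaml
+stages:
+  - tests
+
+include:
+  - remote: 'https://api.r2devops.io/job/r/gitlab/r2devops/hub/lacework@latest.yaml'
+
+lacework:
+  variables:
+    REGISTRY: docker.io
+    REGISTRY_USER: <your username>
+    IMAGE: <private image>
+    TAG: <tag>
+```
+
+### Build an image, publish it in GitLab registry and check it with Lacework
+
+Prerequisites:
+    - Set `LW_ACCOUNT_NAME` variable in your project CI/CD variables
+    - Set `LW_ACCESS_TOKEN` variable in your project CI/CD variables
+    - Nothing to do about authentication, it is done automatically
+
+```yaml
+stages:
+  - build
+  - tests
+
+include:
+  - remote: 'https://api.r2devops.io/job/r/gitlab/r2devops/hub/docker_build@latest.yaml'
+  - remote: 'https://api.r2devops.io/job/r/gitlab/r2devops/hub/lacework@latest.yaml'
+```
+
+## Variables
+
+| Name | Description | Default |
+| ---- | ----------- | ------- |
+| `LW_ACCOUNT_NAME` | (**Mandatory**) Lacework account name. It should be set in GitLab CI/CD variables. | ` ` |
+| `LW_ACCESS_TOKEN` | (**Mandatory**) Lacework access token. It should be set in GitLab CI/CD variables. | ` ` |
+| `IMAGE` | Image to scan | `$CI_PROJECT_PATH` |
+| `TAG` | Tag of image to scan  | `$CI_COMMIT_TAG` or `$CI_COMMIT_SHA` |
+| `REGISTRY` | Registry of image to scan | `$CI_REGISTRY` |
+| `REGISTRY_USER` | Registry user | `$CI_REGISTRY_USER` if `REGISTRY`==`$CI_REGISTRY` |
+| `REGISTRY_PASSWORD` | Registry password. It should be set in GitLab CI/CD variables. | `$CI_REGISTRY_PASSWORD` if `REGISTRY`==`$CI_REGISTRY` |
+| `LW_ADDITIONAL_OPTIONS` | Additional option to use in `lacework-inline-scanner` CLI | ` ` |
+| `LW_VERSION` | Version of `lacework-inline-scanner` | `0.20.0` |
+| `DIND_VERSION` | Version of `docker-in-docker` | `20.10.16-dind` |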
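--- a/jobs/lacework/lacework.yml
+++ b/jobs/lacework/lacework.yml
+# Job from R2Devops hub --> r2devops.io
+
+stages:
+  - tests
+
+lacework:
+  stage: tests
+  image:
+    name: lacework/lacework-inline-scanner:$IMAGE_TAG
+    entrypoint: [""]
+  services:
+    - name: docker:$DIND_VERSION
+      alias: docker
+  variables:
+    DOCKER_HOST: tcp://docker:2375
+    IMAGE_TAG: 0.20.0
+    DIND_VERSION: 20.10.16-dind
+    LW_ADDITIONAL_OPTIONS: ""
+    REGISTRY: $CI_REGISTRY
+    REGISTRY_USER: ""
+    REGISTRY_PASSWORD: ""
+    IMAGE: $CI_PROJECT_PATH
+    TAG: ""
+
+  before_script:
+    # This before_script do the authentication to the registry
+
+    # If registry is the GitLab project registry, auto-set user and password
+    - if [ ! -z ${REGISTRY} ] && [ ${REGISTRY} = ${CI_REGISTRY} ]; then
+    -   export REGISTRY_USER=$CI_REGISTRY_USER
+    -   export REGISTRY_PASSWORD=$CI_REGISTRY_PASSWORD
+    - fi
+
+    # Login to registry if needed
+    - if [ ! -z ${REGISTRY} ] && [ ! -z ${REGISTRY_USER} ] && [ ! -z ${REGISTRY_PASSWORD} ]; then
+    -   echo $REGISTRY_PASSWORD | docker login --password-stdin -u $REGISTRY_USER $REGISTRY
+    - fi
+
+  script:
+
+    # If tag is empty, set it to COMMIT_TAG if it is a pipeline for tag, else
+    # COMMIT_SHA
+    - if [ -z ${TAG} ]; then
+    -   if [ ! -z ${CI_COMMIT_TAG} ]; then
+    -     TAG="$CI_COMMIT_TAG"
+    -   else
+    -     TAG="$CI_COMMIT_SHA"
+    -   fi
+    - fi
+
+    # If registry is not empty and not set in IMAGE, add it
+    - if [ ! -z ${REGISTRY} ] && [ ! $(echo $IMAGE | grep $REGISTRY) ]; then
+    -   IMAGE="$REGISTRY/$IMAGE"
+    - fi
+
+    # Prepare output folders
+    - mkdir -p lw_output/data lw_output/log
+
+    # Pull the image before running the scan. It prevents some issues.
+    - docker pull $IMAGE:$TAG
+
+    # Display command that will be launched as debug
+    - echo "#### Command that will be run => lw-scanner evaluate $IMAGE $TAG -s --policy --critical-violation-exit-code 1 --data-directory lw_output/data --log-directory lw_output/log --html --html-file lw_report.html $LW_ADDITIONAL_OPTIONS"
+
+    # Run the lacework scan
+    - lw-scanner evaluate $IMAGE $TAG -s --policy --critical-violation-exit-code 1 --data-directory lw_output/data --log-directory lw_output/log --html --html-file lw_report.html $LW_ADDITIONAL_OPTIONS
+
+  artifacts:
+    when: always
+    name: "lacework_report"
+    paths:
+      - lw_report.html
+      - lw_output
+    expose_as: "lacework_report"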
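Review bot: The scanner version is driven by `IMAGE_TAG` (the `image.name` line and the `IMAGE_TAG: 0.20.0` default), while the README added in this commit documents that knob as `LW_VERSION` with the same default, so a user following the docs changes nothing; rename it to `LW_VERSION: "0.20.0"` and `name: lacework/lacework-inline-scanner:$LW_VERSION`, which also avoids colliding with the very common `IMAGE_TAG` name in user pipelines. `DOCKER_HOST: tcp://docker:2375` is set without any `DOCKER_TLS_CERTDIR`; as far as I recall, docker:dind images of this generation enable TLS on 2376 by default, so either set `DOCKER_TLS_CERTDIR: ""` explicitly (documenting that the daemon link is plaintext) or point the client at 2376 with the TLS variables — worth confirming against a pipeline run. The shell conditions expand `${REGISTRY}`, `${TAG}` and the credentials unquoted and only behave on empty values because of the one-argument `[` rule; `[ -n "$REGISTRY" ]` and `[ "$REGISTRY" = "$CI_REGISTRY" ]` are the intended forms. The registry-prefix check `[ ! $(echo $IMAGE | grep $REGISTRY) ]` is an unanchored regex match that is skipped whenever the registry string appears anywhere in the image path; `case "$IMAGE" in "$REGISTRY"/*) ;; *) IMAGE="$REGISTRY/$IMAGE" ;; esac` tests the prefix literally.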

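--- a/lacework.r2.yml
+++ b/lacework.r2.yml
@@ -0,0 +1,13 @@
+files:
+    template: ./jobs/lacework/lacework.yml
+    documentation: ./jobs/lacework/README.md
+    changelog: ./jobs/lacework/CHANGELOG.md
+data:
+    description: "Run lacework scanner on docker image"
+    icon: 🔎
+    public: true
+    labels:
+    - Security
+    - Docker
+    license:
+    deprecated: false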
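Review bot: `license:` on the second-to-last line carries no value and is read as null by every YAML loader, which is probably not what the hub schema expects for this field; write `license: ""` if it is intentionally unknown, or fill in the job's actual license. The `labels` sequence is flush with its key while the rest of the file indents four spaces; indenting the two items keeps the sequence style consistent for yamllint.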