Add support for trivy

README.md

@@ -19,7 +19,7 @@ This is intended to:
 - Prevent deploying assets with un-pullable images
 - Localise images for faster start times
 - Potentially improve availability by reducing runtime third party service
-  dependencies (e.g. rDdockerhub)
+  dependencies (e.g. Dockerhub)
 - Help with compliance by pulling all images from registries with image
   scanning
 - Help with the use of in-cluster binary authorization
@@ -128,15 +128,23 @@ The following flags control mappings usage
 ```
 # Grafeas Vulnerability Checking
 
-NOTE: At present, Vulnerability scanning only works with google cloud container registry
+Alternatively, reimage can execute any command compatible with trivy's image scanning
+JSON output to scan images.
 
-reimage can check for Grafeas Discovery occurrences containing CVE checks for
+alternatively trivy can check for Grafeas Discovery occurrences containing CVE checks for
 the discovered images. If discovery checking is enabled, but no completed discovery
 has occurred, reimage will wait for a configurable time. Vulnerability checking
 is disabled by default, and can be enabled by setting `-vulncheck-max-cvss`. If you
 want to scan, but ignore all CVEs, use `-vulncheck-max-cvss 11`
 
+
 ```
+  -grafeas-parent string
+        value for the parent of the grafeas client (e.g. "project/my-project-id" for GCP
+  -trivy-command string
+        the command to run to retrieve vulnerability scans in trivy's JSON format (the image id will be added as an additional arg (default "trivy image -f json")
+  -vulncheck-method string
+        force the vulnerability check method, (trivy or grafeas) (default "trivy")
   -vulncheck-ignore-cve-list string
         comma separated list of vulnerabilities to ignore
   -vulncheck-ignore-images string

cmd/reimage/main.go

@@ -23,6 +23,7 @@ import (
 
 	containeranalysis "cloud.google.com/go/containeranalysis/apiv1"
 	kms "cloud.google.com/go/kms/apiv1"
+	"github.com/buildkite/shellwords"
 	"github.com/cerbos/reimage"
 	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/google/go-containerregistry/pkg/name"
@@ -53,12 +54,15 @@ type app struct {
 	StaticMappingsImg     string
 	static                *reimage.StaticRemapper
 	GrafeasParent         string
+	TrivyCommand          string
+	trivyCommand          []string
 	VulnCheckTimeout      time.Duration
 	VulnCheckMaxRetries   int
 	VulnCheckIgnoreList   []string
 	VulnCheckMaxCVSS      float64
 	VulnCheckIgnoreImages string
 	vulnCheckIgnoreImages *regexp.Regexp
+	VulnCheckMethod       string
 
 	BinAuthzAttestor string
 
@@ -101,9 +105,12 @@ func setup() (*app, error) {
 	flag.StringVar(&vulnIgnoreStr, "vulncheck-ignore-cve-list", "", "comma separated list of vulnerabilities to ignore")
 	flag.Float64Var(&a.VulnCheckMaxCVSS, "vulncheck-max-cvss", 0.0, "maximum CVSS vulnerabitility score")
 	flag.StringVar(&a.VulnCheckIgnoreImages, "vulncheck-ignore-images", "", "regexp of images to skip for CVE checks")
+	flag.StringVar(&a.VulnCheckMethod, "vulncheck-method", "trivy", "force the vulnerability check method, (trivy or grafeas)")
 
 	flag.StringVar(&a.GrafeasParent, "grafeas-parent", "", "value for the parent of the grafeas client (e.g. \"project/my-project-id\" for GCP")
 
+	flag.StringVar(&a.TrivyCommand, "trivy-command", "trivy image -f json", "the command to run to retrieve vulnerability scans in trivy's JSON format (the image id will be added as an additional arg")
+
 	flag.StringVar(&a.BinAuthzAttestor, "binauthz-attestor", "", "Google BinAuthz Attestor (e.g. projects/myproj/attestors/myattestor)")
 
 	flag.StringVar(&a.GCPKMSKey, "gcp-kms-key", "", "KMS key, defaults to the first key listed in the binauthz attestation (e.g. projects/PROJECT/locations/LOCATION/keyRings/KEYRING/cryptoKeys/KEY/cryptoKeyVersions/V)")
@@ -172,6 +179,11 @@ func setup() (*app, error) {
 		return &a, err
 	}
 
+	a.trivyCommand, err = shellwords.Split(a.TrivyCommand)
+	if err != nil {
+		return &a, fmt.Errorf("could not parse trivy command, %w", err)
+	}
+
 	return &a, nil
 }
 
@@ -376,17 +388,33 @@ func (a *app) checkVulns(ctx context.Context, imgs map[string]reimage.QualifiedI
 
 	wg := &sync.WaitGroup{}
 	wg.Add(len(imgs))
-	gc := c.GetGrafeasClient()
-	checker := reimage.GrafeasVulnChecker{
+
+	var vget reimage.VulnGetter
+
+	switch a.VulnCheckMethod {
+	case "trivy":
+		vget = &reimage.TrivyVulnGetter{
+			Command: a.trivyCommand,
+		}
+	case "grafeas":
+		gc := c.GetGrafeasClient()
+		vget = &reimage.GrafeasVulnGetter{
+			Parent:     a.GrafeasParent,
+			Grafeas:    gc,
+			RetryMax:   a.VulnCheckMaxRetries,
+			RetryDelay: a.VulnCheckTimeout,
+
+			Logger: a.log,
+		}
+	default:
+		return fmt.Errorf("unknown scanning method %q, should be grafeas or trivy", a.VulnCheckMethod)
+	}
+
+	checker := reimage.VulnChecker{
+		Getter:        vget,
 		IgnoreImages:  a.vulnCheckIgnoreImages,
-		Parent:        a.GrafeasParent,
-		Grafeas:       gc,
 		MaxCVSS:       float32(a.VulnCheckMaxCVSS),
 		CVEIgnoreList: a.VulnCheckIgnoreList,
-		RetryMax:      a.VulnCheckMaxRetries,
-		RetryDelay:    a.VulnCheckTimeout,
-
-		Logger: a.log,
 	}
 
 	res := map[string]reimage.QualifiedImage{}

go.mod

@@ -5,27 +5,28 @@ go 1.21
 toolchain go1.21.0
 
 require (
-	cloud.google.com/go/containeranalysis v0.10.1
-	cloud.google.com/go/grafeas v0.3.1
-	cloud.google.com/go/kms v1.15.2
+	cloud.google.com/go/containeranalysis v0.11.3
+	cloud.google.com/go/grafeas v0.3.4
+	cloud.google.com/go/kms v1.15.5
 	github.com/AsaiYusuke/jsonpath v1.6.0
-	github.com/google/go-containerregistry v0.16.1
+	github.com/buildkite/shellwords v0.0.0-20180315110454-59467a9b8e10
+	github.com/google/go-containerregistry v0.17.0
 	github.com/googleapis/gax-go/v2 v2.12.0
 	github.com/goreleaser/goreleaser v1.20.0
-	google.golang.org/api v0.134.0
-	google.golang.org/genproto v0.0.0-20230731193218-e0aa005b6bdf
+	google.golang.org/api v0.153.0
+	google.golang.org/genproto v0.0.0-20231127180814-3a041ad873d4
 	google.golang.org/protobuf v1.31.0
-	k8s.io/api v0.27.4
-	k8s.io/apimachinery v0.27.4
-	k8s.io/cli-runtime v0.27.4
-	k8s.io/client-go v0.27.4
+	k8s.io/api v0.28.4
+	k8s.io/apimachinery v0.28.4
+	k8s.io/cli-runtime v0.28.4
+	k8s.io/client-go v0.28.4
 )
 
 require (
-	cloud.google.com/go v0.110.7 // indirect
-	cloud.google.com/go/compute v1.23.0 // indirect
+	cloud.google.com/go v0.110.10 // indirect
+	cloud.google.com/go/compute v1.23.3 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
-	cloud.google.com/go/iam v1.1.1 // indirect
+	cloud.google.com/go/iam v1.1.5 // indirect
 	cloud.google.com/go/storage v1.31.0 // indirect
 	code.gitea.io/sdk/gitea v0.15.1 // indirect
 	dario.cat/mergo v1.0.0 // indirect
@@ -94,7 +95,7 @@ require (
 	github.com/charmbracelet/lipgloss v0.7.1 // indirect
 	github.com/chrismellard/docker-credential-acr-env v0.0.0-20220327082430-c57b701bfc08 // indirect
 	github.com/cloudflare/circl v1.3.3 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/dghubble/go-twitter v0.0.0-20211115160449-93a8679adecb // indirect
 	github.com/dghubble/oauth1 v0.7.2 // indirect
@@ -104,10 +105,10 @@ require (
 	github.com/disgoorg/json v1.1.0 // indirect
 	github.com/disgoorg/log v1.2.1 // indirect
 	github.com/disgoorg/snowflake/v2 v2.0.1 // indirect
-	github.com/docker/cli v24.0.0+incompatible // indirect
-	github.com/docker/distribution v2.8.2+incompatible // indirect
-	github.com/docker/docker v24.0.2+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.7.0 // indirect
+	github.com/docker/cli v24.0.7+incompatible // indirect
+	github.com/docker/distribution v2.8.3+incompatible // indirect
+	github.com/docker/docker v24.0.7+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.8.0 // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/elliotchance/orderedmap/v2 v2.2.0 // indirect
@@ -117,7 +118,7 @@ require (
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.4.1 // indirect
 	github.com/go-git/go-git/v5 v5.7.0 // indirect
-	github.com/go-logr/logr v1.2.4 // indirect
+	github.com/go-logr/logr v1.3.0 // indirect
 	github.com/go-openapi/analysis v0.21.4 // indirect
 	github.com/go-openapi/errors v0.20.3 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
@@ -134,17 +135,17 @@ require (
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/go-github/v53 v53.2.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/ko v0.14.1 // indirect
 	github.com/google/rpmpack v0.5.0 // indirect
-	github.com/google/s2a-go v0.1.4 // indirect
+	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2 // indirect
-	github.com/google/uuid v1.3.0 // indirect
+	github.com/google/uuid v1.4.0 // indirect
 	github.com/google/wire v0.5.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/goreleaser/chglog v0.5.0 // indirect
 	github.com/goreleaser/fileglob v1.3.0 // indirect
 	github.com/goreleaser/nfpm/v2 v2.32.0 // indirect
@@ -165,7 +166,7 @@ require (
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.16.7 // indirect
+	github.com/klauspost/compress v1.17.4 // indirect
 	github.com/klauspost/pgzip v1.2.6 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf // indirect
@@ -190,7 +191,7 @@ require (
 	github.com/muesli/termenv v0.15.2 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0-rc3 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.8 // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
@@ -204,7 +205,7 @@ require (
 	github.com/sigstore/cosign/v2 v2.0.3-0.20230523133326-0544abd8fc8a // indirect
 	github.com/sigstore/rekor v1.2.0 // indirect
 	github.com/sigstore/sigstore v1.6.4 // indirect
-	github.com/sirupsen/logrus v1.9.1 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/skeema/knownhosts v1.1.1 // indirect
 	github.com/slack-go/slack v0.12.2 // indirect
 	github.com/spf13/afero v1.9.5 // indirect
@@ -219,7 +220,7 @@ require (
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/tomnomnom/linkheader v0.0.0-20180905144013-02ca5825eb80 // indirect
 	github.com/ulikunitz/xz v0.5.11 // indirect
-	github.com/vbatts/tar-split v0.11.3 // indirect
+	github.com/vbatts/tar-split v0.11.5 // indirect
 	github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 // indirect
 	github.com/xanzy/go-gitlab v0.90.0 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
@@ -228,22 +229,22 @@ require (
 	go.opencensus.io v0.24.0 // indirect
 	go.uber.org/automaxprocs v1.5.3 // indirect
 	gocloud.dev v0.33.0 // indirect
-	golang.org/x/crypto v0.14.0 // indirect
+	golang.org/x/crypto v0.16.0 // indirect
 	golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect
 	golang.org/x/mod v0.12.0 // indirect
-	golang.org/x/net v0.17.0 // indirect
-	golang.org/x/oauth2 v0.11.0 // indirect
-	golang.org/x/sync v0.3.0 // indirect
-	golang.org/x/sys v0.13.0 // indirect
-	golang.org/x/term v0.13.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
-	golang.org/x/time v0.3.0 // indirect
+	golang.org/x/net v0.19.0 // indirect
+	golang.org/x/oauth2 v0.15.0 // indirect
+	golang.org/x/sync v0.5.0 // indirect
+	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/term v0.15.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
 	golang.org/x/tools v0.12.0 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20230731193218-e0aa005b6bdf // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230731193218-e0aa005b6bdf // indirect
-	google.golang.org/grpc v1.57.0 // indirect
+	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20231127180814-3a041ad873d4 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20231127180814-3a041ad873d4 // indirect
+	google.golang.org/grpc v1.59.0 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
@@ -252,10 +253,10 @@ require (
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/klog/v2 v2.100.1 // indirect
-	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
+	k8s.io/klog/v2 v2.110.1 // indirect
+	k8s.io/utils v0.0.0-20231127182322-b307cd553661 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/kind v0.20.0 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
-	sigs.k8s.io/yaml v1.3.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )