❗The project is ARCHIVED. We focused on joseki instead❗
image-scanner
can scan a set of Docker images for CVEs and serve the scan results. It can run as a web application or as a CLI tool.
The scanner can audit all images running in a given Kubernetes cluster, or take a list of image tags as an input parameter.
To scan all images in a Kubernetes cluster:
- with the default kube-config:
  docker run --rm -v $HOME:/root deepnetwork/image-scanner-cli trivy -e File -i File
- with a custom k8s cluster config:
  docker run --rm -v $HOME:/root deepnetwork/image-scanner-cli trivy -e File -i File -k /root/.kube/custom_k8s_config
To scan a list of images (a sample list is in samples/sample-image-list in the repository):
  docker run --rm -v $HOME:/root deepnetwork/image-scanner-cli trivy -e File -i File -l /root/Repos/image-scanner/samples/sample-image-list
Note that these commands bind-mount your whole home directory into the container (as /root) so that it can read ~/.kube/config and the sample files; the container therefore gets read/write access to everything under $HOME. If that is not acceptable, mount only the kube-config, the image list and an export folder, and point -k, -l and -f at those paths.
At the moment, image-scanner supports only Trivy as a scanner and the local file system as the persistence layer. Support for other scanners and storage implementations is on the roadmap.
image-scanner is developed with .NET Core 3.0.
- Running from source code
  git clone https://github.com/deepnetworkgmbh/image-scanner.git
  cd image-scanner/src/cli
  dotnet run
- Running the CLI via the Docker image
  docker run --rm -v $HOME:/root deepnetwork/image-scanner-cli trivy -e File -i File
- Running the web application via the Docker image
  docker run --rm \
    -p 8080:8080 \
    -v $HOME:$HOME \
    -e IMAGE_SCANNER_CONFIG_FILE_PATH="$HOME/Repos/image-scanner/src/tests/image-scanner.config-sample.yaml" \
    deepnetwork/image-scanner-web
  The -e flag has to come before the image name: anything after the image name is passed to the container as a command argument instead of being set as an environment variable. Because $HOME is mounted at the same path inside the container, the config path is valid both on the host and in the container.
Then navigate to http://localhost:8080/swagger/index.html on your machine and call the APIs to start scans.
TODO: add web app description and examples
The image-scanner CLI tool scans a k8s cluster or a list of images. The following CLI options are used in scanning operations.
- Select a scanner:
  trivy      Run the Trivy scanner
  clair      Run the Clair scanner (not supported yet)
  help       Display more information on a specific command.
  version    Display version information.
  image-scanner needs a scanner to be selected. At the moment, only the Trivy scanner is supported.
- Trivy options:
  -t, --trivyBinaryPath    Binary path of the Trivy executable (Default: /usr/local/bin/trivy)
  -a, --trivyCachePath     Folder path of the Trivy cache files
  -r, --registries         Path of the container registry credentials file
  -k, --kubeConfigPath     File path of the kube config file
  -e, --exporter           Required. Exporter type (e.g. File)
  -i, --importer           Required. Importer type (e.g. File)
  -f, --fileExporterPath   Folder path of the file exporter
  -b, --isBulkUpload       Is bulk upload (Default: false)
  -m, --parallelismDegree  Degree of parallelism (Default: 10)
  -l, --listOfImagesPath   Path of the image list file
  --help                   Display this help screen.
  --version                Display version information.
- Scan with Trivy
  - Scan a Kubernetes cluster using the local kube-config and save the output with the file exporter:
    docker run --rm -v $HOME:/root/ deepnetwork/image-scanner-cli trivy -e File -i File
    Scan results (JSON) and container log files are saved under the $HOME/.image-scanner/exports folder.
  - Using a cache directory on your machine:
    docker run --rm -v $HOME:/root/ deepnetwork/image-scanner-cli trivy -a [TRIVY_CACHE_PATH] -e File -i File
    Replace [TRIVY_CACHE_PATH] with the cache directory on your machine, written as the container sees it (somewhere under /root, since $HOME is mounted there). Reusing the cache saves Trivy from downloading its vulnerability database again on every run.
  - Running against a private container registry (CR):
    Prepare your private CR list in the format of samples/registries.config-sample.yaml and pass it with -r:
    docker run --rm -v $HOME:/root/ deepnetwork/image-scanner-cli trivy -e File -i File -r /root/Repos/image-scanner/samples/registries.config-sample.yaml
    The registries file holds credentials, so keep it out of version control and readable only by your user.
  - Saving results into a custom folder:
    docker run --rm -v $HOME:/root/ deepnetwork/image-scanner-cli trivy -e File -i File -f /root/myfolder
    This command runs image-scanner against the default Kubernetes cluster and saves the export files into /root/myfolder inside the container, i.e. $HOME/myfolder on your machine.
  - Setting the degree of parallelism:
    docker run --rm -v $HOME:/root/ deepnetwork/image-scanner-cli trivy -e File -i File -m 50
    -m sets the maximum number of scanner (e.g. Trivy) processes run in parallel. The default value is 10.
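The file exporter only writes the scan results to disk; deciding what to do with them is up to you. The script below is an added example (not part of the image-scanner project) that reads the exported JSON files and gates on severity, the way you would in a CI job after a scan. It assumes, since the page does not document the file layout, that each export is one JSON file per image containing Trivy's own report, in either the older top-level list form or the newer {"Results": [...]} form; only the Severity, VulnerabilityID and FixedVersion fields are relied on. The sample report and its CVE-0000-* identifiers are constructed placeholders, not real findings.

```python
"""Triage image-scanner file-exporter output (added example, not project code).

Assumptions not stated by the image-scanner README:
  * $HOME/.image-scanner/exports holds one JSON file per scanned image;
  * each file is Trivy's JSON report, either a top-level list of targets
    or a {"Results": [...]} object wrapping that list;
  * each finding carries "Severity" and "FixedVersion" (empty when unfixed).
"""
import json
import os
from collections import Counter
from typing import Dict, Iterable, Tuple

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def _targets(report) -> Iterable[dict]:
    """Yield the per-target blocks from either Trivy report layout."""
    if isinstance(report, dict) and "Results" in report:
        return report["Results"] or []
    if isinstance(report, list):
        return report
    raise ValueError("unrecognised report layout")


def summarize(report) -> Dict[str, int]:
    """Count findings per severity. Findings without a FixedVersion are also
    counted under "<SEVERITY>:unfixed" so a gate can treat them separately."""
    counts: Counter = Counter()
    for target in _targets(report):
        for vuln in target.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            counts[sev] += 1
            if not vuln.get("FixedVersion"):
                counts[sev + ":unfixed"] += 1
    return dict(counts)


def worst_severity(summary: Dict[str, int]) -> str:
    present = [s for s in SEVERITY_ORDER if summary.get(s)]
    return present[-1] if present else "NONE"


def should_fail(summary: Dict[str, int], threshold: str = "HIGH",
                ignore_unfixed: bool = False) -> bool:
    """True if any finding at or above `threshold` exists. With
    ignore_unfixed=True, findings that have no fixed version are excluded,
    because rebuilding the image cannot remove them yet."""
    floor = SEVERITY_ORDER.index(threshold.upper())
    for sev in SEVERITY_ORDER[floor:]:
        n = summary.get(sev, 0)
        if ignore_unfixed:
            n -= summary.get(sev + ":unfixed", 0)
        if n > 0:
            return True
    return False


def triage_reports(reports: Dict[str, object], threshold: str = "HIGH",
                   ignore_unfixed: bool = False) -> Tuple[Dict[str, Dict[str, int]], bool]:
    """Summarize already-parsed reports keyed by file name; the second value
    is True if the gate tripped for any of them."""
    per_file = {name: summarize(rep) for name, rep in reports.items()}
    failed = any(should_fail(s, threshold, ignore_unfixed) for s in per_file.values())
    return per_file, failed


def triage_directory(exports_dir: str, threshold: str = "HIGH",
                     ignore_unfixed: bool = False):
    """Load every *.json file under the exporter folder and triage it.
    Container log files are skipped, as are files that fail to parse
    (e.g. a partial write), so one bad file cannot mask the others."""
    reports = {}
    for name in sorted(os.listdir(exports_dir)):
        if not name.endswith(".json"):
            continue
        with open(os.path.join(exports_dir, name), encoding="utf-8") as fh:
            try:
                reports[name] = json.load(fh)
            except json.JSONDecodeError:
                continue
    return triage_reports(reports, threshold, ignore_unfixed)


# Constructed sample in Trivy's older list layout; identifiers are placeholders.
SAMPLE_REPORT = [
    {
        "Target": "example.invalid/app:1.0 (alpine 3.10.2)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "pkg-a",
             "InstalledVersion": "1.0-r0", "FixedVersion": "", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "pkg-b",
             "InstalledVersion": "2.0-r0", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "pkg-c",
             "InstalledVersion": "3.0-r0", "FixedVersion": "3.0-r1", "Severity": "MEDIUM"},
        ],
    }
]

if __name__ == "__main__":
    import sys
    exports = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.image-scanner/exports")
    per_file, failed = triage_directory(exports, threshold="HIGH", ignore_unfixed=True)
    for name, summary in per_file.items():
        print(name, worst_severity(summary), summary)
    sys.exit(1 if failed else 0)
```

Run it as `python triage.py ~/.image-scanner/exports` after a scan with the file exporter (or pass the folder given to -f). The unfixed/fixed split matters in practice: a gate that fails on every HIGH finding, including ones with no upstream fix, trains people to ignore it, so the default above only blocks on findings a rebuild can actually remove, while still reporting the rest.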
Scan with Clair:
// TO BE ADDED