Merge pull request #54 from jdolitsky/docker-socket

scanner-audit: add ability to mount docker socket when needed

Author: jdolitsky

scanner-audit/README.md

@@ -100,6 +100,24 @@ export API_SECRET="your-secret"
 go run . --env cloud-scanner
 ```
 
+#### Special Environment Variable: REQUIRES_DOCKER
+
+The `REQUIRES_DOCKER` environment variable is a special case. When this variable is defined in your audit-env.yaml file (with any value), scanner-audit will automatically mount the Docker socket into the container:
+
+```yaml
+environment:
+  environment:
+    REQUIRES_DOCKER: "true"  # Any value will trigger Docker socket mounting
+    # ... other variables ...
+```
+
+This enables scanners that need to interact with Docker (e.g., to pull images or inspect containers) to function properly. The Docker socket will be mounted as `/var/run/docker.sock:/var/run/docker.sock`.
+
+**Note:** Unlike other environment variables, `REQUIRES_DOCKER`:
+- Is not validated for empty or placeholder values
+- Is not passed to the container as an environment variable
+- Only serves to trigger the Docker socket mount
+
 ### Custom Scanner Installation
 
 You can use Melange pipelines in your audit-env.yaml to install custom tools:

scanner-audit/main.go

@@ -129,6 +129,7 @@ var testCaseDocLinks = generateTestCaseDocLinks()
 const (
 	dockerStdoutStream = 1
 	dockerStderrStream = 2
+	requiresDockerVar  = "REQUIRES_DOCKER"
 )
 
 func main() {
@@ -251,7 +252,7 @@ func runAudit(envName string, forceBuild, noRemove, noCache bool, filterDistro,
 	}
 
 	// Start a single long-running container
-	containerID, err := startLongRunningContainer(dockerClient, wrapperImage, wrapperContent, noCache)
+	containerID, err := startLongRunningContainer(dockerClient, wrapperImage, wrapperContent, noCache, requiredEnvVars)
 	if err != nil {
 		return fmt.Errorf("failed to start container: %w", err)
 	}
@@ -389,6 +390,11 @@ func validateEnvironmentVars(requiredEnvVars []string) error {
 	var invalid []string
 
 	for _, envVar := range requiredEnvVars {
+		// Skip REQUIRES_DOCKER - it's optional and not treated as a masked variable
+		if envVar == requiresDockerVar {
+			continue
+		}
+
 		value := os.Getenv(envVar)
 		if value == "" {
 			missing = append(missing, envVar)
@@ -583,7 +589,7 @@ func getCacheDir() string {
 	return filepath.Join(getBaseCacheDir(), "cache-mount")
 }
 
-func startLongRunningContainer(dockerClient *client.Client, wrapperImage string, wrapperContent []byte, noCache bool) (string, error) {
+func startLongRunningContainer(dockerClient *client.Client, wrapperImage string, wrapperContent []byte, noCache bool, requiredEnvVars []string) (string, error) {
 	ctx := context.Background()
 
 	// Create container configuration - keep it alive with a sleep command
@@ -639,6 +645,15 @@ func startLongRunningContainer(dockerClient *client.Client, wrapperImage string,
 		fmt.Printf("Mounting cache directory: %s -> /root/.cache\n", cacheDir)
 	}
 
+	// Check if REQUIRES_DOCKER is in requiredEnvVars and has a value
+	hasRequiresDocker := slices.Contains(requiredEnvVars, requiresDockerVar)
+
+	// Add Docker socket mount if REQUIRES_DOCKER is set
+	if hasRequiresDocker {
+		binds = append(binds, "/var/run/docker.sock:/var/run/docker.sock")
+		fmt.Printf("Mounting Docker socket: /var/run/docker.sock -> /var/run/docker.sock\n")
+	}
+
 	hostConfig := &container.HostConfig{
 		Binds: binds,
 	}
@@ -648,6 +663,9 @@ func startLongRunningContainer(dockerClient *client.Client, wrapperImage string,
 	if !noCache {
 		dockerCmd += fmt.Sprintf(" -v %s:/root/.cache", getCacheDir())
 	}
+	if hasRequiresDocker {
+		dockerCmd += " -v /var/run/docker.sock:/var/run/docker.sock"
+	}
 	dockerCmd += fmt.Sprintf(" %s -c 'trap : TERM INT; sleep 9999999999d & wait'", wrapperImage)
 	fmt.Printf("Running \"%s\"\n", dockerCmd)
 
@@ -750,6 +768,11 @@ func prepareEnvVarsAndCommand(requiredEnvVars []string, containerID, testImage s
 	var maskedEnvVars []string
 
 	for _, envVar := range requiredEnvVars {
+		// Skip REQUIRES_DOCKER - it's not passed to the container
+		if envVar == requiresDockerVar {
+			continue
+		}
+
 		value := os.Getenv(envVar)
 		envVars = append(envVars, fmt.Sprintf("%s=%s", envVar, value))
 		maskedEnvVars = append(maskedEnvVars, fmt.Sprintf("%s=\"$%s\"", envVar, envVar)) // Show as env var reference