-
Notifications
You must be signed in to change notification settings - Fork 10
Expand file tree
/
Copy pathcontainer_scan.go
More file actions
276 lines (232 loc) · 8.86 KB
/
container_scan.go
File metadata and controls
276 lines (232 loc) · 8.86 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
// Package cmd implements the CLI commands for the Codacy CLI tool.
package cmd
import (
"fmt"
"os"
"os/exec"
"regexp"
"strings"
"codacy/cli-v2/utils/logger"
"github.com/fatih/color"
"github.com/sirupsen/logrus"
"github.com/spf13/cobra"
)
// validImageNamePattern validates Docker image references
// Allows: registry/namespace/image:tag or image@sha256:digest
// Based on Docker image reference specification
var validImageNamePattern = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9._\-/:@]*$`)
// lookPath is a variable to allow mocking exec.LookPath in tests
var lookPath = exec.LookPath
// exitFunc is a variable to allow mocking os.Exit in tests
var exitFunc = os.Exit
// CommandRunner interface for running external commands (allows mocking in tests)
type CommandRunner interface {
Run(name string, args []string) error
}
// ExecCommandRunner runs commands using exec.Command
type ExecCommandRunner struct{}
// Run executes a command and returns its exit error
func (r *ExecCommandRunner) Run(name string, args []string) error {
// #nosec G204 -- name comes from exec.LookPath("trivy") with a literal string,
// and args are validated by validateImageName() which checks for shell metacharacters.
// exec.Command passes arguments directly without shell interpretation.
cmd := exec.Command(name, args...)
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
return cmd.Run()
}
// commandRunner is the default command runner, can be replaced in tests
var commandRunner CommandRunner = &ExecCommandRunner{}
// ExitCoder interface for errors that have an exit code
type ExitCoder interface {
ExitCode() int
}
// getExitCode returns the exit code from an error if it implements ExitCoder
func getExitCode(err error) int {
if exitErr, ok := err.(ExitCoder); ok {
return exitErr.ExitCode()
}
return -1
}
// Flag variables for container-scan command
var (
severityFlag string
pkgTypesFlag string
ignoreUnfixedFlag bool
)
func init() {
containerScanCmd.Flags().StringVar(&severityFlag, "severity", "", "Comma-separated list of severities to scan for (default: HIGH,CRITICAL)")
containerScanCmd.Flags().StringVar(&pkgTypesFlag, "pkg-types", "", "Comma-separated list of package types to scan (default: os)")
containerScanCmd.Flags().BoolVar(&ignoreUnfixedFlag, "ignore-unfixed", true, "Ignore unfixed vulnerabilities")
rootCmd.AddCommand(containerScanCmd)
}
var containerScanCmd = &cobra.Command{
Use: "container-scan <IMAGE_NAME> [IMAGE_NAME...]",
Short: "Scan container images for vulnerabilities using Trivy",
Long: `Scan one or more container images for vulnerabilities using Trivy.
By default, scans for HIGH and CRITICAL vulnerabilities in OS packages,
ignoring unfixed issues. Use flags to override these defaults.
The --exit-code 1 flag is always applied (not user-configurable) to ensure
the command fails when vulnerabilities are found in any image.`,
Example: ` # Scan a single image
codacy-cli container-scan myapp:latest
# Scan multiple images
codacy-cli container-scan myapp:latest nginx:alpine redis:7
# Scan only for CRITICAL vulnerabilities across multiple images
codacy-cli container-scan --severity CRITICAL myapp:latest nginx:alpine
# Scan all severities and package types
codacy-cli container-scan --severity LOW,MEDIUM,HIGH,CRITICAL --pkg-types os,library myapp:latest
# Include unfixed vulnerabilities
codacy-cli container-scan --ignore-unfixed=false myapp:latest`,
Args: cobra.MinimumNArgs(1),
Run: runContainerScan,
}
// validateImageName checks if the image name is a valid Docker image reference
// and doesn't contain shell metacharacters that could be used for command injection
func validateImageName(imageName string) error {
if imageName == "" {
return fmt.Errorf("image name cannot be empty")
}
// Check for maximum length (Docker has a practical limit)
if len(imageName) > 256 {
return fmt.Errorf("image name is too long (max 256 characters)")
}
// Check for dangerous shell metacharacters first for specific error messages
dangerousChars := []string{";", "&", "|", "$", "`", "(", ")", "{", "}", "<", ">", "!", "\\", "\n", "\r", "'", "\""}
for _, char := range dangerousChars {
if strings.Contains(imageName, char) {
return fmt.Errorf("invalid image name: contains disallowed character '%s'", char)
}
}
// Validate against allowed pattern for any other invalid characters
if !validImageNamePattern.MatchString(imageName) {
return fmt.Errorf("invalid image name format: contains disallowed characters")
}
return nil
}
// getTrivyPath returns the path to the Trivy binary and an error if not found
func getTrivyPath() (string, error) {
trivyPath, err := lookPath("trivy")
if err != nil {
return "", err
}
logger.Info("Found Trivy", logrus.Fields{"path": trivyPath})
return trivyPath, nil
}
// handleTrivyNotFound prints error message and exits with code 2
func handleTrivyNotFound(err error) {
logger.Error("Trivy not found", logrus.Fields{"error": err.Error()})
color.Red("❌ Error: Trivy is not installed or not found in PATH")
fmt.Println("Please install Trivy to use container scanning.")
fmt.Println("Visit: https://trivy.dev/latest/getting-started/installation/")
fmt.Println("exit-code 2")
exitFunc(2)
}
func runContainerScan(_ *cobra.Command, args []string) {
exitCode := executeContainerScan(args)
exitFunc(exitCode)
}
// executeContainerScan performs the container scan and returns an exit code
// Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error
func executeContainerScan(imageNames []string) int {
if code := validateAllImages(imageNames); code != 0 {
return code
}
logger.Info("Starting container scan", logrus.Fields{"images": imageNames, "count": len(imageNames)})
trivyPath, err := getTrivyPath()
if err != nil {
handleTrivyNotFound(err)
return 2
}
hasVulnerabilities := scanAllImages(imageNames, trivyPath)
if hasVulnerabilities == -1 {
return 2
}
return printScanSummary(hasVulnerabilities == 1, imageNames)
}
func validateAllImages(imageNames []string) int {
for _, imageName := range imageNames {
if err := validateImageName(imageName); err != nil {
logger.Error("Invalid image name", logrus.Fields{"image": imageName, "error": err.Error()})
color.Red("❌ Error: %v", err)
fmt.Println("exit-code 2")
return 2
}
}
return 0
}
// scanAllImages scans all images and returns: 0=no vulns, 1=vulns found, -1=error
func scanAllImages(imageNames []string, trivyPath string) int {
hasVulnerabilities := false
for i, imageName := range imageNames {
printScanHeader(imageNames, imageName, i)
args := buildTrivyArgs(imageName)
logger.Info("Running Trivy container scan", logrus.Fields{"command": fmt.Sprintf("%s %v", trivyPath, args)})
if err := commandRunner.Run(trivyPath, args); err != nil {
if getExitCode(err) == 1 {
logger.Warn("Vulnerabilities found in image", logrus.Fields{"image": imageName})
hasVulnerabilities = true
} else {
logger.Error("Failed to run Trivy", logrus.Fields{"error": err.Error(), "image": imageName})
color.Red("❌ Error: Failed to run Trivy for %s: %v", imageName, err)
fmt.Println("exit-code 2")
return -1
}
} else {
logger.Info("No vulnerabilities found in image", logrus.Fields{"image": imageName})
}
}
if hasVulnerabilities {
return 1
}
return 0
}
func printScanHeader(imageNames []string, imageName string, index int) {
if len(imageNames) > 1 {
fmt.Printf("\n📦 [%d/%d] Scanning image: %s\n", index+1, len(imageNames), imageName)
fmt.Println(strings.Repeat("-", 50))
} else {
fmt.Printf("🔍 Scanning container image: %s\n\n", imageName)
}
}
func printScanSummary(hasVulnerabilities bool, imageNames []string) int {
fmt.Println()
if hasVulnerabilities {
logger.Warn("Container scan completed with vulnerabilities", logrus.Fields{"images": imageNames})
color.Red("❌ Scanning failed: vulnerabilities found in one or more container images")
fmt.Println("exit-code 1")
return 1
}
logger.Info("Container scan completed successfully", logrus.Fields{"images": imageNames})
color.Green("✅ Success: No vulnerabilities found matching the specified criteria")
fmt.Println("exit-code 0")
return 0
}
// buildTrivyArgs constructs the Trivy command arguments based on flags
func buildTrivyArgs(imageName string) []string {
args := []string{
"image",
"--scanners", "vuln",
}
// Apply --ignore-unfixed if enabled (default: true)
if ignoreUnfixedFlag {
args = append(args, "--ignore-unfixed")
}
// Apply --severity (use default if not specified)
severity := severityFlag
if severity == "" {
severity = "HIGH,CRITICAL"
}
args = append(args, "--severity", severity)
// Apply --pkg-types (use default if not specified)
pkgTypes := pkgTypesFlag
if pkgTypes == "" {
pkgTypes = "os"
}
args = append(args, "--pkg-types", pkgTypes)
// Always apply --exit-code 1 (not user-configurable)
args = append(args, "--exit-code", "1")
// Add the image name as the last argument
args = append(args, imageName)
return args
}