feat: Run trivy container scan #192
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,205 @@ | ||
| // Package cmd implements the CLI commands for the Codacy CLI tool. | ||
| package cmd | ||
|
|
||
| import ( | ||
| "fmt" | ||
| "os" | ||
| "os/exec" | ||
| "regexp" | ||
| "strings" | ||
|
|
||
| "codacy/cli-v2/utils/logger" | ||
|
|
||
| "github.com/fatih/color" | ||
| "github.com/sirupsen/logrus" | ||
| "github.com/spf13/cobra" | ||
| ) | ||
|
|
||
| // validImageNamePattern validates Docker image references | ||
| // Allows: registry/namespace/image:tag or image@sha256:digest | ||
| // Based on Docker image reference specification | ||
| var validImageNamePattern = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9._\-/:@]*$`) | ||
|
|
||
| // Flag variables for container-scan command | ||
| var ( | ||
| severityFlag string | ||
| pkgTypesFlag string | ||
| ignoreUnfixedFlag bool | ||
| ) | ||
|
|
||
| func init() { | ||
| containerScanCmd.Flags().StringVar(&severityFlag, "severity", "", "Comma-separated list of severities to scan for (default: HIGH,CRITICAL)") | ||
| containerScanCmd.Flags().StringVar(&pkgTypesFlag, "pkg-types", "", "Comma-separated list of package types to scan (default: os)") | ||
| containerScanCmd.Flags().BoolVar(&ignoreUnfixedFlag, "ignore-unfixed", true, "Ignore unfixed vulnerabilities") | ||
| rootCmd.AddCommand(containerScanCmd) | ||
| } | ||
|
franciscoovazevedo marked this conversation as resolved.
|
||
|
|
||
| var containerScanCmd = &cobra.Command{ | ||
| Use: "container-scan <IMAGE_NAME> [IMAGE_NAME...]", | ||
| Short: "Scan container images for vulnerabilities using Trivy", | ||
| Long: `Scan one or more container images for vulnerabilities using Trivy. | ||
|
|
||
| By default, scans for HIGH and CRITICAL vulnerabilities in OS packages, | ||
| ignoring unfixed issues. Use flags to override these defaults. | ||
|
|
||
| The --exit-code 1 flag is always applied (not user-configurable) to ensure | ||
| the command fails when vulnerabilities are found in any image.`, | ||
| Example: ` # Scan a single image | ||
| codacy-cli container-scan myapp:latest | ||
|
|
||
| # Scan multiple images | ||
| codacy-cli container-scan myapp:latest nginx:alpine redis:7 | ||
|
|
||
| # Scan only for CRITICAL vulnerabilities across multiple images | ||
| codacy-cli container-scan --severity CRITICAL myapp:latest nginx:alpine | ||
|
|
||
| # Scan all severities and package types | ||
| codacy-cli container-scan --severity LOW,MEDIUM,HIGH,CRITICAL --pkg-types os,library myapp:latest | ||
|
|
||
| # Include unfixed vulnerabilities | ||
| codacy-cli container-scan --ignore-unfixed=false myapp:latest`, | ||
| Args: cobra.MinimumNArgs(1), | ||
| Run: runContainerScan, | ||
| } | ||
|
|
||
| // validateImageName checks if the image name is a valid Docker image reference | ||
| // and doesn't contain shell metacharacters that could be used for command injection | ||
| func validateImageName(imageName string) error { | ||
| if imageName == "" { | ||
| return fmt.Errorf("image name cannot be empty") | ||
| } | ||
|
|
||
| // Check for maximum length (Docker has a practical limit) | ||
| if len(imageName) > 256 { | ||
| return fmt.Errorf("image name is too long (max 256 characters)") | ||
| } | ||
|
|
||
| // Check for dangerous shell metacharacters first for specific error messages | ||
| dangerousChars := []string{";", "&", "|", "$", "`", "(", ")", "{", "}", "<", ">", "!", "\\", "\n", "\r", "'", "\""} | ||
| for _, char := range dangerousChars { | ||
| if strings.Contains(imageName, char) { | ||
| return fmt.Errorf("invalid image name: contains disallowed character '%s'", char) | ||
| } | ||
| } | ||
|
|
||
| // Validate against allowed pattern for any other invalid characters | ||
| if !validImageNamePattern.MatchString(imageName) { | ||
| return fmt.Errorf("invalid image name format: contains disallowed characters") | ||
| } | ||
|
Comment on lines
+136
to
+138
There was a problem hiding this comment. The validation logic at line 127 is unreachable. After checking for dangerous characters in the loop (lines 119-124), if the imageName contains any of them, the function returns an error. Therefore, the validImageNamePattern check on line 127 will never execute for strings containing those characters. This means the regex check only catches characters that aren't in the dangerousChars list. Consider either removing the redundant check or restructuring to validate with the regex first, then provide more specific error messages for dangerous characters. |
||
|
|
||
| return nil | ||
| } | ||
|
franciscoovazevedo marked this conversation as resolved.
|
||
|
|
||
| // getTrivyPath returns the path to the Trivy binary or exits if not found | ||
| func getTrivyPath() string { | ||
| trivyPath, err := exec.LookPath("trivy") | ||
| if err != nil { | ||
| logger.Error("Trivy not found", logrus.Fields{"error": err.Error()}) | ||
| color.Red("❌ Error: Trivy is not installed or not found in PATH") | ||
| fmt.Println("Please install Trivy to use container scanning.") | ||
| fmt.Println("Visit: https://trivy.dev/latest/getting-started/installation/") | ||
| fmt.Println("exit-code 2") | ||
| os.Exit(2) | ||
| } | ||
| logger.Info("Found Trivy", logrus.Fields{"path": trivyPath}) | ||
| return trivyPath | ||
| } | ||
|
|
||
| func runContainerScan(_ *cobra.Command, args []string) { | ||
| imageNames := args | ||
|
|
||
| // Validate all image names first | ||
| for _, imageName := range imageNames { | ||
| if err := validateImageName(imageName); err != nil { | ||
| logger.Error("Invalid image name", logrus.Fields{"image": imageName, "error": err.Error()}) | ||
| color.Red("❌ Error: %v", err) | ||
| fmt.Println("exit-code 2") | ||
| os.Exit(2) | ||
| } | ||
| } | ||
|
|
||
| logger.Info("Starting container scan", logrus.Fields{"images": imageNames, "count": len(imageNames)}) | ||
|
|
||
| trivyPath := getTrivyPath() | ||
| hasVulnerabilities := false | ||
|
|
||
| for i, imageName := range imageNames { | ||
| if len(imageNames) > 1 { | ||
| fmt.Printf("\n📦 [%d/%d] Scanning image: %s\n", i+1, len(imageNames), imageName) | ||
| fmt.Println(strings.Repeat("-", 50)) | ||
| } else { | ||
| fmt.Printf("🔍 Scanning container image: %s\n\n", imageName) | ||
| } | ||
|
|
||
| // #nosec G204 -- imageName is validated by validateImageName() which checks for | ||
| // shell metacharacters and enforces a strict character allowlist. Additionally, | ||
| // exec.Command passes arguments directly without shell interpretation. | ||
| trivyCmd := exec.Command(trivyPath, buildTrivyArgs(imageName)...) | ||
|
Check failure on line 137 in cmd/container_scan.go
|
||
| trivyCmd.Stdout = os.Stdout | ||
| trivyCmd.Stderr = os.Stderr | ||
|
|
||
| logger.Info("Running Trivy container scan", logrus.Fields{"command": trivyCmd.String()}) | ||
|
|
||
| if err := trivyCmd.Run(); err != nil { | ||
| if exitError, ok := err.(*exec.ExitError); ok && exitError.ExitCode() == 1 { | ||
| logger.Warn("Vulnerabilities found in image", logrus.Fields{"image": imageName}) | ||
| hasVulnerabilities = true | ||
| } else { | ||
| logger.Error("Failed to run Trivy", logrus.Fields{"error": err.Error(), "image": imageName}) | ||
| color.Red("❌ Error: Failed to run Trivy for %s: %v", imageName, err) | ||
| fmt.Println("exit-code 2") | ||
| os.Exit(2) | ||
| } | ||
| } else { | ||
| logger.Info("No vulnerabilities found in image", logrus.Fields{"image": imageName}) | ||
| } | ||
| } | ||
|
|
||
| // Print summary for multiple images | ||
| fmt.Println() | ||
| if hasVulnerabilities { | ||
| logger.Warn("Container scan completed with vulnerabilities", logrus.Fields{"images": imageNames}) | ||
| color.Red("❌ Scanning failed: vulnerabilities found in one or more container images") | ||
| fmt.Println("exit-code 1") | ||
| os.Exit(1) | ||
| } | ||
|
|
||
| logger.Info("Container scan completed successfully", logrus.Fields{"images": imageNames}) | ||
| color.Green("✅ Success: No vulnerabilities found matching the specified criteria") | ||
| fmt.Println("exit-code 0") | ||
| } | ||
|
|
||
| // buildTrivyArgs constructs the Trivy command arguments based on flags | ||
| func buildTrivyArgs(imageName string) []string { | ||
| args := []string{ | ||
| "image", | ||
| "--scanners", "vuln", | ||
| } | ||
|
|
||
| // Apply --ignore-unfixed if enabled (default: true) | ||
| if ignoreUnfixedFlag { | ||
| args = append(args, "--ignore-unfixed") | ||
| } | ||
|
|
||
| // Apply --severity (use default if not specified) | ||
| severity := severityFlag | ||
| if severity == "" { | ||
| severity = "HIGH,CRITICAL" | ||
| } | ||
| args = append(args, "--severity", severity) | ||
|
|
||
| // Apply --pkg-types (use default if not specified) | ||
| pkgTypes := pkgTypesFlag | ||
| if pkgTypes == "" { | ||
| pkgTypes = "os" | ||
| } | ||
| args = append(args, "--pkg-types", pkgTypes) | ||
|
|
||
| // Always apply --exit-code 1 (not user-configurable) | ||
| args = append(args, "--exit-code", "1") | ||
|
|
||
| // Add the image name as the last argument | ||
| args = append(args, imageName) | ||
|
|
||
| return args | ||
| } | ||
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The regex pattern allows characters that may not be valid in Docker image references. Specifically, the underscore character is not typically allowed in Docker image repository names (though it's allowed in tags). The pattern
^[a-zA-Z0-9][a-zA-Z0-9._\-/:@]*$would allow "my_invalid_repo:tag" which Docker would reject.According to the Docker image specification, repository names should follow stricter rules. While the subsequent dangerous character checks provide some protection, having an inaccurate regex could cause confusing error messages where validation passes but Docker rejects the image name.