Skip to content

Commit

Permalink
Merge pull request #64 from equinor/main
Browse files Browse the repository at this point in the history
Release radix-vulnerability-scanner
  • Loading branch information
nilsgstrabo authored Apr 19, 2024
2 parents adb03fc + a903c70 commit 41812d1
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 10 deletions.
4 changes: 2 additions & 2 deletions charts/radix-vulnerability-scanner/Chart.yaml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
apiVersion: v1
appVersion: 1.1.2
version: 1.1.2
appVersion: 1.1.3
version: 1.1.3
description: Scan images in RadixDeployments for vulnerabilities
name: radix-vulnerability-scanner
19 changes: 11 additions & 8 deletions pkg/scan/snyk.go
Original file line number Diff line number Diff line change
Expand Up @@ -41,12 +41,13 @@ func NewSnykScanner(executor executor.Executor, opts ...SnykOption) *SnykScanner
}

func (s *SnykScanner) Scan(ctx context.Context, image string, dockerConfig dockercfg.Config) (*ScanResult, error) {

logger := log.Ctx(ctx).With().Str("pkg", "scan").Str("image", image).Logger()
ctx = logger.WithContext(ctx)
auths := append(s.commonDockerAuths, &dockerConfig)
var credArgs []string
// Try to get docker creds for image from common auths
for _, auth := range auths {
tmpCreds, err := s.getCredentialArgs(image, auth)
tmpCreds, err := s.getCredentialArgs(ctx, image, auth)
if err != nil {
return nil, err
}
Expand All @@ -64,17 +65,18 @@ func (s *SnykScanner) Scan(ctx context.Context, image string, dockerConfig docke
return nil
}

log.Ctx(ctx).Debug().Str("pkg", "scan").Str("image", image).Msg("scanning image")
logger.Debug().Msg("scanning image")
testArgs := []string{"container", "test", "--json", image}
var testArgsWithCreds []string
testArgsWithCreds = append(testArgsWithCreds, testArgs...)
testArgsWithCreds = append(testArgsWithCreds, credArgs...)
buf := &bytes.Buffer{}
err := scanFn(ctx, testArgsWithCreds, buf)
log.Trace().Str("pkg", "scan").Stringer("result", buf).Strs("args", testArgsWithCreds).Err(err).Msg("scan completed")
logger.Trace().Stringer("result", buf).Strs("args", testArgsWithCreds).Err(err).Msg("scan completed")

if err != nil {
if len(credArgs) == 0 {
logger.Warn().Stringer("stdout", buf).Msg("scan failed")
return nil, err
}

Expand All @@ -85,11 +87,12 @@ func (s *SnykScanner) Scan(ctx context.Context, image string, dockerConfig docke
// parameter contains invalid credentials for docker.io. Even if redis:latest is public, the invalid credentials
// from the `auths` parameter causes the scan to fail. We'll therefore try to do a second scan
// without supplying credential arguments
log.Ctx(ctx).Debug().Str("pkg", "scan").Str("image", image).Msg("scanning image again without creds")
logger.Debug().Msg("scanning image again without creds")
buf = &bytes.Buffer{}
err = scanFn(ctx, testArgs, buf)
log.Trace().Str("pkg", "scan").Stringer("result", buf).Strs("args", testArgsWithCreds).Err(err).Msg("retry scan completed")
logger.Trace().Stringer("result", buf).Strs("args", testArgsWithCreds).Err(err).Msg("retry scan completed")
if err != nil {
logger.Warn().Stringer("stdout", buf).Msg("scan failed")
return nil, err
}
}
Expand All @@ -102,8 +105,8 @@ func (s *SnykScanner) Scan(ctx context.Context, image string, dockerConfig docke
return &result, nil
}

func (s *SnykScanner) getCredentialArgs(image string, authProvider registry.AuthProvider) ([]string, error) {
auth, err := authProvider.GetAuth(context.Background(), image)
func (s *SnykScanner) getCredentialArgs(ctx context.Context, image string, authProvider registry.AuthProvider) ([]string, error) {
auth, err := authProvider.GetAuth(ctx, image)
if err != nil {
return nil, err
}
Expand Down

0 comments on commit 41812d1

Please sign in to comment.