This repository was archived by the owner on Nov 27, 2023. It is now read-only.

Scan suggest message when compose build / compose up #1351

gtardif merged 6 commits into docker-archive:main from gtardif:scan_suggest on Feb 26, 2021

@gtardif (Contributor) commented Feb 24, 2021

What I did

  • Add scan suggest message at the end of docker compose build, and end of build section when docker compose up
  • Check scan plugin is available before displaying message
  • Allow users to turn this off by setting DOCKER_SCAN_SUGGEST = false
  • Do not display message if user has already used scan command

$ ./bin/docker compose -f ./local/e2e/compose/fixtures/build-test/compose.yml build
...
=> [build-test_nginx] exporting to image  
=> => exporting layers            
=> => writing image sha256:f727547da0e5aa30472c3705fd70bfe02ce300e50be0665eca05b6482bdd1aa9        
=> => naming to docker.io/gtardif/custom-nginx:1.0 
=> => naming to docker.io/library/build-test_nginx       
Try scanning the image you have just built to identify vulnerabilities with Docker’s new security tool: 
docker scan myorg/custom-nginx:1.0
docker scan build-test_nginx
$

and compose up:

$ ./bin/docker compose -f ./local/e2e/compose/fixtures/build-test/compose.yml up -d
...
=> => writing image sha256:f727547da0e5aa30472c3705fd70bfe02ce300e50be0665eca05b6482bdd1aa9
=> => naming to docker.io/library/build-test_nginx                 
=> => naming to docker.io/library/custom-nginx    
Try scanning the image you have just built to identify vulnerabilities with Docker’s new security tool: 
docker scan build-test_nginx
docker scan custom-nginx
[+] Running 3/3
 ⠿ Network "build-test_default"   Created    
 ⠿ Container build-test_nginx_1   Started    
 ⠿ Container build-test_nginx2_1  Started   
$    

@gtardif gtardif marked this pull request as draft February 24, 2021 17:39
@github-actions github-actions Bot added the local Local context (moby) label Feb 24, 2021
@gtardif gtardif force-pushed the scan_suggest branch 2 times, most recently from 82ffe5b to 17f8c02 Compare February 24, 2021 17:48
Signed-off-by: Guillaume Tardif <guillaume.tardif@gmail.com>
@gtardif gtardif marked this pull request as ready for review February 25, 2021 08:58
Comment thread local/compose/scan_suggest.go Outdated
for _, image := range builtImages {
commands = append(commands, fmt.Sprintf("docker scan %s", image))
}
allCommands := strings.Join(commands, ", ")
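
Review bot: `strings.Join(commands, ", ")` puts every suggested `docker scan` command on one comma-separated line, so once more than one image is built none of them can be copied and run as printed. Join with a newline, or print each command from inside the loop, so that each built image gets its own line.
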
Contributor

Maybe output one scan command per line. Having all commands on one line would be confusing (unless we can pass all images to one scan command).

Contributor Author

updated with this

Comment thread local/compose/scan_suggest.go Outdated
type scanOptin struct {
Optin bool `json:"optin"`
}
data, err := ioutil.ReadFile("/tmp/dat")
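
Review bot: the `ioutil.ReadFile("/tmp/dat")` call reads the scan opt-in state from a fixed file in /tmp, a directory every local account can write to, so the content of that file is not under the invoking user's control. Read the opt-in from a file under the user's own Docker configuration directory instead, and since the handling of `err` is not visible in these lines, make sure a missing file is treated as an expected case rather than an error.
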
Contributor

Should this filepath be scan/config.json?

Contributor Author

Ouch, of course, cp/paste error...

Signed-off-by: Guillaume Tardif <guillaume.tardif@gmail.com>
@gtardif (Contributor Author) commented Feb 26, 2021

Updated message after sync/confirmation by various teams: 'Use 'docker scan' to run Snyk tests against images to find vulnerabilities and learn how to fix them'

@gtardif gtardif merged commit f6354e5 into docker-archive:main Feb 26, 2021
@gtardif gtardif deleted the scan_suggest branch February 26, 2021 09:12