This branch is 23 commits ahead, 1 commit behind simon3z:master.
nimrodshn Merge pull request #106 from bagnaram/master
Fix XML Parse Result Order
Latest commit c5b06d1 Jun 5, 2019
Type Name Latest commit message Commit time
cmd Add option to scan an existing container Oct 2, 2017
examples/openshift/clamav add example and update README Jun 28, 2017
hack Fix go version check to accept go1.10+ Feb 7, 2019
kubernetes
pkg Bugfix Jan 3, 2019
test/end-to-end
vendor downgrading webdav to db8e4de5 Jan 26, 2018
.dockerignore build: ignoring the generated lib files Apr 28, 2016
.gitignore add basic building and testing scripts Sep 28, 2016
.travis.sh add integration tests and run them with travis Aug 23, 2017
.travis.yml Use context in the scanner Sep 20, 2017
Dockerfile yum install each package individually to fail immediately if not found Feb 6, 2019
Dockerfile.travis yum install each package individually to fail immediately if not found Feb 6, 2019
LICENSE Initial commit May 21, 2015
Makefile golang: use vendor path for dependencies Jun 22, 2017
README.md update readme with --scan-type argument Oct 5, 2017
cccp.yml Fix-88 Starts building image-inspector image at registry.centos.org Jan 8, 2018
vendor.conf downgrading webdav to db8e4de5 Jan 26, 2018

README.md

Image Inspector

Image Inspector can extract Docker images to a target directory and (optionally) serve the content through WebDAV.

$ image-inspector --image=fedora:22 --serve 0.0.0.0:8080 --scan-type=openscap
2015/12/10 19:24:44 Image fedora:22 is available, skipping image pull
2015/12/10 19:24:44 Extracting image fedora:22 to
                    /var/tmp/image-inspector-121627917
2015/12/10 19:24:46 Serving image content
                    /var/tmp/image-inspector-121627917 on
                    webdav://0.0.0.0:8080/api/v1/content/

$ cadaver http://localhost:8080/api/v1/content
dav:/api/v1/content/> ls
Listing collection `/api/v1/content/': succeeded.
Coll:   boot                                4096  Dec 10 20:24
Coll:   dev                                 4096  Dec 10 20:24
Coll:   etc                                 4096  Dec 10 20:24
Coll:   home                                4096  Dec 10 20:24
Coll:   lost+found                          4096  Dec 10 20:24
...

OpenSCAP support

Image Inspector can inspect images using OpenSCAP and serve the scan result. The OpenSCAP scan report will be served on <serve_path>/api/v1/openscap and the status of the scan will be available on <serve_path>/api/v1/metadata in the OpenSCAP section. An HTML OpenSCAP scan report will be served on <serve_path>/api/v1/openscap-report if the --openscap-html-report option is used.

$ sudo image-inspector --image=fedora:22 --path=/tmp/image-content --scan-type=openscap \
		--serve 0.0.0.0:8080 --chroot
2016/05/25 16:12:04 Image fedora:22 is available, skipping image pull
2016/05/25 16:12:04 Extracting image fedora:22 to /tmp/image-content
2016/05/25 16:12:14 OpenSCAP scanning /tmp/image-content. Placing results in /var/tmp/image-inspector-scan-results-845509636
2016/05/25 16:12:20 Serving image content /tmp/image-content on webdav://0.0.0.0:8080/api/v1/content/

ClamAV support

Image Inspector can inspect images using ClamAV. To use the ClamAV scan, you first have to install the ClamAV server. To initiate the scan, provide the location of the ClamAV socket file using the --clam-socket flag:

$ sudo image-inspector --image=mfojtik/virus-test:latest --scan-type=clamav --clam-socket=/var/run/clamd.socket
2017/06/20 19:40:48 Pulling image docker.io/mfojtik/virus-test:latest
2017/06/20 19:40:51 Extracting image docker.io/mfojtik/virus-test:latest to /var/tmp/image-inspector-992373344
2017/06/20 19:40:55 clamav scan took 1s (1 problems found)

Integration with third-party services

To retrieve the compacted scan results, you can provide the -post-results-url option, which causes Image Inspector to HTTP POST the results in JSON form to the given URL. To make sure you only process results from an Image Inspector you trust, you can provide the -post-results-token-file option and point it to a file containing a shared token.
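
A sketch of the receiving side of that POST, added here as an example and not taken from the image-inspector code base. It assumes the shared token arrives in a `token` query parameter (the page does not say how the token is transmitted) and decodes the JSON generically because the result schema is not shown here; `resultsHandler` and `postStatus` are hypothetical names.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// resultsHandler passes posted scan results to accept only when the request
// carries the shared token. Assumption: the token is a "token" query parameter.
func resultsHandler(sharedToken string, accept func(map[string]interface{})) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "POST only", http.StatusMethodNotAllowed)
			return
		}
		got := r.URL.Query().Get("token")
		// Reject an unset token; compare in constant time so timing does not show how many bytes matched.
		if sharedToken == "" || subtle.ConstantTimeCompare([]byte(got), []byte(sharedToken)) != 1 {
			http.Error(w, "bad token", http.StatusUnauthorized)
			return
		}
		var results map[string]interface{}
		dec := json.NewDecoder(http.MaxBytesReader(w, r.Body, 10<<20)) // cap the body at 10 MiB
		if err := dec.Decode(&results); err != nil {
			http.Error(w, "invalid JSON", http.StatusBadRequest)
			return
		}
		accept(results)
		w.WriteHeader(http.StatusNoContent)
	})
}

// postStatus sends one constructed request to the handler and returns the status code.
func postStatus(h http.Handler, method, token, body string) int {
	req := httptest.NewRequest(method, "/results?token="+token, strings.NewReader(body))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := resultsHandler("tok-constructed", func(m map[string]interface{}) { fmt.Println("accepted:", m) })
	fmt.Println(postStatus(h, "POST", "tok-constructed", `{"scanner":"clamav"}`))
	fmt.Println(postStatus(h, "POST", "wrong", `{"scanner":"clamav"}`))
}
```

Expose such a receiver over TLS only, since a shared token sent in clear text can be read in transit.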

Building

To build the image-inspector you can run this command:

$ make

Running as a container

$ docker run -ti --rm --privileged -p 8080:8080 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  openshift/image-inspector --image=registry.access.redhat.com/rhel7:latest \
  --path=/tmp/image-content --scan-type=openscap --serve 0.0.0.0:8080