docker-nancy: it's like nancy... on a boat!
Nancy is a tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index, and docker-nancy wraps the nancy executable in a Docker image.
You can see an example of using nancy in Travis-CI at this intentionally vulnerable repo we made.
The best way to get up and running is to clone this repository, build the image, and create an alias that runs the built image against your current directory (single quotes are used so that $(pwd) is expanded each time the alias is used rather than once when it is defined):

docker build -t sonatype-nexus-community/docker-nancy:latest .
alias nancy='docker run -it --rm -v $(pwd):/tmp --name nancy sonatype-nexus-community/docker-nancy:latest'
Once the image is built and the alias has been created, run nancy in a directory containing a go.sum file as follows:
There is a known limitation right now where the container will only process go.sum files that exist in the current directory (the directory mounted into the container). This is different than the implementation of the non-containerized
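The following wrapper is an added example, not part of docker-nancy itself. It applies the known limitation above as an explicit check (refusing to start the container when the current directory has no go.sum, which would otherwise produce a confusing scan of nothing) and passes any nancy options through to the container. The function and variable names (IMAGE, nancy_cmd, nancy_run) are assumptions; the image tag is the one built from this repository.

```shell
#!/bin/sh
# Added example for docker-nancy (not the project's own code).
# IMAGE is assumed to be the tag produced by the docker build above.
IMAGE="sonatype-nexus-community/docker-nancy:latest"

# Compose the docker run command for the given directory, applying the
# known limitation: nancy in the container only sees a go.sum that lives
# in the mounted directory. Prints the command instead of running it, so
# it can be inspected (or eval'd) without Docker being present.
# Any further arguments are appended as nancy options.
nancy_cmd() {
  dir="$1"; shift
  if [ ! -f "$dir/go.sum" ]; then
    echo "error: no go.sum in $dir (the container only scans go.sum in the mounted directory)" >&2
    return 1
  fi
  # -v mounts the directory at /tmp, where the containerized nancy looks for go.sum
  printf 'docker run --rm -v %s:/tmp --name nancy %s' "$dir" "$IMAGE"
  for opt in "$@"; do
    printf ' %s' "$opt"
  done
  printf '\n'
}

# Scan the current directory, passing nancy options through, e.g.
#   nancy_run -quiet
#   nancy_run -exclude-vulnerability CVE-0000-0000   # placeholder CVE id
nancy_run() {
  cmd=$(nancy_cmd "$(pwd)" "$@") || return 1
  eval "$cmd"
}
```

The generated command omits the alias's -it flags so that it also works from CI jobs without a TTY; add them back if you want colorized, interactive output.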
To view other commands and options, simply run the nancy alias:

$ nancy
Usage:
  nancy [options] </path/to/Gopkg.lock>
  nancy [options] </path/to/go.sum>
Options:
  -exclude-vulnerability value
        Comma seperated list of CVEs to exclude
  -no-color
        indicate output should not be colorized
  -noColor
        indicate output should not be colorized (deprecated: please use no-color)
  -quiet
        indicate output should contain only packages with vulnerabilities
  -version
        prints current nancy version
We care a lot about making the world a safer place, and that's why we created docker-nancy. If you too want to speed up the pace of software development by working on this project, jump on in! Before you start work, create a new issue, or comment on an existing issue, to let others know you are!
The nancy logo was created using a combo of Gopherize.me and good ole Photoshop. Thanks to the creators of Gopherize for an easy way to make a fun Gopher :)
Thank you to The Lonely Island for your late night inspiration about boats...
The Fine Print
It is worth noting that this is NOT SUPPORTED by Sonatype, and is a contribution of ours to the open source community (read: you!)
- Use this contribution at the risk tolerance that you have
- Do NOT file Sonatype support tickets related to docker-nancy support in regard to this project
- DO file issues here on GitHub, so that the community can pitch in
Looking to contribute to our code but need some help? There are a few ways to get information: