Skip to content

feat: implement docker-compose image analysis #16

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Sep 26, 2025
Merged

feat: implement docker-compose image analysis #16

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
2ff22cb
feat: add compose-ast-parser
tembleking Sep 24, 2025
c8de783
feat: add code actions and code lens for docker-compose
tembleking Sep 24, 2025
c969d2b
refactor: make the server send the command with image name to scan
tembleking Sep 26, 2025
6750527
feat: receive the image in the command
tembleking Sep 26, 2025
8a33613
feat: receive the range in the command
tembleking Sep 26, 2025
e47893d
docs: add documentation
tembleking Sep 26, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
82 changes: 81 additions & 1 deletion Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 3 additions & 1 deletion Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
[package]
name = "sysdig-lsp"
version = "0.5.1"
version = "0.6.0"
edition = "2024"
authors = [ "Sysdig Inc." ]
readme = "README.md"
Expand All @@ -18,12 +18,14 @@ clap = { version = "4.5.34", features = ["derive"] }
dirs = "6.0.0"
futures = "0.3.31"
itertools = "0.14.0"
marked-yaml = { version = "0.8.0", features = ["serde"] }
rand = "0.9.0"
regex = "1.11.1"
reqwest = "0.12.14"
semver = "1.0.26"
serde = { version = "1.0.219", features = ["alloc", "derive"] }
serde_json = "1.0.135"
serde_yaml = "0.9.34"
serial_test = { version = "3.2.0", features = ["file_locks"] }
tar = "0.4.44"
thiserror = "2.0.12"
Expand Down
20 changes: 10 additions & 10 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,16 +15,16 @@ helping you detect vulnerabilities and misconfigurations earlier in the developm

## Features

| Feature | **[VSCode Extension](https://github.com/sysdiglabs/vscode-extension)** | **[Sysdig LSP](./docs/features/README.md)** |
|---------------------------------|------------------------------------------------------------------------|----------------------------------------------------------|
| Scan base image in Dockerfile | Supported | [Supported](./docs/features/scan_base_image.md) (0.1.0+) |
| Code lens support | Supported | [Supported](./docs/features/code_lens.md) (0.2.0+) |
| Build and Scan Dockerfile | Supported | [Supported](./docs/features/build_and_scan.md) (0.4.0+) |
| Layered image analysis | Supported | [Supported](./docs/features/layered_analysis.md) (0.5.0+)|
| Docker-compose image analysis | Supported | In roadmap |
| K8s Manifest image analysis | Supported | In roadmap |
| Infrastructure-as-code analysis | Supported | In roadmap |
| Vulnerability explanation | Supported | In roadmap |
| Feature | **[VSCode Extension](https://github.com/sysdiglabs/vscode-extension)** | **[Sysdig LSP](./docs/features/README.md)** |
|---------------------------------|------------------------------------------------------------------------|------------------------------------------------------------------------|
| Scan base image in Dockerfile | Supported | [Supported](./docs/features/scan_base_image.md) (0.1.0+) |
| Code lens support | Supported | [Supported](./docs/features/code_lens.md) (0.2.0+) |
| Build and Scan Dockerfile | Supported | [Supported](./docs/features/build_and_scan.md) (0.4.0+) |
| Layered image analysis | Supported | [Supported](./docs/features/layered_analysis.md) (0.5.0+) |
| Docker-compose image analysis | Supported | [Supported](./docs/features/docker_compose_image_analysis.md) (0.6.0+) |
| K8s Manifest image analysis | Supported | In roadmap |
| Infrastructure-as-code analysis | Supported | In roadmap |
| Vulnerability explanation | Supported | In roadmap |

## Build

Expand Down
3 changes: 3 additions & 0 deletions docs/features/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,4 +18,7 @@ Sysdig LSP provides tools to integrate container security checks into your devel
- Scans each Dockerfile layer individually for precise vulnerability identification.
- Supports detailed analysis in single-stage and multi-stage Dockerfiles.

## [Docker-compose Image Analysis](./docker_compose_image_analysis.md)
- Scans the images defined in your `docker-compose.yml` files for vulnerabilities.

See the linked documents for more details.
Binary file added docs/features/docker_compose_image_analysis.gif
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
20 changes: 20 additions & 0 deletions docs/features/docker_compose_image_analysis.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
# Docker-compose Image Analysis

Sysdig LSP scans the images defined in your `docker-compose.yml` files to identify vulnerabilities.

> [!IMPORTANT]
> Sysdig LSP analyzes each service's image in your compose file.

![Sysdig LSP executing docker-compose image scan](./docker_compose_image_analysis.gif)

## Example

```yaml
services:
web:
image: nginx:latest
db:
image: postgres:13
```

In this example, Sysdig LSP will provide actions to scan both `nginx:latest` and `postgres:13` images.
42 changes: 8 additions & 34 deletions src/app/commands.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,59 +67,33 @@ impl<C> CommandExecutor<C>
where
C: LSPClient,
{
pub async fn scan_image_from_file(
pub async fn scan_image(
&self,
uri: &str,
line: u32,
range: Range,
image_name: &str,
image_scanner: &impl ImageScanner,
) -> Result<()> {
let document_text = self
.document_database
.read_document_text(uri)
.await
.ok_or_else(|| {
Error::internal_error().with_message("unable to obtain document to scan")
})?;

let image_for_selected_line =
self.image_from_line(line, &document_text).ok_or_else(|| {
Error::parse_error().with_message(format!(
"unable to retrieve image for the selected line: {line}"
))
})?;

self.show_message(
MessageType::INFO,
format!("Starting scan of {image_for_selected_line}...").as_str(),
format!("Starting scan of {image_name}...").as_str(),
)
.await;

let scan_result = image_scanner
.scan_image(image_for_selected_line)
.scan_image(image_name)
.await
.map_err(|e| Error::internal_error().with_message(e.to_string()))?;

self.show_message(
MessageType::INFO,
format!("Finished scan of {image_for_selected_line}.").as_str(),
format!("Finished scan of {image_name}.").as_str(),
)
.await;

let diagnostic = {
let range_for_selected_line = Range::new(
Position::new(line, 0),
Position::new(
line,
document_text
.lines()
.nth(line as usize)
.map(|x| x.len() as u32)
.unwrap_or(u32::MAX),
),
);

let mut diagnostic = Diagnostic {
range: range_for_selected_line,
range,
severity: Some(DiagnosticSeverity::HINT),
message: "No vulnerabilities found.".to_owned(),
..Default::default()
Expand All @@ -128,7 +102,7 @@ where
if scan_result.has_vulnerabilities() {
diagnostic.message = format!(
"Vulnerabilities found for {}: {} Critical, {} High, {} Medium, {} Low, {} Negligible",
image_for_selected_line,
image_name,
scan_result.count_vulns_of_severity(VulnSeverity::Critical),
scan_result.count_vulns_of_severity(VulnSeverity::High),
scan_result.count_vulns_of_severity(VulnSeverity::Medium),
Expand Down
Loading