carbon-black-cloud-container-cli (also known as cbctl) is a CLI tool that scans container images, either from the command line or inside CI/CD pipelines.
Build for Linux:

```shell
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
go build \
  -tags="containers_image_openpgp exclude_graphdriver_devicemapper exclude_graphdriver_btrfs" \
  -ldflags "-X 'github.com/vmware/carbon-black-cloud-container-cli/internal/version.version=${version}' \
  -X 'github.com/vmware/carbon-black-cloud-container-cli/internal/version.buildDate=${build_date}'" \
  main.go
```

Build for macOS:

```shell
CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 \
go build \
  -tags="containers_image_openpgp exclude_graphdriver_devicemapper exclude_graphdriver_btrfs" \
  -ldflags "-X 'github.com/vmware/carbon-black-cloud-container-cli/internal/version.version=${version}' \
  -X 'github.com/vmware/carbon-black-cloud-container-cli/internal/version.buildDate=${build_date}'" \
  main.go
```

The detailed usage of cbctl can be found here: Carbon Black Container CLI
The SBOM generation and image-scan functions are exported so they can be called from your own Go code. Follow these steps to get started:

- Fetch the module:

  ```shell
  $ go get -u github.com/vmware/carbon-black-cloud-container-cli
  ```

- Create a pair of API ID & Key with the `workloads.container.image` (CREATE and READ permissions) access level in the Carbon Black Cloud console.
- Create a `RegistryHandler` for generating a Software Bill of Materials (SBOM) from the given input:
  - Create the `RegistryHandler`: `registryHandler := scan.NewRegistryHandler()`
  - Get the SBOM (options can be checked below): `sbom, err := registryHandler.Generate(input, scan.Option)`
- Create a `ScanHandler` for scanning the SBOM for vulnerabilities:
  - Create the `ScanHandler`: `scanHandler := scan.NewScanHandler(<CBC_saasURL>, <CBC_orgKey>, <apiID>, <apiKey>, <sbom>)`
  - Scan the SBOM (options can be checked below): `scannedImage, err := scanHandler.Scan(scan.Option)`
| Option Name | Type | Description |
|---|---|---|
| ForceScan | bool | Force a scan of the image even if it has already been scanned |
| Credential | string | The auth string used to log in to the registry, format: USERNAME[:PASSWORD] |
| FullTag | string | The tag set to override in the image |
| UseDockerDaemon | bool | Use the Docker daemon to pull the image |
| ShouldCleanup | bool | Delete the image pulled by Docker (should only be used when UseDockerDaemon is true) |
| Timeout | int | The duration of the scan, in seconds |
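The following is an added example, not code from the cbctl project, showing how a CI job might assemble the options from the table above before calling `Generate` and `Scan`. Because the real `scan.Option` type cannot be imported offline here, the example declares a local `scanOptions` struct that mirrors the documented field names (an assumption about the real type); the `getenv` parameter, the environment variable names and the 600-second default timeout are all choices made for this example. It enforces the two constraints the table states (ShouldCleanup only with UseDockerDaemon, Timeout is a positive number of seconds), builds the `USERNAME[:PASSWORD]` credential from separate secrets instead of a pre-joined string, and redacts the password before anything is logged.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
	"time"
)

// scanOptions mirrors the option names in the table above. It is a local
// stand-in so this example compiles without the cbctl module; a real
// integration populates scan.Option from the module instead (assumption).
type scanOptions struct {
	ForceScan       bool
	Credential      string // USERNAME[:PASSWORD]
	FullTag         string
	UseDockerDaemon bool
	ShouldCleanup   bool
	Timeout         int // seconds
}

// buildCredential assembles the documented USERNAME[:PASSWORD] string from
// separately supplied secrets. A username containing ':' would make the
// string ambiguous for the consumer, so it is rejected.
func buildCredential(user, password string) (string, error) {
	if user == "" {
		return "", errors.New("registry username must not be empty")
	}
	if strings.Contains(user, ":") {
		return "", errors.New("registry username must not contain ':'")
	}
	if password == "" {
		return user, nil // password is optional per the documented format
	}
	return user + ":" + password, nil
}

// redacted returns the credential with the password portion masked, for logs.
func redacted(cred string) string {
	user, _, hasPassword := strings.Cut(cred, ":")
	if !hasPassword {
		return user
	}
	return user + ":***"
}

// validate enforces the constraints the option table states.
func (o scanOptions) validate() error {
	if o.ShouldCleanup && !o.UseDockerDaemon {
		return errors.New("ShouldCleanup requires UseDockerDaemon")
	}
	if o.Timeout <= 0 {
		return fmt.Errorf("Timeout must be a positive number of seconds, got %d", o.Timeout)
	}
	return nil
}

// timeout converts the documented integer seconds into a time.Duration.
func (o scanOptions) timeout() time.Duration { return time.Duration(o.Timeout) * time.Second }

// boolFromEnv treats an unset variable as false and otherwise parses strictly.
func boolFromEnv(v string) (bool, error) {
	if v == "" {
		return false, nil
	}
	return strconv.ParseBool(v)
}

// optionsFromEnv builds validated options; getenv is injected so the logic is testable.
func optionsFromEnv(getenv func(string) string) (scanOptions, error) {
	cred, err := buildCredential(getenv("REGISTRY_USER"), getenv("REGISTRY_PASSWORD"))
	if err != nil {
		return scanOptions{}, err
	}
	opts := scanOptions{Credential: cred, FullTag: getenv("IMAGE_FULL_TAG"), Timeout: 600}
	if opts.ForceScan, err = boolFromEnv(getenv("FORCE_SCAN")); err != nil {
		return scanOptions{}, fmt.Errorf("FORCE_SCAN: %w", err)
	}
	if opts.UseDockerDaemon, err = boolFromEnv(getenv("USE_DOCKER_DAEMON")); err != nil {
		return scanOptions{}, fmt.Errorf("USE_DOCKER_DAEMON: %w", err)
	}
	if opts.ShouldCleanup, err = boolFromEnv(getenv("SHOULD_CLEANUP")); err != nil {
		return scanOptions{}, fmt.Errorf("SHOULD_CLEANUP: %w", err)
	}
	if s := getenv("SCAN_TIMEOUT_SECONDS"); s != "" {
		if opts.Timeout, err = strconv.Atoi(s); err != nil {
			return scanOptions{}, fmt.Errorf("SCAN_TIMEOUT_SECONDS: %w", err)
		}
	}
	return opts, opts.validate()
}

func main() {
	opts, err := optionsFromEnv(os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, "invalid scan options:", err)
		os.Exit(2)
	}
	// Only the redacted credential ever reaches the log.
	fmt.Printf("scanning %s as %s with timeout %s\n", opts.FullTag, redacted(opts.Credential), opts.timeout())
	// Here the validated values would be copied into scan.Option and passed to
	// registryHandler.Generate and scanHandler.Scan as described above.
}
```

Keeping the credential in two environment variables and joining them in code means the secret never appears as a pre-built `user:password` string in pipeline configuration, and `redacted` is the only form that should be written to CI logs.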
Please follow CONTRIBUTING.md.