Ensure CIS Docker scanner operability with VMClarity
Overview
Dockle requires a DOCKER or DOCKER-ARCHIVE source as input, whereas VMClarity providers usually produce ROOTFS artefacts that need to be scanned.
- Investigate how to scan a ROOTFS with the CIS Docker scanner (check whether scanning can be delegated to dockle as-is, or whether a preparatory step such as archiving the ROOTFS is needed).
- Check which input types can be scanned (ideally we want to support DIR, ROOTFS, IMAGE, DOCKERARCHIVE, OCIARCHIVE and OCIDIR). Collect notes.
Context
Dockle scans the filesystem as defined in https://github.com/Portshift/dockle/blob/6cd22e0b9ebed566c510136a4a29089e272e9971/pkg/scanner/scan.go#L35-L76. The actual checks are performed by the assessor package at https://github.com/Portshift/dockle/tree/master/pkg/assessor.
In essence, we can use the assessor package directly to scan a given directory, rather than creating a scan for dockle to perform, in order to avoid the limitations on input types.