
Ensure CIS Docker scanner operability with VMClarity

Open · ramizpolic opened this issue 4 months ago · 1 comment

Overview

Dockle requires DOCKER or DOCKER-ARCHIVE as input. VMClarity providers usually produce ROOTFS artefacts that need to be scanned.

  • Investigate how to scan ROOTFS in the CIS Docker scanner (check whether delegating the scan to dockle is possible, or whether we need to do something beforehand, such as archiving)
  • Check which types are possible to scan (ideally, we want to be able to scan DIR, ROOTFS, IMAGE, DOCKERARCHIVE, OCIARCHIVE, OCIDIR). Collect notes.

Context

Dockle actually scans the filesystem as defined in https://github.com/Portshift/dockle/blob/6cd22e0b9ebed566c510136a4a29089e272e9971/pkg/scanner/scan.go#L35-L76. This actual scanning is done by https://github.com/Portshift/dockle/tree/master/pkg/assessor. In essence, we can directly use the assessor package to scan a given dir rather than creating a scan for dockle to perform in order to avoid limitations of input types.

ramizpolic · Feb 27 '24 09:02