A minimalist Go API to scan Docker images for security vulnerabilities and weaknesses
Requirements:
- Docker
- Docker Compose
- Go 1.12+
Clone this repository
git clone https://github.com/abhisek/container-image-scanner-api && \
cd container-image-scanner-api
Build the API server
make
Start services
docker-compose up
The API server container mounts current directory for ease in development. You can re-build API server and restart the service:
docker-compose restart apisvrwithout having the need to rebuild the entire API Server image.
Submit scan:
curl -d '{"image": "ubuntu"}' http://localhost:8000/scans
Get scan status
curl http://localhost:8000/scans/:scan_id/status
Get scan report
curl http://localhost:8000/scans/:scan_id
Note: Scan reports are stored in Redis server with expiration set to 15 minutes. To change time window or disable report expiration set the following environment variable
# Disable report expiration in Redis
export REPORT_EXPIRATION_WINDOW=0
# Set report expiration window to 30 minutes
export REPORT_EXPIRATION_WINDOW=1800
The application uses docker:dind (Docker in Docker) for pulling image and scanning with external tools (currently only Trivy and Dockle). This model is to ensure we can run this safely in Kubernetes and avoid any dependency or clutter in host system.
Three containers are used to deliver the service:
- Docker in Docker (DIND) container
- API Server (This app) container
- Redis (For data structure persistence)
/var/run is shared between the two containers to allow API Server access to DIND through unix socket in /var/run/docker.sock
In memory data structure with go-routine based asynchronous tasks. Check service.go for more details.
Redis is used for persistence with 15 minutes expiration for reports
The current version do not use persistence