image-inspector

module

v2.4.1+incompatible Latest Latest Go to latest Published: Sep 5, 2018 License: Apache-2.0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/openshift/image-inspector

Links

Open Source Insights

README ¶

Image Inspector

Image Inspector can extract docker images to a target directory and (optionally) serve the content through webdav.

$ image-inspector --image=fedora:22 --serve 0.0.0.0:8080 --scan-type=openscap
2015/12/10 19:24:44 Image fedora:22 is available, skipping image pull
2015/12/10 19:24:44 Extracting image fedora:22 to
                    /var/tmp/image-inspector-121627917
2015/12/10 19:24:46 Serving image content
                    /var/tmp/image-inspector-121627917 on
                    webdav://0.0.0.0:8080/api/v1/content/

$ cadaver http://localhost:8080/api/v1/content
dav:/api/v1/content/> ls
Listing collection `/api/v1/content/': succeeded.
Coll:   boot                                4096  Dec 10 20:24
Coll:   dev                                 4096  Dec 10 20:24
Coll:   etc                                 4096  Dec 10 20:24
Coll:   home                                4096  Dec 10 20:24
Coll:   lost+found                          4096  Dec 10 20:24
...

OpenSCAP support

Image Inspector can inspect images using OpenSCAP and serve the scan result. The OpenSCAP scan report will be served on <serve_path>/api/v1/openscap and the status of the scan will be available on <serve_path>/api/v1/metadata in the OpenSCAP section. An HTML OpenSCAP scan report will be served on <serve_path>/api/v1/openscap-report if the --openscap-html-report option is used.

$ sudo image-inspector --image=fedora:22 --path=/tmp/image-content --scan-type=openscap
		--serve 0.0.0.0:8080 --chroot
2016/05/25 16:12:04 Image fedora:22 is available, skipping image pull
2016/05/25 16:12:04 Extracting image fedora:22 to /tmp/image-content
2016/05/25 16:12:14 OpenSCAP scanning /tmp/image-content. Placing results in /var/tmp/image-inspector-scan-results-845509636
2016/05/25 16:12:20 Serving image content /tmp/image-content on webdav://0.0.0.0:8080/api/v1/content/

ClamAV support

Image Inspector can inspect images using ClamAV. To use the ClamAV scan you first have to install the ClamAV server. To initiate the scan you need to provide location of the ClamAV socket file using the -clam-socket flag:

$ sudo image-inspector --image=mfojtik/virus-test:latest --scan-type=clamav --clam-socket=/var/run/clamd.socket
2017/06/20 19:40:48 Pulling image docker.io/mfojtik/virus-test:latest
2017/06/20 19:40:51 Extracting image docker.io/mfojtik/virus-test:latest to /var/tmp/image-inspector-992373344
2017/06/20 19:40:55 clamav scan took 1s (1 problems found)

Integration with third-party services

To retrieve the compacted scan results, you can provide the -post-results-url option which will cause the Image Inspector to HTTP POST the results in JSON form to the given URL. To make sure you only process results from the Image Inspector you trust, you can provide the -post-results-token-file option and point it to a file with shared token.

Building

To build the image-inspector you can run this command:

$ make

Running as a container

$ docker run -ti --rm --privileged -p 8080:8080 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  openshift/image-inspector --image=registry.access.redhat.com/rhel7:latest \
  --path=/tmp/image-content --scan-type=openscap --serve 0.0.0.0:8080

Directories ¶

Path	Synopsis
cmd
examples
openshift/clamav/run-clam-scan
pkg
api
clamav
cmd
imageserver
inspector
openscap
util

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL