Versions Compared

Old Version 16

changes.mady.by.user Tsur Rothfeld

Saved on

compared with

New Version 17

changes.mady.by.user Tsur Rothfeld

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Overview

You can scan Docker images by running the Unified Agent in Docker mode (using the 'scanImages' parameter). In this mode, only the the Docker Image scan and and Package Manager scan  scan (scanPackageManager) will take place.
A General scan  General scan using local resolvers (package manager) will only take place if the resolvers are installed and available locally. 

Info

For scanning an RPM-based Docker container, RPM database compatibility between the container and the machine in which the scan is performed will increase the accuracy of the results.

Prerequisites

  • Docker installed

  • Unified Agent version 18.2.2 and above 

Info

When scanning a Docker image on Windows, the CMD tool must be executed with the 'Run as Administrator' option.

Configurations

  • Set the Boolean property 'docker.scanImages' in the config file to true. This setting runs a "docker images" command in the background and parses the output line by line with the docker.includes and docker.excludes GLOB patterns in order to select which of the existing docker images to scan.

  • Set the GLOB pattern property for 'docker.includes' and 'docker.excludes'. 

  • Set the Integer property 'archiveExtractionDepth' when you wish to extract archive files from the docker image.

Example

docker.scanImages=true

docker.includes=.*alpine.*

docker.excludes=.*2017.10.01.* .*2017.06.01.*

The above example configures the Unified Agent to scan all the docker repositories named *alpine.* except for the 2 image tags in the 'excludes' section.

Alternatively, you can leave both the 'docker.includes' and 'docker.excludes' parameters commented out if you want to scan all your image containers. 

The scanner saves your required images and scans all the file system and installed packages.
It scans all the image layers, and handles archive files in the layers based on the value in the property 'archiveExtractionDepth'.

...

The scanning results are displayed in a new WhiteSource project. The docker.projectNameFormat parameter determines the format: 

  • If the value is set to default, the project name created in WhiteSource comprises the Docker repository name, tag and ID, in the following format:

<Image Name> <Image Tag> <Image ID>

  • If the value is set to repositoryNameAndTag, then the project name created in WhiteSource comprises the Docker repository name and tag, in the following format:

<Image Name> <Image Tag>

  • If the value is set to repositoryName,  the project name comprises only the Docker repository name:

<Image Name> Name>