Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 17 Next »

Overview

You can scan Docker images by running the Unified Agent in Docker mode (using the 'scanImages' parameter). In this mode, only the Docker Image scan and Package Manager scan (scanPackageManager) will take place.
A General scan using local resolvers (package manager) will only take place if the resolvers are installed and available locally. 

For scanning an RPM-based Docker container, RPM database compatibility between the container and the machine in which the scan is performed will increase the accuracy of the results.

Prerequisites

  • Docker installed

  • Unified Agent version 18.2.2 and above 

When scanning a Docker image on Windows, the CMD tool must be executed with the 'Run as Administrator' option.

Configurations

  • Set the Boolean property 'docker.scanImages' in the config file to true. This setting runs a "docker images" command in the background and parses the output line by line with the docker.includes and docker.excludes GLOB patterns in order to select which of the existing docker images to scan.

  • Set the GLOB pattern property for 'docker.includes' and 'docker.excludes'. 

  • Set the Integer property 'archiveExtractionDepth' when you wish to extract archive files from the docker image.

Example

docker.scanImages=true

docker.includes=.*alpine.*

docker.excludes=.*2017.10.01.* .*2017.06.01.*

The above example configures the Unified Agent to scan all the docker repositories named *alpine.* except for the 2 image tags in the 'excludes' section.

Alternatively, you can leave both the 'docker.includes' and 'docker.excludes' parameters commented out if you want to scan all your image containers. 

The scanner saves your required images and scans all the file system and installed packages.
It scans all the image layers, and handles archive files in the layers based on the value in the property 'archiveExtractionDepth'.

The Docker image is saved to the temporary directory defined in your environment, and is deleted immediately after the scan.

The scanning results are displayed in a new WhiteSource project. The docker.projectNameFormat parameter determines the format: 

  • If the value is set to default, the project name created in WhiteSource comprises the Docker repository name, tag and ID, in the following format:

<Image Name> <Image Tag> <Image ID>

  • If the value is set to repositoryNameAndTag, then the project name created in WhiteSource comprises the Docker repository name and tag, in the following format:

<Image Name> <Image Tag>

  • If the value is set to repositoryName,  the project name comprises only the Docker repository name:

<Image Name> 

  • No labels

Copyright © 2024 Mend.io (White Source Ltd.) | All rights reserved.