Docker Image Integration

Overview

You can scan Docker containers by running the Unified Agent in Docker mode using the docker.scanImages parameter. 

In this mode, the Linux packages are detected, and a general scan of the image file system is performed for package managers' based resolution and identification of source files/binaries.

For scanning an RPM-based Docker container, RPM database compatibility between the container and the machine in which the scan is performed will increase the accuracy of the results.

Prerequisites

  • Docker installed

  • Unified Agent version 18.2.2 and above 

When scanning a Docker image on Windows, the CMD tool must be executed with the 'Run as Administrator' option.

Configurations

  • Set the Boolean property docker.scanImages in the config file to true. This setting runs a docker images command in the background and parses the output line by line with the docker.includes and docker.excludes GLOB patterns in order to select which of the existing docker images to scan.

  • Set the GLOB pattern property for docker.includes and docker.excludes

  • Set the Integer property 'archiveExtractionDepth' when you wish to extract archive files from the docker image.

Example

docker.scanImages=true

docker.includes=.*alpine.*

docker.excludes=.*2017.10.01.* .*2017.06.01.*

The above example configures the Unified Agent to scan all the docker repositories named *alpine.* except for the 2 image tags in the 'excludes' section.

Alternatively, you can leave both the docker.includes and docker.excludes parameters commented out if you want to scan all your image containers. 

The scanner saves your required images and scans all the file systems and installed packages.
It scans all the image layers, and handles archive files in the layers based on the value in the property 'archiveExtractionDepth'.

The Docker image is saved to the temporary directory defined in your environment and is deleted immediately after the scan.

The scanning results are displayed in a new WhiteSource project. The docker.projectNameFormat parameter determines the format (only relevant when docker.scanTarFiles=False) : 

  • If the value is set to default, the project name created in WhiteSource comprises the Docker repository name, tag and ID, in the following format:

<Image Name> <Image Tag> <Image ID>

  • If the value is set to repositoryNameAndTag, then the project name created in WhiteSource comprises the Docker repository name and tag, in the following format:

<Image Name> <Image Tag>

  • If the value is set to repositoryName,  the project name comprises only the Docker repository name:

<Image Name>