quayio-scanner 0.1.2 → 0.1.3
- checksums.yaml +5 -5
 - data/Rakefile +6 -1
 - data/bin/check-container-vulnerabilities.rb +9 -2
 - data/lib/quayio/scanner/check.rb +2 -2
 - data/lib/quayio/scanner/image.rb +5 -4
 - data/lib/quayio/scanner/version.rb +1 -1
 - data/quayio-scanner.gemspec +3 -4
 - metadata +26 -12
 
    
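--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
-
-  metadata.gz:
-  data.tar.gz:
+SHA256:
+  metadata.gz: 66c2653d41f714187352754314ba1f6635f4fc5aa4a8d0898ccd3e12a5c66b96
+  data.tar.gz: c5c5766092d539ff79aef0bbf2e0ba711b665ea7f704ee8fd96caf761be1ecc4
 SHA512:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: a1f2ef52c92a20f7c5b6625cc45ce8ea238c25d3958fd4314b6dca4cebebfef1a0dd7947bc2e95840ab94dfbed7e24f7c7d95db4caab2d2b9b2432cf20f4c6d6
+  data.tar.gz: 456cbd136d5c59fd756f3ae958e87c0f19aae2f0b88945b5e4be4ebfc7fe2a53bd7fd80070ac46bf95d0efd49b1fd77fe253513a260146980763849f536cc6a6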
    
        data/Rakefile
    CHANGED
    
    
| 
         @@ -36,9 +36,16 @@ class CheckContainerVulnerabilities < Sensu::Plugin::Check::CLI 
     | 
|
| 
       36 
36 
     | 
    
         
             
                     short: '-t TOKEN',
         
     | 
| 
       37 
37 
     | 
    
         
             
                     long: '--quayio-token TOKEN'
         
     | 
| 
       38 
38 
     | 
    
         | 
| 
      
 39 
     | 
    
         
            +
              option :whitelist,
         
     | 
| 
      
 40 
     | 
    
         
            +
                     description: 'Vulnerability whitelist',
         
     | 
| 
      
 41 
     | 
    
         
            +
                     short: '-w WHITELIST[,WHITELIST]',
         
     | 
| 
      
 42 
     | 
    
         
            +
                     long: '--whitelist WHITELIST[,WHITELIST]',
         
     | 
| 
      
 43 
     | 
    
         
            +
                     default: '',
         
     | 
| 
      
 44 
     | 
    
         
            +
                     proc: proc { |w| w.split(',') }
         
     | 
| 
      
 45 
     | 
    
         
            +
             
     | 
| 
       39 
46 
     | 
    
         
             
              def run
         
     | 
| 
       40 
     | 
    
         
            -
                status, message = Quayio::Scanner::Check.new( 
     | 
| 
       41 
     | 
    
         
            -
             
     | 
| 
      
 47 
     | 
    
         
            +
                status, message = Quayio::Scanner::Check.new(
         
     | 
| 
      
 48 
     | 
    
         
            +
                    config[:docker_url], config[:quayio_token], config[:whitelist]).run
         
     | 
| 
       42 
49 
     | 
    
         | 
| 
       43 
50 
     | 
    
         
             
                if status == :ok
         
     | 
| 
       44 
51 
     | 
    
         
             
                  ok message
         
     | 
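Review bot: The new `--whitelist` option pairs `default: ''` with `proc: proc { |w| w.split(',') }`, and if the option parser applies the proc only to values given on the command line (as mixlib-cli appears to), `config[:whitelist]` is a String rather than an Array whenever the flag is omitted. `String#include?` then does substring matching and raises `TypeError` when a vulnerability name is nil, so the default should already be a list: `default: [],`. Entries are also not trimmed, so `-w 'A, B'` leaves `' B'` unmatched; `proc { |w| w.split(',').map(&:strip) }` avoids that. The page files this hunk under data/Rakefile, but its context line and the +9/-2 count match data/bin/check-container-vulnerabilities.rb in the file list, and `run` continues past the end of the hunk.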
    
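--- a/data/lib/quayio/scanner/check.rb
+++ b/data/lib/quayio/scanner/check.rb
@@ -3,7 +3,7 @@ require 'docker'
 
 module Quayio
   module Scanner
-    class Check < Struct.new(:docker_url, :quayio_token)
+    class Check < Struct.new(:docker_url, :quayio_token, :whitelist)
       def run
         Docker.url = docker_url
         containers = Docker::Container.all
@@ -11,7 +11,7 @@ module Quayio
                                       .uniq
 
         vulnerable_images = containers
-                            .map { |container| Image.new(container, quayio_token) }
+                            .map { |container| Image.new(container, quayio_token, whitelist) }
                             .select(&:vulnerable?)
                             .map(&:name)
 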
    
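--- a/data/lib/quayio/scanner/image.rb
+++ b/data/lib/quayio/scanner/image.rb
@@ -3,7 +3,7 @@ require 'rest-client'
 
 module Quayio
   module Scanner
-    class Image < Struct.new(:name, :quayio_token)
+    class Image < Struct.new(:name, :quayio_token, :whitelist)
       RELEVANT_SEVERITIES = %w(Medium High Critical)
 
       def vulnerable?
@@ -26,9 +26,10 @@ module Quayio
 
       def high_vulnerabilities_present?
         raw_scan['data']['Layer']['Features'].detect do |f|
-          f['Vulnerabilities'] &&
-
-              .
+          f['Vulnerabilities'] && f['Vulnerabilities'].detect do |v|
+            RELEVANT_SEVERITIES.include?(v['Severity']) &&
+              !whitelist.include?(v['Name'])
+          end
         end
       end
 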
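Review bot: `!whitelist.include?(v['Name'])` in `high_vulnerabilities_present?` assumes `whitelist` is always a collection, but the struct member added in the first hunk is nil for any caller that still builds `Image.new(name, token)` (the same holds for `Check` in check.rb), and the scan then fails with a `NoMethodError`. Coercing at the point of use, `!Array(whitelist).include?(v['Name'])`, keeps two-argument callers working. Separately, a whitelisted Medium/High/Critical finding is now dropped with no trace in the check result, so an image whose only findings are whitelisted reports as clean. A short comment on the method saying so, or listing the suppressed names in the check message, would make the suppression auditable.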
    
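--- a/data/quayio-scanner.gemspec
+++ b/data/quayio-scanner.gemspec
@@ -1,6 +1,4 @@
-
-
-lib = File.expand_path('../lib', __FILE__)
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'quayio/scanner/version'
 
@@ -20,10 +18,11 @@ Gem::Specification.new do |spec|
   spec.executables   = Dir.glob('bin/**/*.rb').map { |file| File.basename(file) }
   spec.require_paths = ['lib']
 
-  spec.add_dependency 'sensu-plugin', '~> 2.1'
   spec.add_dependency 'docker-api', '~> 1.33'
   spec.add_dependency 'rest-client', '~> 2.0'
+  spec.add_dependency 'sensu-plugin', '~> 2.1'
   spec.add_development_dependency 'bundler', '~> 1.14'
   spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec', '~> 3.7'
   spec.add_development_dependency 'rubocop', '~> 0.49'
 end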
    
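--- a/metadata
+++ b/metadata
@@ -1,57 +1,57 @@
 --- !ruby/object:Gem::Specification
 name: quayio-scanner
 version: !ruby/object:Gem::Version
-  version: 0.1.
+  version: 0.1.3
 platform: ruby
 authors:
 - Benjamin Meichsner
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-
+date: 2018-05-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name:
+  name: docker-api
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '
+        version: '1.33'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '
+        version: '1.33'
 - !ruby/object:Gem::Dependency
-  name:
+  name: rest-client
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '
+        version: '2.0'
 - !ruby/object:Gem::Dependency
-  name:
+  name: sensu-plugin
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.
+        version: '2.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.
+        version: '2.1'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -80,6 +80,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.7'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
@@ -133,7 +147,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.
+rubygems_version: 2.7.7
 signing_key:
 specification_version: 4
 summary: Scan quay.io for vulnerabilties in running docker containers.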