Extract images from Dockerfiles (#1002)
* added image details in config

* updated doc with supported kustomize version

* fixed test cases

* fixed lint error
nasir-rabbani authored Aug 24, 2021
1 parent a559f4b commit 256facf
Showing 4 changed files with 19 additions and 2 deletions.
2 changes: 1 addition & 1 deletion docs/usage/command_line_mode.md
@@ -260,7 +260,7 @@ aws_ecr_repository:
| -d | Use this to scan a specific directory. Use "." for current directory | AWS, GCP, Azure, and GitHub|
| -f | Use this command to scan a specific file | <tbd any formats/limitations for example file size> |
| -i type | Use this to change the IaC provider | arm, cft, docker, helm, k8s, kustomize, **terraform**|
| -i version | Use this in conjunction with `- i type` to specify the version of IaC provider | Supported versions of each IaC are: `arm: v1, cft: v1, docker: v1, helm: v3, k8s: v1, kustomize: v3, terraform: v12, v13, v14, v15`|
| -i version | Use this in conjunction with `- i type` to specify the version of IaC provider | Supported versions of each IaC are: `arm: v1, cft: v1, docker: v1, helm: v3, k8s: v1, kustomize: v2, v3, v4, terraform: v12, v13, v14, v15`|
| -p | Use this to specify directory path for policies | By default policies are installed here: <tbd specify a default path> |
| -t | Use this to specify individual cloud providers | **all**, aws, azure, gcp, github, k8s|
| -r | Use this to specify directory path for remote backend | git, s3, gcs, http |
2 changes: 1 addition & 1 deletion pkg/iac-providers/docker/v1/load-dir_test.go
@@ -88,7 +88,7 @@ func TestLoadIacDir(t *testing.T) {
MaxSeverity: "None",
MinSeverity: "High"}},
"docker_dockerfile": []output.ResourceConfig{{ID: "docker_dockerfile.96052d48e5364a05995aaec1e5d53f2d", Name: "Dockerfile", ModuleName: "", Source: "Dockerfile", PlanRoot: "", Line: 1, Type: "docker_dockerfile", Config: []string{"from", "cmd"}, SkipRules: []output.SkipRule{{Rule: "AWS.S3Bucket.DS.High.1041", Comment: "This rule does not belong to dockerfile will add correct once dockerfile policy added."}}, MaxSeverity: "None", MinSeverity: "High"}},
"docker_from": []output.ResourceConfig{{ID: "docker_from.68be487d8ad02b4e09b46d29c8dbef3b", Name: "Dockerfile", ModuleName: "", Source: "Dockerfile", PlanRoot: "", Line: 1, Type: "docker_from", Config: "runatlantis/atlantis:v0.16.1", SkipRules: []output.SkipRule{{Rule: "AWS.S3Bucket.DS.High.1041", Comment: "This rule does not belong to dockerfile will add correct once dockerfile policy added."}}, MaxSeverity: "None", MinSeverity: "High"}}},
"docker_from": []output.ResourceConfig{{ID: "docker_from.68be487d8ad02b4e09b46d29c8dbef3b", Name: "Dockerfile", ModuleName: "", Source: "Dockerfile", PlanRoot: "", Line: 1, Type: "docker_from", Config: "runatlantis/atlantis:v0.16.1", SkipRules: []output.SkipRule{{Rule: "AWS.S3Bucket.DS.High.1041", Comment: "This rule does not belong to dockerfile will add correct once dockerfile policy added."}}, MaxSeverity: "None", MinSeverity: "High", ContainerImages: []output.ContainerDetails{{Image: "runatlantis/atlantis:v0.16.1"}}}}},
wantErr: nil,
},
}
7 changes: 7 additions & 0 deletions pkg/iac-providers/docker/v1/load-file.go
@@ -34,6 +34,8 @@ const (
docker string = "docker"
resourceTypeDockerfile string = "dockerfile"
underScoreSeparator string = "_"
dockerFromInstruction string = "from"
dockerScratchImage string = "scratch"

// IDConnectorString is string connector used in id creation
IDConnectorString string = "."
@@ -73,6 +75,11 @@ func (dc *DockerV1) LoadIacFile(absFilePath string, options map[string]interface
MinSeverity: minSeverity,
MaxSeverity: maxSeverity,
}
if data[i].Cmd == dockerFromInstruction && strings.Fields(data[i].Value)[0] != dockerScratchImage {
config.ContainerImages = append(config.ContainerImages, output.ContainerDetails{
Image: strings.Fields(data[i].Value)[0],
})
}
allResourcesConfig[config.Type] = append(allResourcesConfig[config.Type], config)

}
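Review bot: `strings.Fields(data[i].Value)[0]` in the new `if` indexes the first field without checking that one exists, so a `from` entry whose value is empty or whitespace-only would panic with an index out of range while the file is being loaded. Whether the Dockerfile parser can return such an entry is not visible here, but this loader runs on whatever Dockerfile sits in the scanned repository, so the guard is cheap. Compute the fields once and check the length: `fields := strings.Fields(data[i].Value)`, then `if data[i].Cmd == dockerFromInstruction && len(fields) > 0 && fields[0] != dockerScratchImage {` and `Image: fields[0]`. The first field is also recorded as an image when it names an earlier build stage (`FROM builder`), which would put a non-image name into `ContainerImages`; a comment next to `dockerScratchImage` saying that `scratch` is the only value excluded would make that limit explicit. LoadIacFile begins and ends outside the hunk.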
10 changes: 10 additions & 0 deletions pkg/iac-providers/docker/v1/load-file_test.go
@@ -90,6 +90,11 @@ var multiStageDockerfileConfig = output.AllResourceConfigs{
SkipRules: []output.SkipRule(nil),
MaxSeverity: "",
MinSeverity: "",
ContainerImages: []output.ContainerDetails{
{
Image: "golang:alpine",
},
},
},
{
ID: "docker_from.3e7f6a412bae2c36b5e8123c0d437288",
@@ -103,6 +108,11 @@ var multiStageDockerfileConfig = output.AllResourceConfigs{
SkipRules: []output.SkipRule(nil),
MaxSeverity: "",
MinSeverity: "",
ContainerImages: []output.ContainerDetails{
{
Image: "alpine:3.12.0",
},
},
},
},
"docker_run": []output.ResourceConfig{
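Review bot: The updated fixtures only cover `from` entries that name a real image (`golang:alpine`, `alpine:3.12.0`); nothing visible in this section exercises the `scratch` exclusion added in load-file.go. A fixture with a `FROM scratch` stage whose expected `ContainerImages` is nil would pin that branch, and one where a later stage starts from an earlier stage's alias would document what the loader records in that case. The rest of the test file is outside this view, so such a case may already exist.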