scanner

package v1.0.3

Warning: This package is not in the latest version of its module.

Published: Apr 1, 2026 License: MIT Imports: 9 Imported by: 0

Documentation

Overview

Package scanner - Grype scanner adapter implementation

Package scanner - Orchestrator for running multiple scanners concurrently

Package scanner provides the abstraction layer for container vulnerability scanners.

Design Pattern: Strategy Pattern

The Scanner interface defines a contract that all scanner implementations must follow. This enables:

1. Easy addition of new scanners without modifying existing code (Open/Closed Principle)
2. Runtime selection of scanners
3. Mock implementations for testing
4. Consistent error handling across all scanners

Architecture Decision: Why Interface-Based Design?

- Decouples the orchestration logic from specific scanner implementations
- Enables unit testing with mock scanners
- Allows users to add custom scanners by implementing the interface
- Follows SOLID principles, specifically Interface Segregation

Package scanner - Trivy scanner adapter implementation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func DescribeRegistry added in v1.0.3

func DescribeRegistry(reg *Registry) string

Types

type DockerGrypeScanner added in v1.0.3

type DockerGrypeScanner struct {
	// contains filtered or unexported fields
}

func NewDockerGrypeScanner added in v1.0.3

func NewDockerGrypeScanner() *DockerGrypeScanner

func (*DockerGrypeScanner) Info added in v1.0.3

func (*DockerGrypeScanner) IsAvailable added in v1.0.3

func (d *DockerGrypeScanner) IsAvailable() bool

func (*DockerGrypeScanner) Name added in v1.0.3

func (d *DockerGrypeScanner) Name() string

func (*DockerGrypeScanner) Scan added in v1.0.3

func (d *DockerGrypeScanner) Scan(ctx context.Context, target string) (*models.ScanResult, error)

type DockerTrivyScanner added in v1.0.3

type DockerTrivyScanner struct {
	// contains filtered or unexported fields
}

func NewDockerTrivyScanner added in v1.0.3

func NewDockerTrivyScanner() *DockerTrivyScanner

func (*DockerTrivyScanner) Info added in v1.0.3

func (*DockerTrivyScanner) IsAvailable added in v1.0.3

func (d *DockerTrivyScanner) IsAvailable() bool

func (*DockerTrivyScanner) Name added in v1.0.3

func (d *DockerTrivyScanner) Name() string

func (*DockerTrivyScanner) Scan added in v1.0.3

func (d *DockerTrivyScanner) Scan(ctx context.Context, target string) (*models.ScanResult, error)

type GrypeScanner

type GrypeScanner struct {
	// contains filtered or unexported fields
}

GrypeScanner implements the Scanner interface for Anchore's Grype. Grype is a vulnerability scanner for container images and filesystems.

Grype Output Format: Grype outputs JSON with a "matches" array containing vulnerability matches and an "artifact" describing what was scanned.

func NewGrypeScanner

func NewGrypeScanner() *GrypeScanner

NewGrypeScanner creates a new Grype scanner with default settings.

func NewGrypeScannerWithPath

func NewGrypeScannerWithPath(path string) *GrypeScanner

NewGrypeScannerWithPath creates a Grype scanner with a custom executable path.

func (*GrypeScanner) Info

Info returns metadata about the Grype installation.

func (*GrypeScanner) IsAvailable

func (g *GrypeScanner) IsAvailable() bool

IsAvailable checks if Grype is installed and accessible.

func (*GrypeScanner) Name

func (g *GrypeScanner) Name() string

Name returns the scanner identifier.

func (*GrypeScanner) ParseOutputForTest

func (g *GrypeScanner) ParseOutputForTest(data []byte) ([]models.Vulnerability, error)

ParseOutputForTest exposes the parseOutput method for integration testing. This allows tests to verify JSON parsing without needing the actual scanner binary.

func (*GrypeScanner) Scan

func (g *GrypeScanner) Scan(ctx context.Context, target string) (*models.ScanResult, error)

Scan executes Grype against the specified target.

type Orchestrator

type Orchestrator struct {
	// contains filtered or unexported fields
}

Orchestrator manages the execution of multiple scanners. It handles:

- Concurrent scanner execution
- Timeout management per scanner
- Error aggregation and fault tolerance
- Result collection

Design Decision: Fault Tolerance

The orchestrator continues even if individual scanners fail. This ensures partial results are still available and useful.

func NewOrchestrator

func NewOrchestrator(registry *Registry, config models.ScanConfig) *Orchestrator

NewOrchestrator creates a new scanner orchestrator.

func (*Orchestrator) GetAvailableScanners

func (o *Orchestrator) GetAvailableScanners(ctx context.Context) []models.ScannerInfo

GetAvailableScanners returns information about all available scanners.

func (*Orchestrator) ScanAll

func (o *Orchestrator) ScanAll(ctx context.Context, target string) ([]models.ScanResult, error)

ScanAll executes all available scanners against the target. Returns results from all scanners, including failed ones.

Concurrency Model:

- Each scanner runs in its own goroutine
- Each scanner has an independent timeout
- Results are collected via channel
- Main goroutine waits for all scanners to complete

Time Complexity: O(max(T1, T2, ..., Tn)), where Ti is the time taken by scanner i. This holds because the scanners run concurrently.
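The concurrency model above, as an added example that is not this package's own code: a self-contained ScanAll with one goroutine and one independent timeout per scanner, a channel for results, and failures recorded instead of aborting the run. The ScanResult and Scanner types here are simplified stand-ins for the project's models package, and the per-scanner timeout parameter is an assumption.

```go
package main

import (
	"context"
	"sync"
	"time"
)

// Assumed stand-ins for the page's Scanner interface and models.ScanResult
// (the real types live in this project's models package).
type ScanResult struct {
	Scanner string
	Err     error // non-nil when this scanner failed or hit its own deadline
}

type Scanner interface {
	Name() string
	Scan(ctx context.Context, target string) (*ScanResult, error)
}

// ScanAll mirrors the orchestrator's documented model: one goroutine and one
// independent timeout per scanner, results gathered over a channel, and a
// failing scanner recorded as a result rather than aborting the run.
func ScanAll(ctx context.Context, scanners []Scanner, target string, perScanner time.Duration) []ScanResult {
	out := make(chan ScanResult, len(scanners)) // buffered: no goroutine blocks on send
	var wg sync.WaitGroup
	for _, s := range scanners {
		wg.Add(1)
		go func(s Scanner) {
			defer wg.Done()
			sctx, cancel := context.WithTimeout(ctx, perScanner) // per-scanner deadline
			defer cancel()
			r, err := s.Scan(sctx, target)
			if err != nil || r == nil { // fault tolerance: keep the error, keep going
				r = &ScanResult{Scanner: s.Name(), Err: err}
			}
			out <- *r
		}(s)
	}
	wg.Wait() // main goroutine waits for every scanner to finish
	close(out)
	results := make([]ScanResult, 0, len(scanners))
	for r := range out {
		results = append(results, r)
	}
	return results
}

func main() {} // placeholder so the file builds as a program; see ScanAll
```

A slow scanner only costs its own timeout, and a crashed one shows up as a result with Err set, so the caller still gets the other scanners' findings.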

func (*Orchestrator) ScanWithScanner

func (o *Orchestrator) ScanWithScanner(ctx context.Context, scannerName, target string) (*models.ScanResult, error)

ScanWithScanner executes a specific scanner by name.

type Registry

type Registry struct {
	// contains filtered or unexported fields
}

Registry maintains a collection of available scanners. It provides scanner discovery and selection capabilities.

func DefaultRegistry

func DefaultRegistry() *Registry

DefaultRegistry creates a registry with all built-in scanners.

func NewRegistry

func NewRegistry() *Registry

NewRegistry creates an empty scanner registry.

func SmartRegistry added in v1.0.3

func SmartRegistry() *Registry

func (*Registry) Count

func (r *Registry) Count() int

Count returns the number of registered scanners.

func (*Registry) Get

func (r *Registry) Get(name string) Scanner

Get retrieves a scanner by name. Returns nil if the scanner is not registered.

func (*Registry) GetAll

func (r *Registry) GetAll() []Scanner

GetAll returns all registered scanners.

func (*Registry) GetAvailable

func (r *Registry) GetAvailable() []Scanner

GetAvailable returns only scanners that are currently available.

func (*Registry) Names

func (r *Registry) Names() []string

Names returns the names of all registered scanners.

func (*Registry) Register

func (r *Registry) Register(scanner Scanner)

Register adds a scanner to the registry. If a scanner with the same name already exists, it will be replaced.

type Scanner

type Scanner interface {
	// Name returns the unique identifier for this scanner.
	// Used for logging, reporting, and scanner selection.
	Name() string

	// Scan executes the vulnerability scan on the specified target.
	// The target can be:
	// - A container image reference (e.g., "alpine:3.18", "nginx:latest")
	// - A local image (e.g., "my-app:dev")
	// - A filesystem path (e.g., "/path/to/project")
	//
	// The context should have a timeout set to prevent runaway scans.
	// Returns a ScanResult containing normalized vulnerabilities or an error.
	Scan(ctx context.Context, target string) (*models.ScanResult, error)

	// Info returns metadata about this scanner.
	// Used to check availability and version information.
	Info(ctx context.Context) (*models.ScannerInfo, error)

	// IsAvailable checks if the scanner is installed and accessible.
	// This is a quick check that doesn't perform a full scan.
	IsAvailable() bool
}

Scanner defines the contract for all vulnerability scanner implementations. Each scanner adapter must implement this interface to be usable by the orchestrator.

Design Considerations:

- Scan() accepts a context for timeout/cancellation support
- Returns structured ScanResult rather than raw output
- Info() provides metadata for scanner discovery and validation

type TrivyScanner

type TrivyScanner struct {
	// contains filtered or unexported fields
}

TrivyScanner implements the Scanner interface for Aqua Security's Trivy. Trivy is a comprehensive vulnerability scanner for containers and other artifacts.

Trivy Output Format: Trivy outputs JSON with a "Results" array containing vulnerability information for each scanned layer/component.

func NewTrivyScanner

func NewTrivyScanner() *TrivyScanner

NewTrivyScanner creates a new Trivy scanner with default settings.

func NewTrivyScannerWithPath

func NewTrivyScannerWithPath(path string) *TrivyScanner

NewTrivyScannerWithPath creates a Trivy scanner with a custom executable path.

func (*TrivyScanner) Info

Info returns metadata about the Trivy installation.

func (*TrivyScanner) IsAvailable

func (t *TrivyScanner) IsAvailable() bool

IsAvailable checks if Trivy is installed and accessible.

func (*TrivyScanner) Name

func (t *TrivyScanner) Name() string

Name returns the scanner identifier.

func (*TrivyScanner) ParseOutputForTest

func (t *TrivyScanner) ParseOutputForTest(data []byte) ([]models.Vulnerability, error)

ParseOutputForTest exposes the parseOutput method for integration testing. This allows tests to verify JSON parsing without needing the actual scanner binary.

func (*TrivyScanner) Scan

func (t *TrivyScanner) Scan(ctx context.Context, target string) (*models.ScanResult, error)

Scan executes Trivy against the specified target.
