README
¶
Drydock
A lightweight CLI to audit container vulnerabilities in Google Cloud Artifact Registry.
Drydock fetches vulnerability data directly from Google Cloud's Container Analysis API, allowing you to filter out noise and focus on High/Critical threats across your repositories.
🚀 Installation
macOS & Linux (Recommended)
Run the following command to automatically download and install the latest binary.
Default Installation (to /usr/local/bin):
curl -sSfL https://raw.githubusercontent.com/hiro-o918/drydock/main/install.sh | sh
Custom Installation Path:
To install to a specific directory (e.g., local bin), set the INSTALL_DIR variable:
curl -sSfL https://raw.githubusercontent.com/hiro-o918/drydock/main/install.sh | INSTALL_DIR=$HOME/.local/bin sh
(Make sure to add the target directory to your $PATH)
Go Install
If you have Go installed:
go install github.com/hiro-o918/drydock@latest
Manual Download
You can also download the pre-built binary from the Releases page.
⚡️ Usage
Quick Start
Scan a location for HIGH and CRITICAL vulnerabilities.
drydock -p my-project-id -l us-central1
Common Scenarios
1. Find CRITICAL vulnerabilities only Focus on the most urgent threats.
drydock -p my-project-id -l us-central1 -s CRITICAL
2. Find only fixable vulnerabilities Focus on vulnerabilities that have a fix available.
drydock -l us-central1 --fixable
3. Find Medium+ severity vulnerabilities that are fixable Focus on actionable vulnerabilities of medium or higher severity that have fixes available.
drydock -l us-central1 -s MEDIUM --fixable
4. Export report to CSV Generate a spreadsheet-compatible file for reporting.
drydock -p my-project-id -l us-central1 -o csv > report.csv
3. Inference Project ID from Environment If you don't specify a project ID, Drydock will attempt to infer it from your environment (e.g., environment variables, service account credentials, or GCE metadata server).
drydock -l us-central1
Options
| Flag | Description | Default |
|---|---|---|
-l, --location |
(Required) Artifact Registry location (e.g., us-central1) |
- |
-p, --project |
Google Cloud Project ID | Active gcloud project |
-s, --min-severity |
Filter by severity: LOW, MEDIUM, HIGH, CRITICAL |
HIGH |
-f, --fixable |
Only show vulnerabilities that have a fix available | false |
-o, --output-format |
Output format: json, csv, tsv |
json |
-c, --concurrency |
Number of concurrent API requests | 5 |
-d, --debug |
Enable verbose logging | false |
🔑 Prerequisites
Ensure you have the following configured before running:
- Authentication: Run
gcloud auth application-default loginor setGOOGLE_APPLICATION_CREDENTIALS. - Permissions: Your account needs:
roles/artifactregistry.reader(To list images)roles/containeranalysis.occurrences.viewer(To read vulnerability data)
🛠 Using Drydock as a Library
Drydock can be used as a library in your Go applications, allowing you to implement custom exporters or integrate vulnerability scanning into your own tools.
Basic Usage
import "github.com/hiro-o918/drydock"
func main() {
ctx := context.Background()
// Initialize scanner with location and options
scanner, err := drydock.NewScanner(
ctx,
"us-central1",
drydock.WithProjectID("my-project-id"),
)
if err != nil {
// Handle error
}
defer scanner.Close()
// Run scan with HIGH severity threshold and only fixable vulnerabilities
if err := scanner.Scan(ctx, schemas.SeverityHigh, true); err != nil {
// Handle error
}
}
Custom Exporters
You can implement custom exporters by implementing the Exporter interface:
type Exporter interface {
Export(ctx context.Context, results []schemas.AnalyzeResult) error
}
Example of using a custom exporter:
// Create your custom exporter
customExporter := NewMyCustomExporter()
// Use it with the scanner
scanner, err := drydock.NewScanner(ctx, "us-central1",
drydock.WithExporter(customExporter))
For a complete working example of a Markdown exporter, see the markdown_exporter example.
Documentation
¶
Index ¶
- Constants
- func ParseArtifactURI(uri string) (schemas.ArtifactReference, error)
- type AnalyzeRequest
- type Analyzer
- type ArtifactRegistryAnalyzer
- type Exporter
- type ImageResolver
- type ImageTarget
- type OutputFormat
- type Scanner
- type ScannerOption
- func WithAnalyzer(analyzer *ArtifactRegistryAnalyzer) ScannerOption
- func WithClientOptions(opts ...option.ClientOption) ScannerOption
- func WithConcurrency(concurrency uint8) ScannerOption
- func WithExporter(exporter Exporter) ScannerOption
- func WithOutputFormat(format OutputFormat, writer io.Writer) ScannerOption
- func WithProjectID(projectID string) ScannerOption
- func WithResolver(resolver *ImageResolver) ScannerOption
Constants ¶
const ( // MaxCandidates is the number of latest digests to consider per image during discovery. // Limiting this prevents scanning thousands of old tags, significantly improving performance. MaxCandidates = 5 )
Variables ¶
This section is empty.
Functions ¶
func ParseArtifactURI ¶
func ParseArtifactURI(uri string) (schemas.ArtifactReference, error)
ParseArtifactURI parses a raw GAR URI string into a structured ArtifactReference.
Types ¶
type AnalyzeRequest ¶
type AnalyzeRequest struct {
// Artifact is the image reference to analyze
Artifact schemas.ArtifactReference
// Location is the GCP location (required for resource URL generation)
Location string
// MinSeverity filters vulnerabilities by minimum severity
MinSeverity schemas.Severity
// FixableOnly filters for vulnerabilities that have a fix available
FixableOnly bool
}
AnalyzeRequest contains parameters for vulnerability analysis
type Analyzer ¶
type Analyzer interface {
// Analyze retrieves vulnerabilities for the specified image
Analyze(ctx context.Context, req AnalyzeRequest) (*schemas.AnalyzeResult, error)
}
Analyzer fetches and processes vulnerability data
type ArtifactRegistryAnalyzer ¶
type ArtifactRegistryAnalyzer struct {
// contains filtered or unexported fields
}
ArtifactRegistryAnalyzer implements the vulnerability analysis logic.
func NewArtifactRegistryAnalyzer ¶
func NewArtifactRegistryAnalyzer(ctx context.Context, opts ...option.ClientOption) (*ArtifactRegistryAnalyzer, error)
NewArtifactRegistryAnalyzer creates a new analyzer with ADC authentication.
func (*ArtifactRegistryAnalyzer) Analyze ¶
func (a *ArtifactRegistryAnalyzer) Analyze(ctx context.Context, req AnalyzeRequest) (*schemas.AnalyzeResult, error)
Analyze retrieves and filters vulnerabilities for the specified image digest.
func (*ArtifactRegistryAnalyzer) Close ¶
func (a *ArtifactRegistryAnalyzer) Close() error
Close closes the underlying API client.
type Exporter ¶
type Exporter interface {
// Export outputs the analysis results to the configured destination
Export(ctx context.Context, results []schemas.AnalyzeResult) error
}
Exporter defines the interface for exporting analysis results
func NewExporter ¶
func NewExporter(format OutputFormat, writer io.Writer) (Exporter, error)
type ImageResolver ¶
type ImageResolver struct {
// contains filtered or unexported fields
}
ImageResolver handles resolving Docker image tags to SHA256 digests.
func NewImageResolver ¶
func NewImageResolver(ctx context.Context, opts ...option.ClientOption) (*ImageResolver, error)
NewImageResolver creates a new resolver with ADC authentication.
func (*ImageResolver) AllLatestImages ¶
func (r *ImageResolver) AllLatestImages(ctx context.Context, projectID, location string) iter.Seq2[ImageTarget, error]
AllLatestImages returns an iterator that yields resolved image targets one by one. It scans all Docker repositories in the specified project and location. For each image found, it selects the best digest (preferring "latest" tag, otherwise newest).
func (*ImageResolver) Close ¶
func (r *ImageResolver) Close() error
Close closes the underlying API client.
type ImageTarget ¶
type ImageTarget struct {
Artifact schemas.ArtifactReference // Structured image reference
URI string // Original API response URI (for debugging)
Location string // GCP location (e.g., "us-central1")
}
ImageTarget represents a resolved target for scanning.
type OutputFormat ¶
type OutputFormat string
const ( OutputFormatJSON OutputFormat = "json" OutputFormatCSV OutputFormat = "csv" OutputFormatTSV OutputFormat = "tsv" )
func (*OutputFormat) Set ¶
func (f *OutputFormat) Set(value string) error
Set implements the flag.Value interface. ここでパース時にバリデーションが行われます。
func (*OutputFormat) String ¶
func (f *OutputFormat) String() string
String implements the flag.Value interface.
type Scanner ¶
type Scanner struct {
// contains filtered or unexported fields
}
Scanner handles the scanning of container images.
func NewScanner ¶
type ScannerOption ¶
ScannerOption defines a function type that can configure a Scanner
func WithAnalyzer ¶ added in v0.2.2
func WithAnalyzer(analyzer *ArtifactRegistryAnalyzer) ScannerOption
WithAnalyzer sets a custom Analyzer
func WithClientOptions ¶ added in v0.2.2
func WithClientOptions(opts ...option.ClientOption) ScannerOption
WithClientOptions sets client options for both resolver and analyzer
func WithConcurrency ¶
func WithConcurrency(concurrency uint8) ScannerOption
WithConcurrency sets the concurrency level for parallel scanning
func WithExporter ¶ added in v0.2.2
func WithExporter(exporter Exporter) ScannerOption
WithExporter sets a custom Exporter
func WithOutputFormat ¶ added in v0.2.2
func WithOutputFormat(format OutputFormat, writer io.Writer) ScannerOption
WithOutputFormat sets the output format and creates an appropriate exporter
func WithProjectID ¶
func WithProjectID(projectID string) ScannerOption
WithProjectID sets the GCP project ID for the scanner
func WithResolver ¶ added in v0.2.2
func WithResolver(resolver *ImageResolver) ScannerOption
WithResolver sets a custom ImageResolver
Source Files
Directories