drydock

package module
Published: Dec 8, 2025 License: MIT Imports: 20 Imported by: 0

README

Drydock

A lightweight CLI to audit container vulnerabilities in Google Cloud Artifact Registry.

Drydock fetches vulnerability data directly from Google Cloud's Container Analysis API, allowing you to filter out noise and focus on High/Critical threats across your repositories.

🚀 Installation

Run the following command to automatically download and install the latest binary.

Default Installation (to /usr/local/bin):

curl -sSfL https://raw.githubusercontent.com/hiro-o918/drydock/main/install.sh | sh

Custom Installation Path: To install to a specific directory (e.g., local bin), set the INSTALL_DIR variable:

curl -sSfL https://raw.githubusercontent.com/hiro-o918/drydock/main/install.sh | INSTALL_DIR=$HOME/.local/bin sh

(Make sure to add the target directory to your $PATH.)

Go Install

If you have Go installed:

go install github.com/hiro-o918/drydock@latest

Manual Download

You can also download the pre-built binary from the Releases page.

⚡️ Usage

Quick Start

Scan a location for HIGH and CRITICAL vulnerabilities.

drydock -p my-project-id -l us-central1

Common Scenarios

1. Find CRITICAL vulnerabilities only. Focus on the most urgent threats.

drydock -p my-project-id -l us-central1 -s CRITICAL

2. Find only fixable vulnerabilities. Focus on vulnerabilities that have a fix available.

drydock -l us-central1 --fixable

3. Find Medium+ severity vulnerabilities that are fixable. Focus on actionable vulnerabilities of medium or higher severity that have fixes available.

drydock -l us-central1 -s MEDIUM --fixable

4. Export the report to CSV. Generate a spreadsheet-compatible file for reporting.

drydock -p my-project-id -l us-central1 -o csv > report.csv

5. Infer the project ID from the environment. If you don't specify a project ID, Drydock attempts to infer it from your environment (e.g., environment variables, service account credentials, or the GCE metadata server).

drydock -l us-central1

Options

Flag                 Description                                                Default
-l, --location       (Required) Artifact Registry location (e.g., us-central1)  -
-p, --project        Google Cloud Project ID                                    Active gcloud project
-s, --min-severity   Filter by severity: LOW, MEDIUM, HIGH, CRITICAL            HIGH
-f, --fixable        Only show vulnerabilities that have a fix available        false
-o, --output-format  Output format: json, csv, tsv                              json
-c, --concurrency    Number of concurrent API requests                          5
-d, --debug          Enable verbose logging                                     false
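The two filters behind -s and --fixable, as an added stand-alone model that is not Drydock's own code: Severity, Vulnerability, ParseSeverity and Filter are constructed here (the package's real types live in its schemas package), and case-insensitive parsing of the -s value is an assumption of this example. It also shows what to do with a finding whose severity is none of the four documented levels, which a plain "at or above" comparison would silently drop.

```go
package main

import (
	"fmt"
	"strings"
)

// Severity models the four -s levels (constructed; not the package's schemas.Severity).
type Severity string

const (
	SeverityLow      Severity = "LOW"
	SeverityMedium   Severity = "MEDIUM"
	SeverityHigh     Severity = "HIGH"
	SeverityCritical Severity = "CRITICAL"
)

// rank orders the levels for "minimum severity" comparisons.
var rank = map[Severity]int{SeverityLow: 1, SeverityMedium: 2, SeverityHigh: 3, SeverityCritical: 4}

// ParseSeverity validates a -s value the way a flag.Value Set method would: anything
// outside the four known levels is rejected instead of silently widening the report.
func ParseSeverity(v string) (Severity, error) {
	s := Severity(strings.ToUpper(strings.TrimSpace(v))) // lenient casing: example assumption
	if _, ok := rank[s]; !ok {
		return "", fmt.Errorf("invalid severity %q: want LOW, MEDIUM, HIGH or CRITICAL", v)
	}
	return s, nil
}

// Vulnerability is a constructed stand-in for one Container Analysis finding.
type Vulnerability struct {
	ID       string   // placeholder identifier, not a real CVE
	Severity Severity // value as reported by the API
	Fixable  bool     // true when a fixed version is reported
}

// Filter keeps findings at or above minSeverity and, with fixableOnly, only those with a
// fix. Findings whose severity is not a known level are returned separately, not dropped.
func Filter(vulns []Vulnerability, minSeverity Severity, fixableOnly bool) (kept, unknown []Vulnerability) {
	threshold := rank[minSeverity]
	for _, v := range vulns {
		r, ok := rank[v.Severity]
		switch {
		case !ok:
			unknown = append(unknown, v)
		case r >= threshold && (!fixableOnly || v.Fixable):
			kept = append(kept, v)
		}
	}
	return kept, unknown
}
```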

🔑 Prerequisites

Ensure you have the following configured before running:

  1. Authentication: Run gcloud auth application-default login or set GOOGLE_APPLICATION_CREDENTIALS.
  2. Permissions: Your account needs:
    • roles/artifactregistry.reader (To list images)
    • roles/containeranalysis.occurrences.viewer (To read vulnerability data)

Documentation

Constants

const (
	// MaxCandidates is the number of latest digests to consider per image during discovery.
	// Limiting this prevents scanning thousands of old tags, significantly improving performance.
	MaxCandidates = 5
)

Variables

This section is empty.

Functions

func ParseArtifactURI

func ParseArtifactURI(uri string) (schemas.ArtifactReference, error)

ParseArtifactURI parses a raw GAR URI string into a structured ArtifactReference.

Types

type AnalyzeRequest

type AnalyzeRequest struct {
	// Artifact is the image reference to analyze
	Artifact schemas.ArtifactReference

	// Location is the GCP location (required for resource URL generation)
	Location string

	// MinSeverity filters vulnerabilities by minimum severity
	MinSeverity schemas.Severity

	// FixableOnly filters for vulnerabilities that have a fix available
	FixableOnly bool
}

AnalyzeRequest contains the parameters for a vulnerability analysis.

type Analyzer

type Analyzer interface {
	// Analyze retrieves vulnerabilities for the specified image
	Analyze(ctx context.Context, req AnalyzeRequest) (*schemas.AnalyzeResult, error)
}

Analyzer fetches and processes vulnerability data.

type ArtifactRegistryAnalyzer

type ArtifactRegistryAnalyzer struct {
	// contains filtered or unexported fields
}

ArtifactRegistryAnalyzer implements the vulnerability analysis logic.

func NewArtifactRegistryAnalyzer

func NewArtifactRegistryAnalyzer(ctx context.Context, opts ...option.ClientOption) (*ArtifactRegistryAnalyzer, error)

NewArtifactRegistryAnalyzer creates a new analyzer with ADC authentication.

func (*ArtifactRegistryAnalyzer) Analyze

func (a *ArtifactRegistryAnalyzer) Analyze(ctx context.Context, req AnalyzeRequest) (*schemas.AnalyzeResult, error)

Analyze retrieves and filters vulnerabilities for the specified image digest.

func (*ArtifactRegistryAnalyzer) Close

func (a *ArtifactRegistryAnalyzer) Close() error

Close closes the underlying API client.

type Exporter

type Exporter interface {
	// Export outputs the analysis results to the configured destination
	Export(ctx context.Context, results []schemas.AnalyzeResult) error
}

Exporter defines the interface for exporting analysis results.

func NewExporter

func NewExporter(format OutputFormat, writer io.Writer) (Exporter, error)

type ImageResolver

type ImageResolver struct {
	// contains filtered or unexported fields
}

ImageResolver handles resolving Docker image tags to SHA256 digests.

func NewImageResolver

func NewImageResolver(ctx context.Context, opts ...option.ClientOption) (*ImageResolver, error)

NewImageResolver creates a new resolver with ADC authentication.

func (*ImageResolver) AllLatestImages

func (r *ImageResolver) AllLatestImages(ctx context.Context, projectID, location string) iter.Seq2[ImageTarget, error]

AllLatestImages returns an iterator that yields resolved image targets one by one. It scans all Docker repositories in the specified project and location. For each image found, it selects the best digest (preferring "latest" tag, otherwise newest).
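The digest-selection rule described above, together with the MaxCandidates window from the Constants section, as an added stand-alone model that is not the project's code: Candidate and SelectBestDigest are constructed here, and MaxCandidates is a local copy of the package constant. The main function shows the edge case a practitioner should be aware of: a "latest" tag that has fallen outside the five most recent uploads is not the digest that gets scanned.

```go
package main

import (
	"fmt"
	"slices"
	"time"
)

// MaxCandidates is a local copy of the package constant for this stand-alone example.
const MaxCandidates = 5

// Candidate is a constructed stand-in for one Artifact Registry image version.
type Candidate struct {
	Digest   string
	Tags     []string
	Uploaded time.Time
}

// SelectBestDigest applies the documented rule: among the MaxCandidates most recently
// uploaded versions, prefer the one tagged "latest", otherwise take the newest.
// ok is false for an image that has no versions at all.
func SelectBestDigest(versions []Candidate) (best Candidate, ok bool) {
	if len(versions) == 0 {
		return Candidate{}, false
	}
	sorted := slices.Clone(versions) // leave the caller's slice untouched
	slices.SortFunc(sorted, func(a, b Candidate) int { return b.Uploaded.Compare(a.Uploaded) })
	if len(sorted) > MaxCandidates {
		sorted = sorted[:MaxCandidates] // anything older is never considered
	}
	for _, c := range sorted {
		if slices.Contains(c.Tags, "latest") {
			return c, true
		}
	}
	return sorted[0], true
}

func main() {
	base := time.Date(2025, 12, 1, 0, 0, 0, 0, time.UTC)
	// Constructed history: a "latest" tag that has fallen behind six newer, untagged pushes.
	versions := []Candidate{{"sha256:old-latest", []string{"latest"}, base}}
	for i := 1; i <= 6; i++ {
		versions = append(versions, Candidate{fmt.Sprintf("sha256:untagged-%d", i), nil, base.Add(time.Duration(i) * time.Hour)})
	}
	best, _ := SelectBestDigest(versions)
	fmt.Println("scan target:", best.Digest) // the stale "latest" is outside the window
}
```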

func (*ImageResolver) Close

func (r *ImageResolver) Close() error

Close closes the underlying API client.

type ImageTarget

type ImageTarget struct {
	Artifact schemas.ArtifactReference // Structured image reference
	URI      string                    // Original API response URI (for debugging)
	Location string                    // GCP location (e.g., "us-central1")
}

ImageTarget represents a resolved target for scanning.

type OutputFormat

type OutputFormat string

const (
	OutputFormatJSON OutputFormat = "json"
	OutputFormatCSV  OutputFormat = "csv"
	OutputFormatTSV  OutputFormat = "tsv"
)

func (*OutputFormat) Set

func (f *OutputFormat) Set(value string) error

Set implements the flag.Value interface. Validation is performed here, at parse time.

func (*OutputFormat) String

func (f *OutputFormat) String() string

String implements the flag.Value interface.

type Scanner

type Scanner struct {
	// contains filtered or unexported fields
}

Scanner handles the scanning of container images.

func NewScanner

func NewScanner(
	ctx context.Context,
	location string,
	resolver *ImageResolver,
	analyzer *ArtifactRegistryAnalyzer,
	exporter Exporter,
	opts ...ScannerOption,
) (*Scanner, error)

func (*Scanner) Scan

func (s *Scanner) Scan(ctx context.Context, minSeverity schemas.Severity, fixableOnly bool) error

Scan iterates over images, analyzes them concurrently, and exports the results.

type ScannerOption

type ScannerOption func(*Scanner) error

ScannerOption defines a function type that can configure a Scanner.

func WithConcurrency

func WithConcurrency(concurrency uint8) ScannerOption

WithConcurrency sets the concurrency level for parallel scanning.

func WithProjectID

func WithProjectID(projectID string) ScannerOption

WithProjectID sets the GCP project ID for the scanner.
