scanner

package
v0.8.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 9, 2026 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Overview

Package scanner provides pluggable vulnerability scanner execution.

Scanners execute external CLI tools to scan container images and produce JSON reports. Each scanner knows how to invoke its tool and which converter to use for parsing its output.

Available scanners:

  • grype: Anchore Grype (if installed)
  • trivy: Aqua Security Trivy (if installed)
  • snyk: Snyk CLI (if installed and authenticated)
  • osv: Google OSV-Scanner (if installed)

The Registry provides scanner discovery and lookup: 

registry := scanner.DefaultRegistry()
available := registry.Available() // only installed scanners
for _, s := range available {
    path, err := s.Scan(ctx, "docker.io/redis:latest")
    // path contains JSON output file
}

To add a new scanner, implement the Scanner interface: 

type Scanner interface {
    Name() string
    IsAvailable() bool
    Scan(ctx context.Context, image string) (outputPath string, err error)
    ConverterName() string
}

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetAllScannerNames added in v0.7.0 

func GetAllScannerNames() []string

GetAllScannerNames returns names of all registered scanners.

func GetAvailableScannerNames added in v0.7.0 

func GetAvailableScannerNames() []string

GetAvailableScannerNames returns names of all available scanners.

func GetSampleScanners 

func GetSampleScanners() []string

GetSampleScanners returns list of supported scanners.

Types

type GrypeScanner added in v0.7.0 

type GrypeScanner struct{}

GrypeScanner implements the Scanner interface for Grype.

func NewGrypeScanner added in v0.7.0 

func NewGrypeScanner() *GrypeScanner

NewGrypeScanner creates a new Grype scanner.

func (*GrypeScanner) ConverterName added in v0.7.0 

func (g *GrypeScanner) ConverterName() string

ConverterName returns the converter name for grype output.

func (*GrypeScanner) IsAvailable added in v0.7.0 

func (g *GrypeScanner) IsAvailable() bool

IsAvailable returns true if grype is installed.

func (*GrypeScanner) Name added in v0.7.0 

func (g *GrypeScanner) Name() string

Name returns the scanner's identifier.

func (*GrypeScanner) Scan added in v0.7.0 

func (g *GrypeScanner) Scan(ctx context.Context, image string) (string, error)

Scan runs grype against the given image.

func (*GrypeScanner) ScanToPath added in v0.7.0 

func (g *GrypeScanner) ScanToPath(ctx context.Context, image, outputPath string) error

ScanToPath runs grype and writes output to the specified path.

type OSVScanner added in v0.7.0 

type OSVScanner struct {
	// contains filtered or unexported fields
}

OSVScanner implements the Scanner interface for OSV-Scanner. Note: OSV-Scanner primarily scans lockfiles and SBOMs, not container images directly. Direct container image scanning support varies by osv-scanner version.

func NewOSVScanner added in v0.7.0 

func NewOSVScanner() *OSVScanner

NewOSVScanner creates a new OSV scanner.

func (*OSVScanner) ConverterName added in v0.7.0 

func (o *OSVScanner) ConverterName() string

ConverterName returns the converter name for osv output.

func (*OSVScanner) IsAvailable added in v0.7.0 

func (o *OSVScanner) IsAvailable() bool

IsAvailable returns true if osv-scanner is installed and supports docker scanning.

func (*OSVScanner) Name added in v0.7.0 

func (o *OSVScanner) Name() string

Name returns the scanner's identifier.

func (*OSVScanner) Scan added in v0.7.0 

func (o *OSVScanner) Scan(ctx context.Context, image string) (string, error)

Scan runs osv-scanner against the given image.

func (*OSVScanner) ScanToPath added in v0.7.0 

func (o *OSVScanner) ScanToPath(ctx context.Context, image, outputPath string) error

ScanToPath runs osv-scanner and writes output to the specified path.

type Options 

type Options struct {
	// Image to scan
	Image string

	// Scan types
	Scans string
}

Options are the scan options.

func (*Options) Validate 

func (o *Options) Validate() error

Validate validates the options.

type Registry added in v0.7.0 

type Registry struct {
	// contains filtered or unexported fields
}

Registry manages registered scanners and provides lookup.

func DefaultRegistry added in v0.7.0 

func DefaultRegistry() *Registry

DefaultRegistry returns a registry with all built-in scanners registered.

func NewRegistry added in v0.7.0 

func NewRegistry() *Registry

NewRegistry creates a new scanner registry.

func (*Registry) All added in v0.7.0 

func (r *Registry) All() []Scanner

All returns all registered scanners.

func (*Registry) Available added in v0.7.0 

func (r *Registry) Available() []Scanner

Available returns all scanners that are currently available (installed).

func (*Registry) AvailableNames added in v0.7.0 

func (r *Registry) AvailableNames() []string

AvailableNames returns the names of all available scanners.

func (*Registry) Get added in v0.7.0 

func (r *Registry) Get(name string) (Scanner, bool)

Get returns a scanner by name, or nil if not found.

func (*Registry) Names added in v0.7.0 

func (r *Registry) Names() []string

Names returns the names of all registered scanners.

func (*Registry) Register added in v0.7.0 

func (r *Registry) Register(s Scanner)

Register adds a scanner to the registry.

type Result 

type Result struct {
	// Image to scan
	Image string `json:"image"`

	Files map[ScanType]string `json:"files"`
}

Result is the scan result.

func Scan 

func Scan(opt *Options) (*Result, error)

Scan runs vulnerability scanners against the given image.

func ScanWithContext added in v0.7.0 

func ScanWithContext(ctx context.Context, opt *Options) (*Result, error)

ScanWithContext runs vulnerability scanners with context support.

type ScanResult added in v0.7.0 

type ScanResult struct {
	Image string            `json:"image"`
	Files map[string]string `json:"files"`
}

ScanResult is the result from ScanWithScanners using string keys.

func ScanWithScanners added in v0.7.0 

func ScanWithScanners(ctx context.Context, image string, scannerNames []string) (*ScanResult, error)

ScanWithScanners runs specific scanners by name against the given image.

type ScanType 

type ScanType int64
const (
	AllScans ScanType = iota
	Grype
	Snyk
	Trivy
	OSV
)

func ParseScan 

func ParseScan(s string) (ScanType, error)

ParseScan parses the scan.

func ParseScans 

func ParseScans(s string) ([]ScanType, error)

ParseScans parses the scans.

func (ScanType) String 

func (s ScanType) String() string

type Scanner added in v0.7.0 

type Scanner interface {
	// Name returns the scanner's identifier (e.g., "grype", "trivy").
	Name() string

	// IsAvailable returns true if the scanner is installed and available.
	IsAvailable() bool

	// Scan runs the scanner against the given image and returns the output file path.
	Scan(ctx context.Context, image string) (outputPath string, err error)

	// ScanToPath runs the scanner and writes output to the specified path.
	ScanToPath(ctx context.Context, image, outputPath string) error

	// ConverterName returns the name of the converter to use for this scanner's output.
	ConverterName() string
}

Scanner defines the interface for vulnerability scanners.

func GetAvailableScanners added in v0.7.0 

func GetAvailableScanners() []Scanner

GetAvailableScanners returns all available scanners from the default registry.

func GetScanner added in v0.7.0 

func GetScanner(name string) (Scanner, bool)

GetScanner returns a scanner by name from the default registry.

type SnykScanner added in v0.7.0 

type SnykScanner struct{}

SnykScanner implements the Scanner interface for Snyk.

func NewSnykScanner added in v0.7.0 

func NewSnykScanner() *SnykScanner

NewSnykScanner creates a new Snyk scanner.

func (*SnykScanner) ConverterName added in v0.7.0 

func (s *SnykScanner) ConverterName() string

ConverterName returns the converter name for snyk output.

func (*SnykScanner) IsAvailable added in v0.7.0 

func (s *SnykScanner) IsAvailable() bool

IsAvailable returns true if snyk is installed.

func (*SnykScanner) Name added in v0.7.0 

func (s *SnykScanner) Name() string

Name returns the scanner's identifier.

func (*SnykScanner) Scan added in v0.7.0 

func (s *SnykScanner) Scan(ctx context.Context, image string) (string, error)

Scan runs snyk against the given image.

func (*SnykScanner) ScanToPath added in v0.7.0 

func (s *SnykScanner) ScanToPath(ctx context.Context, image, outputPath string) error

ScanToPath runs snyk and writes output to the specified path.

type TrivyScanner added in v0.7.0 

type TrivyScanner struct{}

TrivyScanner implements the Scanner interface for Trivy.

func NewTrivyScanner added in v0.7.0 

func NewTrivyScanner() *TrivyScanner

NewTrivyScanner creates a new Trivy scanner.

func (*TrivyScanner) ConverterName added in v0.7.0 

func (t *TrivyScanner) ConverterName() string

ConverterName returns the converter name for trivy output.

func (*TrivyScanner) IsAvailable added in v0.7.0 

func (t *TrivyScanner) IsAvailable() bool

IsAvailable returns true if trivy is installed.

func (*TrivyScanner) Name added in v0.7.0 

func (t *TrivyScanner) Name() string

Name returns the scanner's identifier.

func (*TrivyScanner) Scan added in v0.7.0 

func (t *TrivyScanner) Scan(ctx context.Context, image string) (string, error)

Scan runs trivy against the given image.

func (*TrivyScanner) ScanToPath added in v0.7.0 

func (t *TrivyScanner) ScanToPath(ctx context.Context, image, outputPath string) error

ScanToPath runs trivy and writes output to the specified path.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.