scan

package

Constants

// DefaultGrypeVersion is the built-in pin used as both the grype install
// target and the minimum version accepted by CheckVersion. It may be
// overridden per scan (ScanToolConfig.Version or SC_GRYPE_VERSION); an
// override also moves the minimum-version floor, so it should come only
// from trusted configuration.
const DefaultGrypeVersion = "0.111.0"

DefaultGrypeVersion is the pinned install version. Bump it here to upgrade cluster-wide, or override it per scan via the SC config (ScanToolConfig.Version) or the SC_GRYPE_VERSION environment variable. See NewScannerWithVersion for the resolution order and for why a lower override also lowers the minimum accepted version.

// DefaultTrivyVersion is the built-in pin used as both the trivy install
// target and the minimum version accepted by CheckVersion. It may be
// overridden per scan (ScanToolConfig.Version or SC_TRIVY_VERSION); an
// override also moves the minimum-version floor, so it should come only
// from trusted configuration.
const DefaultTrivyVersion = "0.70.0"

DefaultTrivyVersion is the pinned install version. Bump it here to upgrade cluster-wide, or override it per scan via the SC config (ScanToolConfig.Version) or the SC_TRIVY_VERSION environment variable. See NewScannerWithVersion for the resolution order and for why a lower override also lowers the minimum accepted version.

Variables

ValidSeverities lists all valid severity levels

Functions

This section is empty.

Types

type CacheConfig

// CacheConfig controls reuse of earlier scan results (see Config.ShouldCache).
type CacheConfig struct {
	// Enabled turns result caching on.
	Enabled bool `json:"enabled" yaml:"enabled"`
	// TTL is the cache lifetime in hours. NOTE(review): while a result is
	// within its TTL, findings published after that scan are presumably not
	// seen until it expires — keep this short when results gate deployments.
	TTL     int  `json:"ttl" yaml:"ttl"` // TTL in hours
}

CacheConfig configures caching of scan results; TTL is expressed in hours.

type Config

// Config is the scanning configuration: which tools run, the severity
// thresholds PolicyEnforcer applies, and optional output/cache settings.
// Run Validate before use — Enforce returns nil (does not block) when the
// configuration is unusable.
type Config struct {
	// Enabled is the master switch for scanning.
	Enabled  bool          `json:"enabled" yaml:"enabled"`
	// Tools lists the scanners to run (ScanToolGrype, ScanToolTrivy or ScanToolAll).
	Tools    []ScanTool    `json:"tools" yaml:"tools"`
	// FailOn is the severity threshold at which Enforce returns *PolicyViolationError.
	FailOn   Severity      `json:"failOn" yaml:"failOn"`
	// WarnOn is a second severity threshold. NOTE(review): its effect is not
	// shown on this page — confirm in Enforce.
	WarnOn   Severity      `json:"warnOn" yaml:"warnOn"`
	// Required is undocumented here. NOTE(review): presumably "a failed or
	// missing scan is fatal rather than soft-failed" — confirm before relying on it.
	Required bool          `json:"required" yaml:"required"`
	// Output is optional; nil when no output section is configured (see ShouldSaveLocal).
	Output   *OutputConfig `json:"output,omitempty" yaml:"output,omitempty"`
	// Cache is optional; see ShouldCache.
	Cache    *CacheConfig  `json:"cache,omitempty" yaml:"cache,omitempty"`
}

Config represents scanning configuration

func DefaultConfig

func DefaultConfig() *Config

DefaultConfig returns default scanning configuration

func (*Config) ShouldCache

func (c *Config) ShouldCache() bool

ShouldCache reports whether scan-result caching is turned on, i.e. a Cache section is present and its Enabled flag is set.

func (*Config) ShouldSaveLocal

func (c *Config) ShouldSaveLocal() bool

ShouldSaveLocal reports whether a local output destination (Output.Local) is configured.

func (*Config) Validate

func (c *Config) Validate() error

Validate validates the configuration

type GrypeOutput

// GrypeOutput is the subset of grype's JSON report that this package
// declares; fields not listed here are dropped by encoding/json on decode.
type GrypeOutput struct {
	// Matches holds the reported matches (grypeMatch is unexported).
	Matches    []grypeMatch `json:"matches"`
	// Descriptor identifies the tool that produced the report.
	Descriptor struct {
		Name    string `json:"name"`    // tool name as reported by grype
		Version string `json:"version"` // grype version that produced the report
	} `json:"descriptor"`
}

GrypeOutput represents grype JSON output structure

type GrypeScanner

// GrypeScanner implements Scanner on top of the grype CLI, pinned to the
// version resolved by NewGrypeScanner or NewScannerWithVersion.
type GrypeScanner struct {
	// contains filtered or unexported fields
}

GrypeScanner implements Scanner interface using Grype

func NewGrypeScanner

func NewGrypeScanner() *GrypeScanner

NewGrypeScanner creates a new GrypeScanner pinned to DefaultGrypeVersion.

func (*GrypeScanner) CheckInstalled

func (g *GrypeScanner) CheckInstalled(ctx context.Context) error

CheckInstalled checks if grype is installed

func (*GrypeScanner) CheckVersion

func (g *GrypeScanner) CheckVersion(ctx context.Context) error

CheckVersion returns an error if the installed grype is older than the resolved version (see NewScannerWithVersion for how that version is chosen).

func (*GrypeScanner) Install

func (g *GrypeScanner) Install(ctx context.Context) error

Install installs grype at the resolved version if it is not already present, by running the official grype install script. That script fetches the release at install time, so the host needs outbound access to the release source; pinning the version makes the download reproducible, but whether the script's checksum verification is enforced is not shown on this page — confirm before trusting it in a build pipeline.

func (*GrypeScanner) Scan

func (g *GrypeScanner) Scan(ctx context.Context, image string) (*ScanResult, error)

Scan performs vulnerability scanning using grype

func (*GrypeScanner) Tool

func (g *GrypeScanner) Tool() ScanTool

Tool returns the scanner tool name

func (*GrypeScanner) Version

func (g *GrypeScanner) Version(ctx context.Context) (string, error)

Version returns the grype version

type OutputConfig

// OutputConfig configures where scan results are written.
type OutputConfig struct {
	// Local is a local destination; non-empty means ShouldSaveLocal is true.
	// NOTE(review): this value comes from configuration — confirm it is
	// validated before being used as a filesystem path.
	Local    string `json:"local,omitempty" yaml:"local,omitempty"`
	// Registry requests that results also be pushed to the registry
	// (presumably alongside the scanned image — confirm).
	Registry bool   `json:"registry" yaml:"registry"`
}

OutputConfig configures scan output

type PolicyEnforcer

// PolicyEnforcer applies the FailOn/WarnOn thresholds of a Config to scan
// results; see Enforce and ShouldBlock.
type PolicyEnforcer struct {
	// contains filtered or unexported fields
}

PolicyEnforcer enforces vulnerability policies

func NewPolicyEnforcer

func NewPolicyEnforcer(config *Config) *PolicyEnforcer

NewPolicyEnforcer creates a new PolicyEnforcer

func (*PolicyEnforcer) Enforce

func (p *PolicyEnforcer) Enforce(result *ScanResult) error

Enforce applies the vulnerability policy to a scan result. It returns a *PolicyViolationError when findings exceed the failOn threshold, and nil both when there are no violations and when the configuration is unusable. The latter is fail-open: a misconfigured policy does not block, so callers that need misconfiguration to fail must call Config.Validate beforehand.

func (*PolicyEnforcer) ShouldBlock

func (p *PolicyEnforcer) ShouldBlock(result *ScanResult) bool

ShouldBlock returns true if the result violates the policy

type PolicyViolationError

// PolicyViolationError is returned by PolicyEnforcer.Enforce when findings
// exceed the configured failOn threshold. It is a distinct type so callers
// can tell a policy failure from a tool error with errors.As.
type PolicyViolationError struct {
	// Message is the human-readable reason returned by Error.
	Message string
}

PolicyViolationError is returned when scan results exceed the configured severity threshold. It is distinct from tool errors so callers can apply soft-fail logic (warn but continue); detect it with errors.As rather than by matching the message text.

func (*PolicyViolationError) Error

func (e *PolicyViolationError) Error() string

type ScanResult

// ScanResult is the normalised output of one scanner run (or of
// MergeResults over several). Digest covers the content and is checked by
// ValidateDigest.
type ScanResult struct {
	// ImageDigest identifies the scanned image. NOTE(review): Scan accepts an
	// arbitrary image reference — confirm this is resolved to an immutable
	// digest rather than echoing a tag, otherwise the result cannot be tied
	// to the exact content that was scanned.
	ImageDigest     string                 `json:"imageDigest"`
	// Tool is the scanner that produced the result.
	Tool            ScanTool               `json:"tool"`
	// Vulnerabilities lists the individual findings.
	Vulnerabilities []Vulnerability        `json:"vulnerabilities"`
	// Summary holds per-severity counts over Vulnerabilities.
	Summary         VulnerabilitySummary   `json:"summary"`
	// ScannedAt records when the scan ran.
	ScannedAt       time.Time              `json:"scannedAt"`
	// Digest is an unkeyed SHA-256 over the content: it detects corruption,
	// not tampering by a party that can also rewrite this field.
	Digest          string                 `json:"digest"` // SHA256 of content
	// Metadata carries scanner-specific extras.
	Metadata        map[string]interface{} `json:"metadata,omitempty"`
}

ScanResult represents vulnerability scan results

func MergeResults

func MergeResults(results ...*ScanResult) *ScanResult

MergeResults merges multiple scan results, deduplicating by vulnerability ID and package coordinates. When multiple scanners report the same package-level finding, the higher severity and richer metadata win.

func NewScanResult

func NewScanResult(imageDigest string, tool ScanTool, vulns []Vulnerability) *ScanResult

NewScanResult creates a new ScanResult

func (*ScanResult) ValidateDigest

func (r *ScanResult) ValidateDigest() error

ValidateDigest recomputes the SHA-256 of the result content and returns an error if it does not match Digest. Because the hash is unkeyed, this guards against corruption in transit or storage, not against deliberate modification by anyone who can also rewrite the Digest field.

type ScanTool

// ScanTool names a scanner backend; the accepted values are the ScanTool*
// constants.
type ScanTool string

ScanTool represents a vulnerability scanning tool

const (
	// ScanToolGrype selects the grype backend (GrypeScanner).
	ScanToolGrype ScanTool = "grype"
	// ScanToolTrivy selects the trivy backend (TrivyScanner).
	ScanToolTrivy ScanTool = "trivy"
	// ScanToolAll selects every supported backend. NOTE(review): results are
	// presumably combined with MergeResults — confirm.
	ScanToolAll   ScanTool = "all"
)

type Scanner

// Scanner is the interface for vulnerability scanners. The implementations on
// this page (GrypeScanner, TrivyScanner) wrap the respective CLI tool.
type Scanner interface {
	// Scan performs vulnerability scanning on an image reference and returns
	// the normalised result; ctx is expected to bound the run.
	Scan(ctx context.Context, image string) (*ScanResult, error)

	// Tool returns the scanner tool name (a single-tool ScanTool value).
	Tool() ScanTool

	// Version returns the installed scanner's version string.
	Version(ctx context.Context) (string, error)

	// CheckInstalled returns an error if the scanner binary is not available.
	CheckInstalled(ctx context.Context) error

	// CheckVersion returns an error if the installed scanner is older than
	// the resolved minimum version (see NewScannerWithVersion).
	CheckVersion(ctx context.Context) error

	// Install installs the scanner if not already present. The implementations
	// shown here run the tool's official install script, i.e. a network
	// download at install time.
	Install(ctx context.Context) error
}

Scanner is the interface for vulnerability scanners

func NewScanner

func NewScanner(tool ScanTool) (Scanner, error)

NewScanner creates a new scanner for the specified tool. Versions can be overridden via SC_GRYPE_VERSION or SC_TRIVY_VERSION env vars.

func NewScannerWithVersion

func NewScannerWithVersion(tool ScanTool, version string) (Scanner, error)

NewScannerWithVersion creates a scanner pinned to a specific version. Resolution order: the explicit version argument, then the SC_GRYPE_VERSION / SC_TRIVY_VERSION environment variable, then the built-in default. The resolved version is used both as the install target and as the minimum accepted by CheckVersion, so an override below the built-in default lowers the floor and admits an older scanner; treat these inputs as trusted configuration, not user-controlled values.

type Severity

// Severity is a normalised vulnerability severity; the accepted values are
// the lowercase Severity* constants.
type Severity string

Severity represents vulnerability severity levels

const (
	// Values are lowercase; compare against these constants rather than the
	// capitalised strings scanners emit.
	SeverityCritical Severity = "critical"
	SeverityHigh     Severity = "high"
	SeverityMedium   Severity = "medium"
	SeverityLow      Severity = "low"
	// SeverityUnknown is used when the scanner gives no severity.
	// NOTE(review): where "unknown" sits relative to failOn is not shown on
	// this page — confirm it cannot silently pass gating.
	SeverityUnknown  Severity = "unknown"
)

type TrivyOutput

// TrivyOutput is the subset of trivy's JSON report that this package
// declares; fields not listed here are dropped by encoding/json on decode.
type TrivyOutput struct {
	// Results holds one entry per scanned target, each with its findings.
	Results []struct {
		Vulnerabilities []struct {
			VulnerabilityID  string    `json:"VulnerabilityID"`  // scanner's vulnerability identifier
			Severity         string    `json:"Severity"`         // raw severity string as emitted by trivy (not yet a Severity)
			PkgName          string    `json:"PkgName"`          // affected package
			InstalledVersion string    `json:"InstalledVersion"` // version found in the image
			FixedVersion     string    `json:"FixedVersion"`     // fixing version, if any
			Description      string    `json:"Description"`      // free text from the vulnerability database
			References       []string  `json:"References"`       // reference URLs
			CVSS             trivyCVSS `json:"CVSS"`             // per-source CVSS data (trivyCVSS is unexported)
		} `json:"Vulnerabilities"`
	} `json:"Results"`
	// Metadata describes the run.
	Metadata struct {
		Version string `json:"Version"` // trivy version that produced the report
		ImageID string `json:"ImageID"` // image identifier as reported by trivy
	} `json:"Metadata"`
}

TrivyOutput represents trivy JSON output structure

type TrivyScanner

// TrivyScanner implements Scanner on top of the trivy CLI, pinned to the
// version resolved by NewTrivyScanner or NewScannerWithVersion.
type TrivyScanner struct {
	// contains filtered or unexported fields
}

TrivyScanner implements Scanner interface using Trivy

func NewTrivyScanner

func NewTrivyScanner() *TrivyScanner

NewTrivyScanner creates a new TrivyScanner pinned to DefaultTrivyVersion.

func (*TrivyScanner) CheckInstalled

func (t *TrivyScanner) CheckInstalled(ctx context.Context) error

CheckInstalled checks if trivy is installed

func (*TrivyScanner) CheckVersion

func (t *TrivyScanner) CheckVersion(ctx context.Context) error

CheckVersion returns an error if the installed trivy is older than the resolved version (see NewScannerWithVersion for how that version is chosen).

func (*TrivyScanner) Install

func (t *TrivyScanner) Install(ctx context.Context) error

Install installs trivy at the resolved version if it is not already present, by running the official trivy install script. That script fetches the release at install time, so the host needs outbound access to the release source; pinning the version makes the download reproducible, but whether the script's checksum verification is enforced is not shown on this page — confirm before trusting it in a build pipeline.

func (*TrivyScanner) Scan

func (t *TrivyScanner) Scan(ctx context.Context, image string) (*ScanResult, error)

Scan performs vulnerability scanning using trivy

func (*TrivyScanner) Tool

func (t *TrivyScanner) Tool() ScanTool

Tool returns the scanner tool name

func (*TrivyScanner) Version

func (t *TrivyScanner) Version(ctx context.Context) (string, error)

Version returns the trivy version

type Vulnerability

// Vulnerability is one finding normalised across scanners. Severity holds
// one of the lowercase Severity* constants.
type Vulnerability struct {
	ID          string                 `json:"id"`          // vulnerability identifier, typically a CVE ID (scanners may also emit GHSA/vendor IDs — confirm normalisation)
	Severity    Severity               `json:"severity"`    // "critical", "high", "medium", "low" or "unknown" (the Severity* constants)
	Package     string                 `json:"package"`     // affected package name
	Version     string                 `json:"version"`     // installed version
	FixedIn     string                 `json:"fixedIn"`     // fixing version; empty when none is known
	Description string                 `json:"description"` // free text from the vulnerability database; escape before rendering as HTML
	URLs        []string               `json:"urls"`        // reference URLs as reported by the scanner
	CVSS        float64                `json:"cvss"`        // CVSS score; presumably 0 when the scanner supplied none — confirm
	Metadata    map[string]interface{} `json:"metadata,omitempty"` // scanner-specific extras; MergeResults prefers the richer record
}

Vulnerability represents a single vulnerability

type VulnerabilitySummary

// VulnerabilitySummary aggregates finding counts by severity; the Has*
// helpers test the individual buckets and String renders it for humans.
type VulnerabilitySummary struct {
	Critical int `json:"critical"`
	High     int `json:"high"`
	Medium   int `json:"medium"`
	Low      int `json:"low"`
	Unknown  int `json:"unknown"` // findings with no severity — not covered by any Has* helper on this page
	Total    int `json:"total"`   // NOTE(review): presumably the sum of the five buckets — confirm
}

VulnerabilitySummary aggregates vulnerability counts by severity

func (VulnerabilitySummary) HasCritical

func (s VulnerabilitySummary) HasCritical() bool

HasCritical returns true if there are critical vulnerabilities

func (VulnerabilitySummary) HasHigh

func (s VulnerabilitySummary) HasHigh() bool

HasHigh returns true if there are high vulnerabilities

func (VulnerabilitySummary) HasLow

func (s VulnerabilitySummary) HasLow() bool

HasLow returns true if there are low vulnerabilities

func (VulnerabilitySummary) HasMedium

func (s VulnerabilitySummary) HasMedium() bool

HasMedium returns true if there are medium vulnerabilities

func (VulnerabilitySummary) String

func (s VulnerabilitySummary) String() string

String returns a human-readable summary
