Overview
Package security provides container security scanning and secure default configurations.
Index ¶
- Variables
- func FormatScanResultString(r *models.SecurityScanResult) string
- func WithLogger(logger *logrus.Logger) func(*SecurityManager)
- func WithMaxConcurrentScans(max int) func(*SecurityManager)
- func WithScannerFactory(factory ScannerFactory) func(*SecurityManager)
- type CapabilityProfile
- type DefaultsManager
- func (m *DefaultsManager) ApplyCustomSecuritySettings(ctx context.Context, createOptions *container.Config, ...) error
- func (m *DefaultsManager) ApplySecureDefaults(ctx context.Context, createOptions *container.Config, ...) error
- func (m *DefaultsManager) DeleteAppArmorProfile(name string) error
- func (m *DefaultsManager) DeleteCapabilityProfile(name string) error
- func (m *DefaultsManager) DeleteSeccompProfile(name string) error
- func (m *DefaultsManager) GetAppArmorProfile(name string) (string, error)
- func (m *DefaultsManager) GetCapabilityProfile(name string) (CapabilityProfile, error)
- func (m *DefaultsManager) GetDefaultAppArmorProfile() string
- func (m *DefaultsManager) GetDefaultCapabilityProfile() (CapabilityProfile, error)
- func (m *DefaultsManager) GetDefaultSeccompProfile() (SeccompProfile, error)
- func (m *DefaultsManager) GetSeccompProfile(name string) (SeccompProfile, error)
- func (m *DefaultsManager) InstallAppArmorProfile(name, content string) error
- func (m *DefaultsManager) IsAppArmorEnabled() bool
- func (m *DefaultsManager) IsSeccompEnabled() bool
- func (m *DefaultsManager) ListAppArmorProfiles() []string
- func (m *DefaultsManager) ListCapabilityProfiles() []string
- func (m *DefaultsManager) ListSeccompProfiles() []string
- func (m *DefaultsManager) LoadProfiles() error
- func (m *DefaultsManager) SaveCapabilityProfile(profile CapabilityProfile) error
- func (m *DefaultsManager) SaveSeccompProfile(profile SeccompProfile) error
- func (m *DefaultsManager) SetDefaultAppArmorProfile(name string) error
- func (m *DefaultsManager) SetDefaultCapabilityProfile(name string) error
- func (m *DefaultsManager) SetDefaultSeccompProfile(name string) error
- type DefaultsOptions
- type DockerScanClient
- type ScanOptions
- type Scanner
- type ScannerFactory
- type SeccompArg
- type SeccompProfile
- type SeccompSyscall
- type SecurityManager
- func (m *SecurityManager) GetAvailableScanners() []string
- func (m *SecurityManager) GetLatestScanResult(target string) *models.SecurityScanResult
- func (m *SecurityManager) GetScanHistory() []*models.SecurityScanResult
- func (m *SecurityManager) RegisterScanner(scannerType string) error
- func (m *SecurityManager) ScanContainer(ctx context.Context, containerID string, scannerType string, ...) (*models.SecurityScanResult, error)
- func (m *SecurityManager) ScanImage(ctx context.Context, imageRef string, scannerType string, options ScanOptions) (*models.SecurityScanResult, error)
Constants ¶
This section is empty.
Variables ¶
// Sentinel errors returned by the DefaultsManager profile operations.
// Compare with errors.Is so that wrapped errors are still recognised.
var (
	// ErrInvalidSeccompProfile is returned for a seccomp profile that is not valid.
	ErrInvalidSeccompProfile = errors.New("invalid seccomp profile")

	// ErrInvalidAppArmorProfile is returned for an AppArmor profile that is not valid.
	ErrInvalidAppArmorProfile = errors.New("invalid apparmor profile")

	// ErrProfileNotFound is returned when a requested profile does not exist.
	ErrProfileNotFound = errors.New("profile not found")

	// ErrUnsupportedRuntime is returned when the container runtime is not supported.
	ErrUnsupportedRuntime = errors.New("unsupported container runtime")
)
Common errors
// Sentinel errors returned by the SecurityManager scanning operations.
// Compare with errors.Is so that wrapped errors are still recognised.
var (
	// ErrImageNotFound is returned when the requested image does not exist.
	ErrImageNotFound = errors.New("image not found")

	// ErrScanFailed is returned when a scan does not complete successfully.
	ErrScanFailed = errors.New("scan failed")

	// ErrInvalidImage is returned for an image specification that is not valid.
	ErrInvalidImage = errors.New("invalid image specification")

	// ErrScannerNotAvailable is returned when the selected scanner cannot be used.
	ErrScannerNotAvailable = errors.New("security scanner not available")

	// ErrUnsupportedScanner is returned for a scanner type the package does not support.
	ErrUnsupportedScanner = errors.New("unsupported scanner type")
)
Common errors
Functions ¶
func FormatScanResultString ¶
func FormatScanResultString(r *models.SecurityScanResult) string
FormatScanResultString returns a string representation of a models.SecurityScanResult
func WithLogger ¶
func WithLogger(logger *logrus.Logger) func(*SecurityManager)
WithLogger sets the logger
func WithMaxConcurrentScans ¶
func WithMaxConcurrentScans(max int) func(*SecurityManager)
WithMaxConcurrentScans sets the maximum number of concurrent scans
func WithScannerFactory ¶
func WithScannerFactory(factory ScannerFactory) func(*SecurityManager)
WithScannerFactory sets the scanner factory
Types ¶
type CapabilityProfile ¶
// CapabilityProfile is a named set of Linux capability changes for a
// container. The json tags suggest profiles are stored as JSON on disk by
// SaveCapabilityProfile and read back by LoadProfiles.
type CapabilityProfile struct {
	// Name identifies the profile; it is the name passed to
	// GetCapabilityProfile, SetDefaultCapabilityProfile and DeleteCapabilityProfile.
	Name string `json:"name"`
	// Description is a human-readable description of the profile.
	Description string `json:"description"`
	// Add lists capabilities granted to the container. Each entry widens the
	// container's privilege, so the list should stay as small as possible.
	// NOTE(review): presumably runtime capability names (e.g. NET_BIND_SERVICE) — confirm against ApplySecureDefaults.
	Add []string `json:"add"`
	// Drop lists capabilities removed from the container.
	Drop []string `json:"drop"`
}
CapabilityProfile represents a capability profile
type DefaultsManager ¶
// DefaultsManager manages secure default configurations for containers:
// seccomp, AppArmor and capability profiles, and their application to
// container create options. Its fields are unexported and elided from this
// rendering; construct it with NewDefaultsManager.
type DefaultsManager struct {
	// contains filtered or unexported fields
}
DefaultsManager manages secure default configurations for containers
func NewDefaultsManager ¶
func NewDefaultsManager(options DefaultsOptions) (*DefaultsManager, error)
NewDefaultsManager creates a new DefaultsManager
func (*DefaultsManager) ApplyCustomSecuritySettings ¶
func (m *DefaultsManager) ApplyCustomSecuritySettings(ctx context.Context, createOptions *container.Config, hostConfig *container.HostConfig, seccompProfile, apparmorProfile, capabilityProfile string) error
ApplyCustomSecuritySettings applies the named seccomp, AppArmor and capability profiles to the container create options
func (*DefaultsManager) ApplySecureDefaults ¶
func (m *DefaultsManager) ApplySecureDefaults(ctx context.Context, createOptions *container.Config, hostConfig *container.HostConfig) error
ApplySecureDefaults applies the manager's default security profiles to the container create options
func (*DefaultsManager) DeleteAppArmorProfile ¶
func (m *DefaultsManager) DeleteAppArmorProfile(name string) error
DeleteAppArmorProfile deletes an AppArmor profile
func (*DefaultsManager) DeleteCapabilityProfile ¶
func (m *DefaultsManager) DeleteCapabilityProfile(name string) error
DeleteCapabilityProfile deletes a capability profile
func (*DefaultsManager) DeleteSeccompProfile ¶
func (m *DefaultsManager) DeleteSeccompProfile(name string) error
DeleteSeccompProfile deletes a seccomp profile
func (*DefaultsManager) GetAppArmorProfile ¶
func (m *DefaultsManager) GetAppArmorProfile(name string) (string, error)
GetAppArmorProfile gets an AppArmor profile
func (*DefaultsManager) GetCapabilityProfile ¶
func (m *DefaultsManager) GetCapabilityProfile(name string) (CapabilityProfile, error)
GetCapabilityProfile gets a capability profile
func (*DefaultsManager) GetDefaultAppArmorProfile ¶
func (m *DefaultsManager) GetDefaultAppArmorProfile() string
GetDefaultAppArmorProfile gets the default AppArmor profile
func (*DefaultsManager) GetDefaultCapabilityProfile ¶
func (m *DefaultsManager) GetDefaultCapabilityProfile() (CapabilityProfile, error)
GetDefaultCapabilityProfile gets the default capability profile
func (*DefaultsManager) GetDefaultSeccompProfile ¶
func (m *DefaultsManager) GetDefaultSeccompProfile() (SeccompProfile, error)
GetDefaultSeccompProfile gets the default seccomp profile
func (*DefaultsManager) GetSeccompProfile ¶
func (m *DefaultsManager) GetSeccompProfile(name string) (SeccompProfile, error)
GetSeccompProfile gets a seccomp profile
func (*DefaultsManager) InstallAppArmorProfile ¶
func (m *DefaultsManager) InstallAppArmorProfile(name, content string) error
InstallAppArmorProfile installs an AppArmor profile
func (*DefaultsManager) IsAppArmorEnabled ¶
func (m *DefaultsManager) IsAppArmorEnabled() bool
IsAppArmorEnabled reports whether AppArmor is enabled
func (*DefaultsManager) IsSeccompEnabled ¶
func (m *DefaultsManager) IsSeccompEnabled() bool
IsSeccompEnabled reports whether seccomp is enabled
func (*DefaultsManager) ListAppArmorProfiles ¶
func (m *DefaultsManager) ListAppArmorProfiles() []string
ListAppArmorProfiles lists all AppArmor profiles
func (*DefaultsManager) ListCapabilityProfiles ¶
func (m *DefaultsManager) ListCapabilityProfiles() []string
ListCapabilityProfiles lists all capability profiles
func (*DefaultsManager) ListSeccompProfiles ¶
func (m *DefaultsManager) ListSeccompProfiles() []string
ListSeccompProfiles lists all seccomp profiles
func (*DefaultsManager) LoadProfiles ¶
func (m *DefaultsManager) LoadProfiles() error
LoadProfiles loads profiles from disk
func (*DefaultsManager) SaveCapabilityProfile ¶
func (m *DefaultsManager) SaveCapabilityProfile(profile CapabilityProfile) error
SaveCapabilityProfile saves a capability profile to disk
func (*DefaultsManager) SaveSeccompProfile ¶
func (m *DefaultsManager) SaveSeccompProfile(profile SeccompProfile) error
SaveSeccompProfile saves a seccomp profile to disk
func (*DefaultsManager) SetDefaultAppArmorProfile ¶
func (m *DefaultsManager) SetDefaultAppArmorProfile(name string) error
SetDefaultAppArmorProfile sets the default AppArmor profile
func (*DefaultsManager) SetDefaultCapabilityProfile ¶
func (m *DefaultsManager) SetDefaultCapabilityProfile(name string) error
SetDefaultCapabilityProfile sets the default capability profile
func (*DefaultsManager) SetDefaultSeccompProfile ¶
func (m *DefaultsManager) SetDefaultSeccompProfile(name string) error
SetDefaultSeccompProfile sets the default seccomp profile
type DefaultsOptions ¶
// DefaultsOptions configures a DefaultsManager (see NewDefaultsManager).
type DefaultsOptions struct {
	// ConfigPath is the configuration directory. LoadProfiles reads profiles
	// from disk and the Save* methods write them there, so the profiles that
	// define each container's sandbox come from this directory; it should be
	// writable only by trusted principals.
	ConfigPath string
	// DefaultSeccompProfile is the name of the seccomp profile applied by
	// ApplySecureDefaults (see SetDefaultSeccompProfile).
	DefaultSeccompProfile string
	// DefaultAppArmorProfile is the name of the AppArmor profile applied by
	// ApplySecureDefaults (see SetDefaultAppArmorProfile).
	DefaultAppArmorProfile string
	// DefaultCapabilityProfile is the name of the capability profile applied
	// by ApplySecureDefaults (see SetDefaultCapabilityProfile).
	DefaultCapabilityProfile string
	// Logger receives the manager's log output.
	// NOTE(review): behaviour when nil is not visible here — confirm in NewDefaultsManager.
	Logger *logrus.Logger
	// DockerClient is the Docker API client used by the manager.
	DockerClient client.APIClient
}
DefaultsOptions defines options for the DefaultsManager
type DockerScanClient ¶
// DockerScanClient is the minimal Docker client surface the SecurityManager
// needs: inspecting an image and inspecting a container. The method
// signatures match the Docker client API, so a full client should satisfy it;
// defining the interface here keeps the manager testable with a fake.
type DockerScanClient interface {
	// ImageInspectWithRaw returns the parsed inspect data for imageID together
	// with the raw response bytes.
	ImageInspectWithRaw(ctx context.Context, imageID string) (types.ImageInspect, []byte, error)
	// ContainerInspect returns the inspect data for containerID.
	ContainerInspect(ctx context.Context, containerID string) (types.ContainerJSON, error)
}
DockerScanClient defines the minimal interface needed by the SecurityManager
type ScanOptions ¶
// ScanOptions controls a single image or container scan and is passed
// through to the Scanner implementation.
type ScanOptions struct {
	// Timeout bounds the duration of the scan.
	// NOTE(review): whether zero means "no timeout" is not visible here — confirm in the scanners.
	Timeout time.Duration
	// Logger receives log output for this scan.
	Logger *logrus.Logger
	// OutputFormat selects the scanner's output format (e.g. JSON, XML).
	OutputFormat string
	// IncludeLayers requests per-layer information in the result.
	IncludeLayers bool
	// SeverityThreshold is the minimum severity to include in results. It is
	// kept as a plain string rather than an enum; accepted values depend on
	// the scanner.
	SeverityThreshold string
	// MaxConcurrentScans limits concurrent scans for this request.
	// NOTE(review): how this interacts with WithMaxConcurrentScans on the manager is not visible here — confirm.
	MaxConcurrentScans int
	// AdditionalFlags carries scanner-specific flags as key/value pairs.
	// NOTE(review): if a scanner forwards these to an external command line,
	// keys and values must be validated against an allow-list — confirm in each scanner.
	AdditionalFlags map[string]string
}
ScanOptions defines options for scanning
type Scanner ¶
// Scanner is the interface every security scanner backend implements. A
// Scanner is obtained from a ScannerFactory and driven by SecurityManager;
// both scan methods return the package-neutral models.SecurityScanResult.
type Scanner interface {
	// Name returns the scanner's name.
	Name() string
	// Version returns the scanner's version string.
	Version() string
	// IsAvailable reports whether the scanner can be used in this environment
	// (for example, whether its binary or service is reachable).
	IsAvailable(ctx context.Context) bool
	// ScanImage scans the image referenced by imageRef and returns the result.
	// Results use the models package type so callers are not tied to a backend.
	ScanImage(ctx context.Context, imageRef string, options ScanOptions) (*models.SecurityScanResult, error)
	// ScanRunningContainer scans the running container containerID and returns
	// the result, again as a models.SecurityScanResult.
	ScanRunningContainer(ctx context.Context, containerID string, options ScanOptions) (*models.SecurityScanResult, error)
}
Scanner is the interface that security scanners must implement
type ScannerFactory ¶
// ScannerFactory builds Scanner instances by type name. SecurityManager
// resolves the scannerType it receives through this factory (see
// WithScannerFactory and DefaultScannerFactory).
type ScannerFactory interface {
	// Create returns a Scanner for scannerType. An unknown type is expected to
	// yield an error (ErrUnsupportedScanner exists for this) rather than a nil Scanner.
	Create(scannerType string) (Scanner, error)
}
ScannerFactory creates scanners
// DefaultScannerFactory is the ScannerFactory used when none is supplied via
// WithScannerFactory. The concrete defaultScannerFactory is unexported and
// not shown in this rendering.
var DefaultScannerFactory ScannerFactory = &defaultScannerFactory{}
DefaultScannerFactory is the default scanner factory
type SeccompArg ¶
// SeccompArg matches one syscall argument within a SeccompSyscall rule. The
// field names and json tags follow the Docker/OCI seccomp profile format.
type SeccompArg struct {
	// Index is the zero-based position of the syscall argument to compare.
	Index uint `json:"index"`
	// Value is the value the argument is compared against.
	Value uint64 `json:"value"`
	// ValueTwo is the second operand for range-based comparisons; it is
	// omitted from JSON when zero.
	ValueTwo uint64 `json:"valueTwo,omitempty"`
	// Op is the comparison operator.
	// NOTE(review): presumably the SCMP_CMP_* operator names of the Docker seccomp format — confirm against the loader.
	Op string `json:"op"`
}
SeccompArg represents a seccomp argument matcher
type SeccompProfile ¶
// SeccompProfile is a seccomp profile in the Docker/OCI JSON layout
// (defaultAction, architectures, syscalls), persisted by SaveSeccompProfile
// and read back by LoadProfiles.
type SeccompProfile struct {
	// Name identifies the profile; it is the name passed to GetSeccompProfile,
	// SetDefaultSeccompProfile and DeleteSeccompProfile.
	Name string `json:"name"`
	// Description is a human-readable description of the profile.
	Description string `json:"description"`
	// DefaultAction is applied to every syscall not matched by Syscalls. A
	// deny-by-default action keeps the profile an allow-list; an allow
	// default turns Syscalls into a deny-list, which is considerably weaker.
	DefaultAction string `json:"defaultAction"`
	// Architectures lists the architectures the profile applies to; omitted
	// from JSON when empty.
	Architectures []string `json:"architectures,omitempty"`
	// Syscalls holds the per-syscall rules evaluated before DefaultAction.
	Syscalls []SeccompSyscall `json:"syscalls"`
	// Path is the on-disk location of the profile file. It is excluded from
	// JSON (`json:"-"`), so it is populated by the manager, not by the file itself.
	Path string `json:"-"`
}
SeccompProfile represents a seccomp profile
type SeccompSyscall ¶
// SeccompSyscall is one rule of a SeccompProfile: an action applied to a set
// of syscalls, optionally restricted by argument matchers.
type SeccompSyscall struct {
	// Names lists the syscall names this rule covers.
	Names []string `json:"names"`
	// Action is the seccomp action taken when a listed syscall (and its Args,
	// if any) matches.
	Action string `json:"action"`
	// Args optionally narrows the rule to specific argument values; omitted
	// from JSON when empty, in which case the rule matches the syscall unconditionally.
	Args []SeccompArg `json:"args,omitempty"`
}
SeccompSyscall represents a seccomp syscall rule
type SecurityManager ¶
// SecurityManager coordinates security scanning of images and containers
// through registered Scanner backends and keeps the scan history. Its fields
// are unexported and elided from this rendering; construct it with
// NewSecurityManager and the With* options.
type SecurityManager struct {
	// contains filtered or unexported fields
}
SecurityManager manages security scanning and vulnerability management
func NewSecurityManager ¶
func NewSecurityManager(dockerClient DockerScanClient, options ...func(*SecurityManager)) *SecurityManager
NewSecurityManager creates a new security manager
func (*SecurityManager) GetAvailableScanners ¶
func (m *SecurityManager) GetAvailableScanners() []string
GetAvailableScanners returns the available scanners
func (*SecurityManager) GetLatestScanResult ¶
func (m *SecurityManager) GetLatestScanResult(target string) *models.SecurityScanResult
GetLatestScanResult returns the latest scan result for an image or container target
func (*SecurityManager) GetScanHistory ¶
func (m *SecurityManager) GetScanHistory() []*models.SecurityScanResult
GetScanHistory returns the scan history
func (*SecurityManager) RegisterScanner ¶
func (m *SecurityManager) RegisterScanner(scannerType string) error
RegisterScanner registers a scanner of the given type with the manager
func (*SecurityManager) ScanContainer ¶
func (m *SecurityManager) ScanContainer(ctx context.Context, containerID string, scannerType string, options ScanOptions) (*models.SecurityScanResult, error)
ScanContainer scans a container
func (*SecurityManager) ScanImage ¶
func (m *SecurityManager) ScanImage(ctx context.Context, imageRef string, scannerType string, options ScanOptions) (*models.SecurityScanResult, error)
ScanImage scans an image