types

package

v1.4.0 Latest Latest Go to latest Published: Mar 2, 2021 License: Apache-2.0 Imports: 16 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/alcideio/iskan

Links

Open Source Insights

Documentation ¶

Index ¶

type Azure
type ClusterScanReport
- func NewClusterScanReport() *ClusterScanReport
type ClusterScanReportSummary
- func NewClusterScanReportSummary() *ClusterScanReportSummary
type ECR
type HarborConfig
type ImageScanResult
type ImageVulnerabilitiesFinder
type InsightVM
type PodSpecSummary
type Policy
- func NewDefaultPolicy() *Policy
- func (p *Policy) Init()
type RegistryExclusion
type ReportFilter
- func LoadReportFilter(fname string) (*ReportFilter, error)
type ScanRateLimit
type ScanScope
- func (f *ScanScope) Init()
- func (f *ScanScope) IsNamespaceIncluded(ns string) bool
- func (f *ScanScope) ShouldScanImage(image string) (bool, string)
type ScanTaskResult
type SeveritySummary
- func NewSeveritySummary() SeveritySummary
- func (s SeveritySummary) Add(b SeveritySummary)
- func (s SeveritySummary) Max() (string, uint32)
- func (s SeveritySummary) String() string
- func (s SeveritySummary) Table() string
type SeveritySummaryMap
- func (sm SeveritySummaryMap) Table(aux SeveritySummaryMap) string
type TrivyConfig
- func DefaultTrivyConfig() *TrivyConfig
type VulnProviderAPICreds
type VulnProviderConfig
type VulnProvidersConfig
- func LoadVulnProvidersConfig(fname string) (*VulnProvidersConfig, error)
- func LoadVulnProvidersConfigFromBuffer(data []byte) (*VulnProvidersConfig, error)
type VulnerabilityExclusion

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Azure ¶

type Azure struct {
	// Azure Related
	// https://docs.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az_ad_sp_reset_credentials
	TenantId       string `json:"tenantId,omitempty" envconfig:"AZURE_TENANT_ID"       default:""                  doc:"Tenant Id"`
	SubscriptionId string `json:"subscriptionId,omitempty" envconfig:"AZURE_SUBSCRIPTION_ID" default:""                  doc:"Subscription Id"`
	ClientId       string `json:"clientId,omitempty" envconfig:"AZURE_CLIENT_ID"       default:""                  doc:"Client Id"`
	ClientSecret   string `json:"clientSecret,omitempty" envconfig:"AZURE_CLIENT_SECRET"   default:""                  doc:"Client Secret"`
	//ResourceGroupName string `json:"resourceGroupName,omitempty" envconfig:"AZURE_RG_NAME"         default:""                  doc:"Resource Group Name"`
	CloudName string `` /* 170-byte string literal not displayed */
}

type ClusterScanReport ¶

type ClusterScanReport struct {
	//A Cluster UUID Identifier ... (namespace uid of kube-system ;P)
	ClusterId string
	// CreationTimestamp is a timestamp representing the time when this report was
	// created. It is represented in RFC3339 form and is in UTC.
	CreationTimeStamp string `json:"CreationTimeStamp,omitempty"`

	//Unique Report UUID
	ReportUUID string

	//The Policy with the report was generated with
	Policy Policy

	// Report Findings
	Findings map[string]*ImageScanResult

	// High level stats about this report
	Summary ClusterScanReportSummary
}

func NewClusterScanReport ¶

func NewClusterScanReport() *ClusterScanReport

type ClusterScanReportSummary ¶

type ClusterScanReportSummary struct {
	// ns/podName --> Severity Vector
	PodSummary map[string]PodSpecSummary

	ClusterSeverity SeveritySummary

	NamespaceSeverity SeveritySummaryMap

	// ns/podName --> Severity Vector
	PodSeverity        SeveritySummaryMap
	PodFixableSeverity SeveritySummaryMap

	FailedOrSkippedPods   []string
	FailedOrSkippedImages []string

	AnalyzedPodCount uint32
	ExcludedPodCount uint32
}

func NewClusterScanReportSummary ¶

func NewClusterScanReportSummary() *ClusterScanReportSummary

type ECR ¶

type ECR struct {
	AccessKeyId     string `json:"accessKeyId,omitempty"`
	SecretAccessKey string `json:"secretAccessKey,omitempty"`
	Region          string `json:"region,omitempty"`
}

type HarborConfig ¶ added in v1.3.0

type HarborConfig struct {
	Insecure bool   `json:"insecure,omitempty" envconfig:"HARBOR_INSECURE" default:"false"`
	Host     string `json:"host,omitempty" envconfig:"HARBOR_HOST" default:"localhost"`
	Username string `json:"username,omitempty" envconfig:"HARBOR_USERNAME" default:""`
	Password string `json:"password,omitempty" envconfig:"HARBOR_PASSWORD" default:""`
}

type ImageScanResult ¶

type ImageScanResult struct {
	Image string

	CompletedOK bool
	Reason      string

	//If completed ok - this value should be populated with findings (if there are any)
	Findings []*grafeas.Occurrence

	//Stats
	Summary      SeveritySummary
	Fixable      SeveritySummary
	ExcludeCount uint32
}

type ImageVulnerabilitiesFinder ¶

type ImageVulnerabilitiesFinder interface {
	//Which Registry Platform it supports
	Type() string

	ListOccurrences(ctx context.Context, containerImage string) (*ImageScanResult, error)
}

type InsightVM ¶ added in v1.4.0

type InsightVM struct {
	//https://help.rapid7.com/insightvm/en-us/api/api.html#section/Overview
	ApiKey string `json:"apiKey,omitempty" envconfig:"INSIGHTVM_APIKEY" default:""`
	Region string `json:"region,omitempty" envconfig:"INSIGHTVM_REGION" default:"us"`
}

type PodSpecSummary ¶

type PodSpecSummary struct {
	Name      string
	Namespace string

	Spec *v1.PodSpec

	Severity SeveritySummary
	Fixable  SeveritySummary

	ScanFailures uint32
}

type Policy ¶

type Policy struct {
	ScanScope *ScanScope

	ReportFilter *ReportFilter

	RateLimit ScanRateLimit
}

func NewDefaultPolicy ¶

func NewDefaultPolicy() *Policy

func (*Policy) Init ¶

func (p *Policy) Init()

type RegistryExclusion ¶

type RegistryExclusion struct {
	Registry string
	Reason   string

	SnoozeBy string
	// Unix returns t as a Unix time, the number of seconds elapsed
	// since January 1, 1970 UTC.
	SnoozeUntil int64
}

type ReportFilter ¶

type ReportFilter struct {
	//Empty Severity --> Include All Severity
	Severities string

	//CVSS Score is greater than the specified threshold
	CvssGreaterThan float32

	//Include only fixable vulnerabilities
	FixableOnly bool

	//Specific CVEs
	VulnerabilityExclusions []*VulnerabilityExclusion
}

Evaluate Each Occurence Against filter to exclude occurences from report. The conditions are ANDed - if any if the conditions

func LoadReportFilter ¶

func LoadReportFilter(fname string) (*ReportFilter, error)

type ScanRateLimit ¶

type ScanRateLimit struct {
	ApiQPS   float32 `json:"apiQPS,omitempty" envconfig:"ISKAN_API_QPS"    default:"50.0"  doc:"indicates the maximum QPS to the vuln providers"`
	ApiBurst int32   `json:"apiBurst,omitempty" envconfig:"ISKAN_API_BURST"  default:"100"   doc:"Maximum burst for throttle"`
}

type ScanScope ¶

type ScanScope struct {
	NamespaceExclude string
	NamespaceInclude string

	RegistryExclusion []*RegistryExclusion
	// contains filtered or unexported fields
}

func (*ScanScope) Init ¶

func (f *ScanScope) Init()

func (*ScanScope) IsNamespaceIncluded ¶

func (f *ScanScope) IsNamespaceIncluded(ns string) bool

func (*ScanScope) ShouldScanImage ¶

func (f *ScanScope) ShouldScanImage(image string) (bool, string)

type ScanTaskResult ¶

type ScanTaskResult struct {
	Findings map[string]*ImageScanResult

	ScannedPods []*v1.Pod
	SkippedPods []*v1.Pod
}

type SeveritySummary ¶

type SeveritySummary map[grafeas.Severity]uint32

func NewSeveritySummary ¶

func NewSeveritySummary() SeveritySummary

func (SeveritySummary) Add ¶

func (s SeveritySummary) Add(b SeveritySummary)

func (SeveritySummary) Max ¶

func (s SeveritySummary) Max() (string, uint32)

func (SeveritySummary) String ¶

func (s SeveritySummary) String() string

func (SeveritySummary) Table ¶

func (s SeveritySummary) Table() string

type SeveritySummaryMap ¶

type SeveritySummaryMap map[string]SeveritySummary

func (SeveritySummaryMap) Table ¶

func (sm SeveritySummaryMap) Table(aux SeveritySummaryMap) string

type TrivyConfig ¶

type TrivyConfig struct {
	CacheDir      string `json:"cacheDir,omitempty" envconfig:"SCANNER_TRIVY_CACHE_DIR" default:"/home/iskan/.cache/trivy"`
	ReportsDir    string `json:"reportsDir,omitempty" envconfig:"SCANNER_TRIVY_REPORTS_DIR" default:"/home/iskan/.cache/reports"`
	DebugMode     bool   `json:"debugMode,omitempty" envconfig:"SCANNER_TRIVY_DEBUG_MODE" default:"false"`
	VulnType      string `json:"vulnType,omitempty" envconfig:"SCANNER_TRIVY_VULN_TYPE" default:"os,library"`
	Severity      string `json:"severity,omitempty" envconfig:"SCANNER_TRIVY_SEVERITY" default:"UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"`
	IgnoreUnfixed bool   `json:"ignoreUnfixed,omitempty" envconfig:"SCANNER_TRIVY_IGNORE_UNFIXED" default:"false"`
	SkipUpdate    bool   `json:"skipUpdate,omitempty" envconfig:"SCANNER_TRIVY_SKIP_UPDATE" default:"false"`
	GitHubToken   string `json:"githubToken,omitempty" envconfig:"SCANNER_TRIVY_GITHUB_TOKEN"`
	Insecure      bool   `json:"insecure,omitempty" envconfig:"SCANNER_TRIVY_INSECURE" default:"false"`
}

func DefaultTrivyConfig ¶

func DefaultTrivyConfig() *TrivyConfig

type VulnProviderAPICreds ¶

type VulnProviderAPICreds struct {
	GCR string `json:"gcr,omitempty"`

	ECR *ECR `json:"ecr,omitempty"`

	ACR *Azure `json:"acr,omitempty"`

	Trivy *TrivyConfig `json:"trivy,omitempty"`

	Harbor *HarborConfig `json:"harbor,omitempty"`

	InsightVM *InsightVM `json:"insightvm,omitempty"`
}

type VulnProviderConfig ¶

type VulnProviderConfig struct {
	//Repo Kind
	Kind string

	//Repo FQDN
	Repository string

	//API Access Credentials
	Creds VulnProviderAPICreds
}

type VulnProvidersConfig ¶

type VulnProvidersConfig struct {
	Providers []VulnProviderConfig
}

func LoadVulnProvidersConfig ¶

func LoadVulnProvidersConfig(fname string) (*VulnProvidersConfig, error)

func LoadVulnProvidersConfigFromBuffer ¶

func LoadVulnProvidersConfigFromBuffer(data []byte) (*VulnProvidersConfig, error)

type VulnerabilityExclusion ¶

type VulnerabilityExclusion struct {
	CVE         string
	Reason      string
	SnoozeUntil int64
	SnoozedBy   string
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL