vulnerabilityreport

package
v0.9.1
Published: Feb 10, 2021 License: Apache-2.0 Imports: 25 Imported by: 1

Documentation

Overview

This package provides primitives for working with vulnerability scanners.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Builder

type Builder interface {
	Owner(owner metav1.Object) Builder
	Container(name string) Builder
	PodSpecHash(hash string) Builder
	Result(result v1alpha1.VulnerabilityScanResult) Builder
	Get() (v1alpha1.VulnerabilityReport, error)
}

func NewBuilder

func NewBuilder(scheme *runtime.Scheme) Builder

type Plugin added in v0.8.0

type Plugin interface {

	// GetScanJobSpec describes the pod that will be created by Starboard when
	// it schedules a Kubernetes job to scan the workload with the specified
	// descriptor.
	// The second argument maps container names to Docker registry credentials,
	// which can be passed to the scanner as environment variables with values
	// set from returned secrets.
	GetScanJobSpec(spec corev1.PodSpec, credentials map[string]docker.Auth) (
		corev1.PodSpec, []*corev1.Secret, error)

	// ParseVulnerabilityScanResult is a callback to parse and convert logs of
	// the pod controlled by the scan job to v1alpha1.VulnerabilityScanResult.
	ParseVulnerabilityScanResult(imageRef string, logsReader io.ReadCloser) (
		v1alpha1.VulnerabilityScanResult, error)
}

Plugin defines the interface between Starboard and static vulnerability scanners.
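As an added example that is not part of the Starboard package, the following Go program sketches the parsing half of a Plugin: a hypothetical ExamplePlugin whose ParseVulnerabilityScanResult reads the scan pod's log stream, checks that it describes the image that was scheduled, normalises severities and returns a deterministic result. The Vulnerability and VulnerabilityScanResult types are simplified local stand-ins for the v1alpha1 types so the program runs without the Kubernetes and Starboard dependencies; the JSON shape, the names rawFinding, severityRank and sampleScannerLog, and the placeholder CVE ids are all constructed for this example. GetScanJobSpec is omitted because it needs the Kubernetes API types.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Simplified stand-ins for v1alpha1.Vulnerability and
// v1alpha1.VulnerabilityScanResult (assumption: only the fields this
// example needs are modelled).
type Vulnerability struct {
	VulnerabilityID  string
	Resource         string
	InstalledVersion string
	FixedVersion     string
	Severity         string
}

type VulnerabilityScanResult struct {
	Scanner         string
	Summary         map[string]int // findings per severity
	Vulnerabilities []Vulnerability
}

// rawFinding is the per-finding JSON shape the hypothetical scanner
// container writes to its log (constructed for this example).
type rawFinding struct {
	ID        string `json:"id"`
	Package   string `json:"pkg"`
	Installed string `json:"installed"`
	Fixed     string `json:"fixed"`
	Severity  string `json:"severity"`
}

// severityRank orders severities and doubles as the list of accepted
// values; anything else is normalised to UNKNOWN.
var severityRank = map[string]int{"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}

// ExamplePlugin is a hypothetical Plugin; only the parsing callback is shown.
type ExamplePlugin struct{}

// ParseVulnerabilityScanResult mirrors the Plugin method's signature. The
// reader is always closed, as the caller handing over an io.ReadCloser expects.
func (ExamplePlugin) ParseVulnerabilityScanResult(imageRef string, logsReader io.ReadCloser) (VulnerabilityScanResult, error) {
	defer logsReader.Close()

	var doc struct {
		Image    string       `json:"image"`
		Findings []rawFinding `json:"findings"`
	}
	if err := json.NewDecoder(logsReader).Decode(&doc); err != nil {
		return VulnerabilityScanResult{}, fmt.Errorf("parsing scanner output for %s: %w", imageRef, err)
	}
	// A result for a different image must never be attached to this workload.
	if doc.Image != imageRef {
		return VulnerabilityScanResult{}, fmt.Errorf("scanner output is for %q, expected %q", doc.Image, imageRef)
	}

	result := VulnerabilityScanResult{Scanner: "example-scanner", Summary: map[string]int{}}
	for i, f := range doc.Findings {
		if f.ID == "" {
			return VulnerabilityScanResult{}, fmt.Errorf("finding %d for %s has no vulnerability id", i, imageRef)
		}
		sev := strings.ToUpper(strings.TrimSpace(f.Severity))
		if _, ok := severityRank[sev]; !ok {
			sev = "UNKNOWN"
		}
		result.Vulnerabilities = append(result.Vulnerabilities, Vulnerability{
			VulnerabilityID: f.ID, Resource: f.Package, InstalledVersion: f.Installed,
			FixedVersion: f.Fixed, Severity: sev,
		})
		result.Summary[sev]++
	}
	// Most severe first, then by id, so repeated scans of one image yield
	// identical reports.
	sort.SliceStable(result.Vulnerabilities, func(i, j int) bool {
		a, b := result.Vulnerabilities[i], result.Vulnerabilities[j]
		if severityRank[a.Severity] != severityRank[b.Severity] {
			return severityRank[a.Severity] < severityRank[b.Severity]
		}
		return a.VulnerabilityID < b.VulnerabilityID
	})
	return result, nil
}

// sampleScannerLog is a constructed log capture; the CVE ids are placeholders.
const sampleScannerLog = `{
  "image": "registry.example/app:1.2.3",
  "findings": [
    {"id": "CVE-0000-0001", "pkg": "libexample", "installed": "1.0.0", "fixed": "1.0.1", "severity": "high"},
    {"id": "CVE-0000-0002", "pkg": "libother",   "installed": "2.3.4", "fixed": "",      "severity": "critical"},
    {"id": "CVE-0000-0003", "pkg": "libexample", "installed": "1.0.0", "fixed": "1.0.1", "severity": "bogus"}
  ]
}`

func main() {
	logs := io.NopCloser(strings.NewReader(sampleScannerLog))
	result, err := ExamplePlugin{}.ParseVulnerabilityScanResult("registry.example/app:1.2.3", logs)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, v := range result.Vulnerabilities {
		fmt.Printf("%-8s %s %s %s (fixed: %q)\n", v.Severity, v.VulnerabilityID, v.Resource, v.InstalledVersion, v.FixedVersion)
	}
	fmt.Println("summary:", result.Summary)
}
```

The image check matters in practice: Scanner.Scan hands the callback the imageRef it scheduled, and a log stream that names another image (a mis-wired job, or a container that scanned its base image instead) would otherwise be written into a VulnerabilityReport for the wrong workload.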

type ReadWriter

type ReadWriter interface {
	Reader
	Writer
}

func NewControllerRuntimeReadWriter added in v0.9.0

func NewControllerRuntimeReadWriter(client client.Client) ReadWriter

NewControllerRuntimeReadWriter constructs a new ReadWriter that uses the client package provided by the controller-runtime library to interact with the Kubernetes API server.

func NewReadWriter

func NewReadWriter(clientset versioned.Interface) ReadWriter

NewReadWriter constructs a new ReadWriter that uses the client-go module to interact with the Kubernetes API server.

type Reader

type Reader interface {
	FindByOwner(context.Context, kube.Object) ([]v1alpha1.VulnerabilityReport, error)
}

Reader is the interface that wraps the basic FindByOwner method.

FindByOwner returns the slice of v1alpha1.VulnerabilityReport instances owned by the given kube.Object, or an empty slice if no reports are found.

type Scanner

type Scanner struct {
	ext.IDGenerator
	kube.SecretsReader
	// contains filtered or unexported fields
}

Scanner is a template for running static vulnerability scanners that implement the Plugin interface.

func NewScanner added in v0.8.0

func NewScanner(
	scheme *runtime.Scheme,
	clientset kubernetes.Interface,
	opts kube.ScannerOpts,
	plugin Plugin,
) *Scanner

NewScanner constructs a new static vulnerability Scanner with the specified Plugin. The Plugin knows how to perform the actual scanning, which is done by running a Kubernetes job, and how to convert the job's logs to instances of v1alpha1.VulnerabilityReport.

func (*Scanner) Scan added in v0.8.0

func (s *Scanner) Scan(ctx context.Context, workload kube.Object) ([]v1alpha1.VulnerabilityReport, error)

Scan creates a Kubernetes job to scan the specified workload. The pod created by the scan job has a template contributed by the Plugin. Scan is a blocking method that watches the status of the job until it succeeds or fails. When the job succeeds, Scan parses the container logs and converts the output to instances of v1alpha1.VulnerabilityReport, delegating that transformation logic to the Plugin as well.

type Writer

type Writer interface {
	Write(context.Context, []v1alpha1.VulnerabilityReport) error
}

Writer is the interface that wraps the basic Write method.

Write creates or updates the given slice of v1alpha1.VulnerabilityReport instances.
