package commands
import (
"context"
"errors"
"github.com/spf13/viper"
"golang.org/x/xerrors"
k8sArtifacts "github.com/aquasecurity/trivy-kubernetes/pkg/artifacts"
"github.com/aquasecurity/trivy-kubernetes/pkg/k8s"
cmd "github.com/aquasecurity/trivy/pkg/commands/artifact"
"github.com/aquasecurity/trivy/pkg/commands/operation"
cr "github.com/aquasecurity/trivy/pkg/compliance/report"
"github.com/aquasecurity/trivy/pkg/flag"
k8sRep "github.com/aquasecurity/trivy/pkg/k8s"
"github.com/aquasecurity/trivy/pkg/k8s/report"
"github.com/aquasecurity/trivy/pkg/k8s/scanner"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/types"
)
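// Run runs a k8s scan against the cluster selected by opts (and, when
// present, the kube context given as args[0]). The whole scan is bounded by
// opts.Timeout; the error returned is either the cluster lookup error or
// whatever clusterRun returns.
//
// The result is named so the deferred hint can inspect the error that is
// actually returned. With a plain local, err would still hold the nil from
// GetCluster when the defer runs and the timeout hint would never be logged.
func Run(ctx context.Context, args []string, opts flag.Options) (err error) {
	clusterOptions := []k8s.ClusterOption{
		k8s.WithKubeConfig(opts.K8sOptions.KubeConfig),
		k8s.WithBurst(opts.K8sOptions.Burst),
		k8s.WithQPS(opts.K8sOptions.QPS),
	}
	// The first positional argument, when given, selects the kube context.
	if len(args) > 0 {
		clusterOptions = append(clusterOptions, k8s.WithContext(args[0]))
	}

	cluster, err := k8s.GetCluster(clusterOptions...)
	if err != nil {
		return xerrors.Errorf("failed getting k8s cluster: %w", err)
	}

	ctx, cancel := context.WithTimeout(ctx, opts.Timeout)
	defer func() {
		cancel()
		// Only meaningful if clusterRun wraps the context error with %w.
		if errors.Is(err, context.DeadlineExceeded) {
			log.WarnContext(ctx, "Increase --timeout value")
		}
	}()

	opts.K8sVersion = cluster.GetClusterVersion()
	return clusterRun(ctx, opts, cluster)
}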
// runner bundles the state shared by one k8s scan: the CLI options and the
// cluster identifier. Field order matters because newRunner builds it with a
// positional literal.
type runner struct {
	flagOpts flag.Options // options read by cmd.NewRunner, the scanner and the report writers
	cluster  string       // cluster identifier handed to scanner.NewScanner
}
// newRunner returns a runner for the given options and cluster identifier.
func newRunner(flagOpts flag.Options, cluster string) *runner {
	r := &runner{
		flagOpts: flagOpts,
		cluster:  cluster,
	}
	return r
}
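// run scans the given k8s artifacts and writes the result in the configured
// format. When a compliance spec is selected the scanner set is taken from
// that spec and a compliance report is written instead of the regular k8s
// report. It returns nil when the artifact runner asks to skip the scan, an
// error for any init/scan/output failure, and otherwise the result of
// operation.Exit, which encodes the "findings present" exit code.
func (r *runner) run(ctx context.Context, artifacts []*k8sArtifacts.Artifact) error {
	runner, err := cmd.NewRunner(ctx, r.flagOpts)
	if err != nil {
		if errors.Is(err, cmd.SkipScan) {
			return nil
		}
		return xerrors.Errorf("init error: %w", err)
	}
	defer func() {
		// log is slog-style: attributes, not printf verbs, so the error goes
		// in as an attribute rather than a "%s" placeholder.
		if err := runner.Close(ctx); err != nil {
			log.ErrorContext(ctx, "failed to close runner", log.Err(err))
		}
	}()

	// Derive the scanner set from the compliance spec before the scanner is
	// built: NewScanner receives r.flagOpts by value, so an assignment made
	// after construction would not reach it.
	if r.flagOpts.Compliance.Spec.ID != "" {
		scanners, err := r.flagOpts.Compliance.Scanners()
		if err != nil {
			return xerrors.Errorf("scanner error: %w", err)
		}
		r.flagOpts.ScanOptions.Scanners = scanners
	}
	s := scanner.NewScanner(r.cluster, runner, r.flagOpts)

	rpt, err := s.Scan(ctx, artifacts)
	if err != nil {
		return xerrors.Errorf("k8s scan error: %w", err)
	}

	output, cleanup, err := r.flagOpts.OutputWriter(ctx)
	if err != nil {
		return xerrors.Errorf("failed to create output file: %w", err)
	}
	defer cleanup()

	if r.flagOpts.Compliance.Spec.ID != "" {
		scanResults := make([]types.Results, 0, len(rpt.Resources))
		for _, rss := range rpt.Resources {
			scanResults = append(scanResults, rss.Results)
		}
		complianceReport, err := cr.BuildComplianceReport(scanResults, r.flagOpts.Compliance)
		if err != nil {
			return xerrors.Errorf("compliance report build error: %w", err)
		}
		return cr.Write(ctx, complianceReport, cr.Option{
			Format: r.flagOpts.Format,
			Report: r.flagOpts.ReportFormat,
			Output: output,
		})
	}

	if err := k8sRep.Write(ctx, rpt, report.Option{
		Format:     r.flagOpts.Format,
		Report:     r.flagOpts.ReportFormat,
		Output:     output,
		Severities: r.flagOpts.Severities,
		Scanners:   r.flagOpts.ScanOptions.Scanners,
		APIVersion: r.flagOpts.AppVersion,
	}); err != nil {
		return xerrors.Errorf("unable to write results: %w", err)
	}

	// Exit translates "any failed resource" into the configured exit code.
	return operation.Exit(r.flagOpts, rpt.Failed(), types.Metadata{})
}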
// validateReportArguments rejects the one combination that would flood the
// user's terminal: full-cluster scanning with "--format table" while
// "--report" was left at its default of "all". To get every result in table
// form the user has to pass "--report all" explicitly, even though that is
// already the default value.
//
// e.g.
// $ trivy k8s --report all cluster
// $ trivy k8s --report all all
//
// "--format json" is accepted with the implicit "--report all".
//
// e.g. $ trivy k8s --format json cluster // All the results are shown in JSON
//
// Single resource scanning is accepted with the implicit "--report all".
//
// e.g. $ trivy k8s pod myapp
//
// Whether "--report" was set explicitly is read from viper, not from opts.
func validateReportArguments(opts flag.Options) error {
	// Guard clauses in the same short-circuit order as the original check:
	// viper is only consulted when the report format is "all".
	if opts.ReportFormat != "all" {
		return nil
	}
	if viper.IsSet("report") {
		return nil
	}
	if opts.Format != "table" {
		return nil
	}
	return xerrors.New("All the results in the table format can mess up your terminal. Use \"--report all\" to tell Trivy to output it to your terminal anyway, or consider \"--report summary\" to show the summary output.")
}