Docker Image
Pulls Docker images from container registries for compile pipeline scanning of source code, binaries, and configuration.
Only downloads images when their SHA256 hash differs from previously scanned symbol files.
Docker CLI
Requires docker CLI for authentication and export. Install locally or use the compiler Docker image.
Executed CLI commands:
```bash
# check the docker cli client is available
docker version
# check whether target image exists and its hash has not already been scanned
docker manifest inspect <image>
# create the container locally
docker create <image>
# export the container to a .tar file
docker export --output <temp-file-to-scan.tar> <containerID>
# stop the container and remove the image from disk
docker stop <containerID>
docker rmi -f <image>
```
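The command sequence above as a runnable sketch, added here as an example and not taken from log10x: it logs in through --password-stdin, skips images whose manifest hash was already recorded, and cleans up after the export. DOCKER, STATE_DIR, REMOVE and the function names are assumptions, as is hashing the `docker manifest inspect` output (the page does not say how the module derives its hash).

```bash
# Added example, not log10x code. Written to run under sh or bash.
set -eu

DOCKER="${DOCKER:-docker}"            # path to the docker CLI (the 'command' option)
STATE_DIR="${STATE_DIR:-./scanned}"   # hypothetical record of manifest hashes already scanned

# Log in to registry $1 only when DOCKER_USERNAME is set. The token is piped to
# --password-stdin, so it never appears in the process argument list.
registry_login() {
  [ -n "${DOCKER_USERNAME:-}" ] || return 0
  : "${DOCKER_TOKEN:?DOCKER_TOKEN is not set}"   # fail closed on a missing token
  printf '%s' "$DOCKER_TOKEN" |
    "$DOCKER" login --username "$DOCKER_USERNAME" --password-stdin "$1" >/dev/null
}

# SHA256 of the registry manifest, fetched without pulling any layers.
manifest_sha256() {
  local manifest
  manifest=$("$DOCKER" manifest inspect "$1") || return 1
  printf '%s' "$manifest" | sha256sum | cut -d' ' -f1
}

# Export image $1 to tar file $2 unless this manifest was scanned before.
# Prints "skipped" or "exported".
export_if_new() {
  local image="$1" out="$2" hash cid
  hash=$(manifest_sha256 "$image") || return 1
  if [ -e "$STATE_DIR/$hash" ]; then
    echo skipped
    return 0
  fi
  cid=$("$DOCKER" create "$image")
  if ! "$DOCKER" export --output "$out" "$cid"; then
    "$DOCKER" rm "$cid" >/dev/null     # do not leave the scratch container behind
    return 1
  fi
  "$DOCKER" rm "$cid" >/dev/null       # a created container never ran, so remove it
  if [ "${REMOVE:-true}" = true ]; then
    "$DOCKER" rmi -f "$image" >/dev/null
  fi
  mkdir -p "$STATE_DIR"
  printf '%s\n' "$image" > "$STATE_DIR/$hash"
  echo exported
}
# Usage: registry_login docker.io && export_if_new docker.io/grafana/grafana:11.1.0 /tmp/scan.tar
```

The hash is recorded only after a successful export, so a failed run is retried on the next pass.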
Configuration
To configure the Docker image module, edit these settings.
Below is the default configuration from: docker/config.yaml (* Required Fields).
```yaml
# 🔟❎ 'compile' Docker configuration

# Pull docker images files using the Docker CLI client from container registries to
# scan for symbol values. To learn more see https://doc.log10x.com/compile/pull/docker

# Set the 10x pipeline to 'compile'
tenx: compile

# ============================= Docker Options ================================

docker:

  # 'username' specifies the user name for authenticating the docker client.
  #  If not set, the docker client is assumed to be pre-authenticated.
  #  To learn more see https://docs.docker.com/reference/cli/docker/login/#username
  username: $=TenXEnv.get("DOCKER_USERNAME") # (❗ EnvVar REQUIRED)

  # 'password' specifies the password argument for authenticating the docker client login command.
  #  This value is written into the docker client's std input via the --password-stdin argument.
  #  To learn more see https://docs.docker.com/reference/cli/docker/login/#password-stdin.
  password: $=TenXEnv.get("DOCKER_TOKEN") # (❗ EnvVar REQUIRED)

  # 'command' specifies the location of docker cli https://docs.docker.com/reference/cli/docker/ program
  #command: $=TenXString.includes(TenXEnv.get("os.name"), "Windows") ? "C:/Program Files/Docker/Docker/resources/bin/docker.exe":"/usr/local/bin/docker"

  # 'images' specify images to pull and export to matching .tar files to scan
  images: [
    # docker.io/grafana/grafana:11.1.0
  ]

  # 'remove' specifies whether to remove exported images once their contents are extracted.
  #  To learn more see https://docs.docker.com/reference/cli/docker/image/rm
  remove: false

  # 'githubRepoToken' defines an access token for pulling Github repos referenced
  #  by a target image's 'org.opencontainers.image.source' property.
  githubRepoToken: $=TenXEnv.get("GH_TOKEN") # (❗ EnvVar REQUIRED)
```
Options
Specify the options below to configure the Docker image:
| Name | Description |
|---|---|
| dockerImages | Docker image files to pull |
| dockerUsername | Docker user name |
| dockerPassword | Docker password |
| dockerRemove | Remove image after scan |
| dockerGithubRepoToken | GitHub API token for pulling image source code repositories |
| dockerCommand | Path to docker command |
dockerImages
Docker image files to pull.
| Type | Default |
|---|---|
| List | [] |
Specifies the URLs for the remote Docker images to pull in the form of: <container-repository>/<image>/<version>.
For example: docker.io/grafana/grafana:11.1.0
dockerUsername
Docker user name.
| Type | Default |
|---|---|
| String | "" |
Specifies the user name for authenticating the docker client. If this value is not set, the docker client is assumed to be pre-authenticated.
This value should be set via an environment variable, as the default configuration does with DOCKER_USERNAME.
dockerPassword
Docker password.
| Type | Default |
|---|---|
| String | "" |
Specifies the password for authenticating the docker client in conjunction with dockerUsername.
This value is written into the docker client's standard input via the login command's --password-stdin argument.
This value should be set via an environment variable, as the default configuration does with DOCKER_TOKEN.
dockerRemove
Remove image after scan.
| Type | Default |
|---|---|
| Boolean | true |
Specifies whether to remove dockerImages using docker rmi -f.
dockerGithubRepoToken
GitHub API token for pulling image source code repositories.
| Type | Default |
|---|---|
| String | "" |
Defines an access token for pulling GitHub repos referenced by a target image's org.opencontainers.image.source property.
If this property is not available within the image manifest,
an attempt is made to infer a valid GitHub repo name from the image name.
For example, for the target image name: docker.io/grafana/grafana:11.1.0, the grafana/grafana GitHub repo is inferred.
If an API token is not specified, GitHub repos referenced within image manifests or inferred from image names are not pulled. To learn more see GitHub tokens.
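One way to implement the lookup described above, as an added example rather than log10x's own code: the org.opencontainers.image.source value is trusted only when it is an https://github.com/ URL, and the image name is the fallback. All function names are hypothetical, and returning no repo for bare names, extra path segments and Docker Hub library/ images is an assumption of this sketch.

```bash
# Added example, not log10x code. Written to run under sh or bash.

# Accept only "owner/repo" built from characters GitHub allows in names.
valid_slug() {
  case "$1" in
    ""|*[!A-Za-z0-9._/-]*|/*|*/|*/*/*) return 1 ;;
    */*) printf '%s\n' "$1" ;;
    *) return 1 ;;
  esac
}

# org.opencontainers.image.source -> owner/repo, for https://github.com/ URLs only.
# Look-alike hosts such as github.com.example fail the prefix match.
repo_from_source_label() {
  local slug
  case "$1" in
    https://github.com/*) ;;
    *) return 1 ;;
  esac
  slug="${1#https://github.com/}"
  slug="${slug%/}"
  valid_slug "${slug%.git}"
}

# Image reference -> owner/repo, or failure when the name cannot identify a repo.
repo_from_image_name() {
  local ref first
  ref="${1%%@*}"                                       # drop @sha256:<digest>
  case "${ref##*/}" in *:*) ref="${ref%:*}" ;; esac    # drop :tag, keep a registry :port
  first="${ref%%/*}"
  if [ "$first" != "$ref" ]; then
    # a first segment containing '.' or ':' (or 'localhost') is a registry host
    case "$first" in *.*|*:*|localhost) ref="${ref#*/}" ;; esac
  fi
  case "$ref" in library/*) return 1 ;; esac           # official images: no owner to infer
  valid_slug "$ref"
}

# Prefer the explicit label; fall back to the image name.
# $1 = label value (may be empty), $2 = image reference
resolve_github_repo() {
  repo_from_source_label "$1" || repo_from_image_name "$2"
}

resolve_github_repo "" "docker.io/grafana/grafana:11.1.0"   # prints grafana/grafana
```

An inferred name is a guess about ownership, so a token passed here is best limited to read-only access on the repos you expect to scan.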
dockerCommand
Path to docker command.
| Type | Default |
|---|---|
| String | *NIX: /usr/local/bin/docker, Win: C:/Program Files/Docker/Docker/resources/bin/docker.exe |
Defines the path to the docker program used for pulling and exporting images.
This module is defined in docker/module.yaml.