From b68ff92da2e7d6c9fc908b45b375230fa9613833 Mon Sep 17 00:00:00 2001 From: Tomoya Amachi Date: Fri, 10 Sep 2021 10:06:41 +0900 Subject: [PATCH] add options: accept-key (#149) --- cmd/dockle/main.go | 5 +++++ pkg/assessor/manifest/manifest.go | 8 +++++++- pkg/run.go | 4 +++- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/cmd/dockle/main.go b/cmd/dockle/main.go index 1a1b71c..cbd95bc 100644 --- a/cmd/dockle/main.go +++ b/cmd/dockle/main.go @@ -46,6 +46,11 @@ OPTIONS: Name: "ignore, i", Usage: "checkpoints to ignore. You can use .dockleignore too.", }, + cli.StringSliceFlag{ + Name: "accept-key, a", + EnvVar: "ACCEPT_KEY", + Usage: "For CIS-DI-0010. You can add acceptable keywords. e.g) -a GPG_KEY -a KEYCLOAK", + }, cli.StringFlag{ Name: "format, f", Value: "", diff --git a/pkg/assessor/manifest/manifest.go b/pkg/assessor/manifest/manifest.go index 56183ec..3f283e7 100644 --- a/pkg/assessor/manifest/manifest.go +++ b/pkg/assessor/manifest/manifest.go @@ -41,6 +41,12 @@ func (a ManifestAssessor) Assess(fileMap deckodertypes.FileMap) (assesses []*typ return checkAssessments(d) } +func AddAcceptanceKeys(keys []string) { + for _, key := range keys { + acceptanceEnvKey[key] = struct{}{} + } +} + func checkAssessments(img types.Image) (assesses []*types.Assessment, err error) { if img.Config.User == "" || img.Config.User == "root" { assesses = append(assesses, &types.Assessment{ @@ -61,7 +67,7 @@ func checkAssessments(img types.Image) (assesses []*types.Assessment, err error) assesses = append(assesses, &types.Assessment{ Code: types.AvoidCredential, Filename: ConfigFileName, - Desc: fmt.Sprintf("Suspicious ENV key found : %s", envKey), + Desc: fmt.Sprintf("Suspicious ENV key found : %s (You can suppress it with --accept-key)", envKey), }) } } diff --git a/pkg/run.go b/pkg/run.go index d2469e2..c4c6dcc 100644 --- a/pkg/run.go +++ b/pkg/run.go @@ -4,6 +4,7 @@ import ( "context" "errors" "fmt" + "github.com/goodwithtech/dockle/pkg/assessor/manifest" l "log" "os" "strings" @@ -72,8 +73,9 @@ func Run(c *cli.Context) (err error) { return fmt.Errorf("invalid image: %w", err) } } - log.Logger.Debug("Start assessments...") + manifest.AddAcceptanceKeys(c.StringSlice("accept-key")) + log.Logger.Debug("Start assessments...") assessments, err := scanner.ScanImage(ctx, imageName, filePath, dockerOption) if err != nil { if errors.Is(err, context.DeadlineExceeded) {