feat: add virtual machine scan command (#2910)

Co-authored-by: knqyf263 <knqyf263@gmail.com>
2025-12-22 07:10:41 -08:00 · 2022-11-27 18:45:00 +09:00
parent 531eaa8f06
commit 22d92e4ad6
56 changed files with 2436 additions and 144 deletions
--- a/pkg/commands/app.go
+++ b/pkg/commands/app.go
@@ -87,6 +87,7 @@ func NewApp(version string) *cobra.Command {
 		NewSBOMCommand(globalFlags),
 		NewVersionCommand(globalFlags),
 		NewAWSCommand(globalFlags),
+		NewVMCommand(globalFlags),
 	)
 	rootCmd.AddCommand(loadPluginCommands()...)

@@ -824,7 +825,7 @@ func NewAWSCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 		Use:     "aws [flags]",
 		Aliases: []string{},
 		Args:    cobra.ExactArgs(0),
-		Short:   "scan aws account",
+		Short:   "[EXPERIMENTAL] Scan AWS account",
 		Long: fmt.Sprintf(`Scan an AWS account for misconfigurations. Trivy uses the same authentication methods as the AWS CLI. See https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html

 The following services are supported:
@@ -869,6 +870,62 @@ The following services are supported:
 	return cmd
 }

+func NewVMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
+	reportFlagGroup := flag.NewReportFlagGroup()
+	reportFlagGroup.ReportFormat = nil // TODO: support --report summary
+
+	vmFlags := &flag.Flags{
+		CacheFlagGroup:         flag.NewCacheFlagGroup(),
+		DBFlagGroup:            flag.NewDBFlagGroup(),
+		LicenseFlagGroup:       flag.NewLicenseFlagGroup(),
+		MisconfFlagGroup:       flag.NewMisconfFlagGroup(),
+		RemoteFlagGroup:        flag.NewClientFlags(), // for client/server mode
+		ReportFlagGroup:        reportFlagGroup,
+		ScanFlagGroup:          flag.NewScanFlagGroup(),
+		SecretFlagGroup:        flag.NewSecretFlagGroup(),
+		VulnerabilityFlagGroup: flag.NewVulnerabilityFlagGroup(),
+	}
+
+	cmd := &cobra.Command{
+		Use:     "vm [flags] VM_IMAGE",
+		Aliases: []string{},
+		Short:   "[EXPERIMENTAL] Scan a virtual machine image",
+		Example: `  # Scan your AWS AMI
+  $ trivy vm --security-checks vuln ami:${your_ami_id}
+
+  # Scan your AWS EBS snapshot
+  $ trivy vm ebs:${your_ebs_snapshot_id}
+`,
+		PreRunE: func(cmd *cobra.Command, args []string) error {
+			if err := vmFlags.Bind(cmd); err != nil {
+				return xerrors.Errorf("flag bind error: %w", err)
+			}
+			return validateArgs(cmd, args)
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if err := vmFlags.Bind(cmd); err != nil {
+				return xerrors.Errorf("flag bind error: %w", err)
+			}
+			options, err := vmFlags.ToOptions(cmd.Version, args, globalFlags, outputWriter)
+			if err != nil {
+				return xerrors.Errorf("flag error: %w", err)
+			}
+			if options.Timeout < time.Minute*30 {
+				options.Timeout = time.Minute * 30
+				log.Logger.Debug("Timeout is set to less than 30 min - upgrading to 30 min for this command.")
+			}
+			return artifact.Run(cmd.Context(), options, artifact.TargetVM)
+		},
+		SilenceErrors: true,
+		SilenceUsage:  true,
+	}
+	cmd.SetFlagErrorFunc(flagErrorFunc)
+	vmFlags.AddFlags(cmd)
+	cmd.SetUsageTemplate(fmt.Sprintf(usageTemplate, vmFlags.Usages(cmd)))
+
+	return cmd
+}
+
 func NewSBOMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 	reportFlagGroup := flag.NewReportFlagGroup()
 	reportFlagGroup.DependencyTree = nil // disable '--dependency-tree'