feat(image): add support for Docker CIS Benchmark (#3496)

Co-authored-by: chenk <hen.keinan@gmail.com>
2025-12-23 07:29:00 -08:00 · 2023-01-31 07:31:59 +02:00
parent 6eec9ac0a4
commit cb5af0b33b
18 changed files with 253 additions and 155 deletions
--- a/pkg/commands/artifact/run.go
+++ b/pkg/commands/artifact/run.go
@@ -288,6 +288,8 @@ func (r *runner) Report(opts flag.Options, report types.Report) error {
 		OutputTemplate:     opts.Template,
 		IncludeNonFailures: opts.IncludeNonFailures,
 		Trace:              opts.Trace,
+		Report:             opts.ReportFormat,
+		Compliance:         opts.Compliance,
 	}); err != nil {
 		return xerrors.Errorf("unable to write results: %w", err)
 	}
@@ -365,7 +367,7 @@ func Run(ctx context.Context, opts flag.Options, targetKind TargetKind) (err err
 	defer cancel()

 	defer func() {
-		if xerrors.Is(err, context.DeadlineExceeded) {
+		if errors.Is(err, context.DeadlineExceeded) {
 			log.Logger.Warn("Increase --timeout value")
 		}
 	}()
@@ -476,6 +478,22 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 		target = opts.Input
 	}

+	if opts.Compliance.Spec.ID != "" {
+		// set scanners types by spec
+		scanners, err := opts.Compliance.Scanners()
+		if err != nil {
+			return ScannerConfig{}, types.ScanOptions{}, xerrors.Errorf("scanner error: %w", err)
+		}
+
+		opts.Scanners = scanners
+		opts.ImageConfigScanners = nil
+		// TODO: define image-config-scanners in the spec
+		if opts.Compliance.Spec.ID == "docker-cis" {
+			opts.Scanners = nil
+			opts.ImageConfigScanners = scanners
+		}
+	}
+
 	scanOptions := types.ScanOptions{
 		VulnType:            opts.VulnType,
 		Scanners:            opts.Scanners,