disco
Utility for bulk image, license, and vulnerability discovery in containerize workloads on GCP.
Note: this is a personal project, not an official Google product.
Features:
- Discover currently deployed container images
- multiple project and region report with filters
- deployed image to digest resolution
- Report on vulnerabilities or licenses in these images
- supports operating system and package-level scans
Why
It's easy to end up with a large number of services across many GCP projects and regions. Google Container Analysis service can scan your Artifact Registry images for vulnerabilities, but currently it only covers base OS, and it's not always easy to know which of these images are actually running in Cloud Run. Cloud Run also supports multiple revisions, each potentially using different version of an image, or even different image all together.
disco
provides an easy way of disco
vering which of these container images are currently deployed and are being used in Cloud Run. It extracts the digests (even if the revision is using only a tag (e.g. v1.2.3
), or that misunderstood latest
.
Install
disco
CLI is available via the most common distribution methods. The full list of installation options is available on the installation page.
Usage
disco [runtime] [command] [arguments...]
You can use the
--help
flag on any level to get more information about the runtime, commands, ofdisco
itself.
The command options available for all the runtimes include:
--project
- runs only on specific project (project ID)--format
- specifies report format:json
,yaml
,raw
(json
by default)--output
- saves report to file at this path (stdout by default)
Cloud Run
To see all of the commands available for run
:
disco run --help
Images
To discover container images currently deployed in Cloud Run:
disco run images
The images
command supports all of the generic options listed above, plus:
--uri
- outputs only image uri (default: false). This is helpful when you want to pipe the resulting images to another program.
The resulting report in JSON format will look something like this (abbreviated):
[
{
"image": "https://us-docker.pkg.dev/cloudrun/container/hello@sha256:2e70803dbc92a7bffcee3af54b5d264b23a6096f304f00d63b7d1e177e40986c",
"service": "hello",
"project": "cloudy-demos",
"location": "us-central1"
},
...
]
Licenses
To discover licenses used in container images currently deployed in Cloud Run.
disco run licenses
The licenses
command supports all of the generic options listed above, plus:
--source
- path to image list file to use as source. This allows you to use the previously generated list of images (disco run img --uri -o images.txt
), instead of running through potentially lengthy discovery.--image
- specific image URI to scan
The resulting report in JSON format will look something like this (abbreviated):
[
{
"image": "us-docker.pkg.dev/cloudrun/container/hello@sha256:2e70803dbc92a7bffcee3af54b5d264b23a6096f304f00d63b7d1e177e40986c",
"licenses": [
{
"name": "GPL-2.0",
"source": "alpine-baselayout"
},
{
"name": "MPL-2.0",
"source": "ca-certificates"
},
{
"name": "MIT",
"source": "ca-certificates"
},
...
]
},
...
]
Vulnerabilities
To discover potential vulnerabilities in container images currently deployed in Cloud Run.
disco run licenses
The licenses
command supports all of the generic options listed above, plus:
--cve
- filters report on a specific CVE. This enables quick search if anything currently running is exposed to new CVE.--ca
- invokes Container Analysis API instead of the local scanner (default: false).--source
- path to image list file to use as source. This allows you to use the previously generated list of images (disco run img --uri -o images.txt
), instead of running through potentially lengthy discovery.--image
- specific image URI to scan.
The resulting report in JSON format will look something like this (abbreviated):
[
{
"image": "gcr.io/cloudy-demos/hello-broken@sha256:0900c08e7d40f9485c8497c035de07391ba3c274a1035f504f8602531b2314e6",
"vulnerabilities": [
{
"source": "CVE-2022-3715",
"severity": "LOW",
"package": "bash",
"version": "5.1-6ubuntu1",
"title": "bash: a heap-buffer-overflow in valid_parameter_transform",
"description": "A flaw was found in the bash package, where a heap-buffer overflow can occur in valid_parameter_transform. This issue may lead to memory problems.",
"url": "https://avd.aquasec.com/nvd/cve-2022-3715",
"updated": "2022-12-23T16:52:00Z"
},
...
]
},
...
]
GKE
Not yet implemented.
OSS
Disclaimer
This is my personal project and it does not represent my employer. While I do my best to ensure that everything works, I take no responsibility for issues caused by this code.