return error on image when severity threshold exceeded

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
This commit is contained in:
Matthias Bertschy
2025-08-14 14:38:59 +02:00
parent c5341a356b
commit 011fc0689d
4 changed files with 18 additions and 20 deletions


@@ -8,7 +8,6 @@ import (
"github.com/kubescape/kubescape/v3/core/cautils"
"github.com/kubescape/kubescape/v3/core/meta"
metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
"github.com/kubescape/kubescape/v3/pkg/imagescan"
"github.com/spf13/cobra"
)
@@ -60,12 +59,12 @@ func getImageCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Command
Exceptions: exceptions,
}
results, err := ks.ScanImage(imgScanInfo, scanInfo)
exceedsSeverityThreshold, err := ks.ScanImage(imgScanInfo, scanInfo)
if err != nil {
return err
}
if imagescan.ExceedsSeverityThreshold(results, imagescan.ParseSeverity(scanInfo.FailThresholdSeverity)) {
if exceedsSeverityThreshold {
shared.TerminateOnExceedingSeverity(scanInfo, logger.L())
}
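Review bot: The early `return err` on line 26 runs before the verdict on line 29 is consulted, while ScanImage (in the core package, line 76 of this commit) returns that verdict paired with the error from its results handler, so a `(true, err)` pair is possible and an image that exceeds the threshold but whose report output fails never reaches `shared.TerminateOnExceedingSeverity`. Whether that matters depends on what a non-nil error does to the command's exit status, which is not visible here. If the severity exit path must take precedence, ScanImage should settle the verdict before it reports, so the bool is only ever paired with a nil error; either way a short comment at the check, such as `// a reporting error is returned before the threshold verdict is acted on`, would make the ordering deliberate. The enclosing RunE closure starts before this hunk.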


@@ -7,7 +7,6 @@ import (
"regexp"
"strings"
"github.com/anchore/grype/grype/presenter/models"
"github.com/kubescape/go-logger"
"github.com/kubescape/kubescape/v3/core/cautils"
ksmetav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
@@ -161,14 +160,14 @@ func getUniqueVulnerabilitiesAndSeverities(policies []VulnerabilitiesIgnorePolic
return uniqueVulnsList, uniqueSeversList
}
func (ks *Kubescape) ScanImage(imgScanInfo *ksmetav1.ImageScanInfo, scanInfo *cautils.ScanInfo) (*models.PresenterConfig, error) {
func (ks *Kubescape) ScanImage(imgScanInfo *ksmetav1.ImageScanInfo, scanInfo *cautils.ScanInfo) (bool, error) {
logger.L().Start(fmt.Sprintf("Scanning image %s...", imgScanInfo.Image))
dbCfg, _ := imagescan.NewDefaultDBConfig()
svc, err := imagescan.NewScanService(dbCfg)
if err != nil {
logger.L().StopError(fmt.Sprintf("Failed to initialize image scanner: %s", err))
return nil, err
return false, err
}
defer svc.Close()
@@ -183,7 +182,7 @@ func (ks *Kubescape) ScanImage(imgScanInfo *ksmetav1.ImageScanInfo, scanInfo *ca
exceptionPolicies, err := GetImageExceptionsFromFile(imgScanInfo.Exceptions)
if err != nil {
logger.L().StopError(fmt.Sprintf("Failed to load exceptions from file: %s", imgScanInfo.Exceptions))
return nil, err
return false, err
}
vulnerabilityExceptions, severityExceptions = getUniqueVulnerabilitiesAndSeverities(exceptionPolicies, imgScanInfo.Image)
@@ -192,7 +191,7 @@ func (ks *Kubescape) ScanImage(imgScanInfo *ksmetav1.ImageScanInfo, scanInfo *ca
scanResults, err := svc.Scan(ks.Context(), imgScanInfo.Image, creds, vulnerabilityExceptions, severityExceptions)
if err != nil {
logger.L().StopError(fmt.Sprintf("Failed to scan image: %s", imgScanInfo.Image))
return nil, err
return false, err
}
logger.L().StopSuccess(fmt.Sprintf("Successfully scanned image: %s", imgScanInfo.Image))
@@ -212,5 +211,5 @@ func (ks *Kubescape) ScanImage(imgScanInfo *ksmetav1.ImageScanInfo, scanInfo *ca
},
}
return scanResults, resultsHandler.HandleResults(ks.Context(), scanInfo)
return imagescan.ExceedsSeverityThreshold(scanResults, imagescan.ParseSeverity(scanInfo.FailThresholdSeverity)), resultsHandler.HandleResults(ks.Context(), scanInfo)
}
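Review bot: Line 76 pairs the threshold verdict with the error from `resultsHandler.HandleResults`, so the function can return `(true, err)`; by Go convention the first value is meaningless when the error is non-nil, and the command caller in this commit does discard it, so the verdict is silently lost whenever report output fails. Separate the two steps: compute the verdict, return `false, err` if reporting fails, and return the verdict with a nil error otherwise, and give the method a doc comment saying what the bool means and that it is only valid when the error is nil. The commit title speaks of returning an error when the threshold is exceeded, but the new signature returns a bool, so either the message or the design should be reconciled.
```go
// … unchanged: resultsHandler construction …
exceeds := imagescan.ExceedsSeverityThreshold(scanResults, imagescan.ParseSeverity(scanInfo.FailThresholdSeverity))
if err := resultsHandler.HandleResults(ks.Context(), scanInfo); err != nil {
	return false, err
}
return exceeds, nil
```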


@@ -30,5 +30,5 @@ type IKubescape interface {
Patch(patchInfo *metav1.PatchInfo, scanInfo *cautils.ScanInfo) (*models.PresenterConfig, error)
// scan image
ScanImage(imgScanInfo *metav1.ImageScanInfo, scanInfo *cautils.ScanInfo) (*models.PresenterConfig, error)
ScanImage(imgScanInfo *metav1.ImageScanInfo, scanInfo *cautils.ScanInfo) (bool, error)
}
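Review bot: The interface comment on line 83, `// scan image`, no longer describes the contract now that ScanImage returns a bool instead of the presenter config; a caller cannot tell what true means or whether the value is valid alongside a non-nil error. Replace it with a doc comment such as `// ScanImage scans imgScanInfo.Image and reports whether the findings exceed scanInfo.FailThresholdSeverity; see the implementation for the bool's meaning when err is non-nil.` The change also removes the scan results from the public IKubescape interface, which is a breaking change for any external consumer; if that is intended, the commit message should say so.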


@@ -15,38 +15,38 @@ func (m *MockIKubescape) Context() context.Context {
return context.TODO()
}
func (m *MockIKubescape) Scan(scanInfo *cautils.ScanInfo) (*resultshandling.ResultsHandler, error) {
func (m *MockIKubescape) Scan(_ *cautils.ScanInfo) (*resultshandling.ResultsHandler, error) {
return nil, nil
}
func (m *MockIKubescape) List(listPolicies *metav1.ListPolicies) error {
func (m *MockIKubescape) List(_ *metav1.ListPolicies) error {
return nil
}
func (m *MockIKubescape) Download(downloadInfo *metav1.DownloadInfo) error {
func (m *MockIKubescape) Download(_ *metav1.DownloadInfo) error {
return nil
}
func (m *MockIKubescape) SetCachedConfig(setConfig *metav1.SetConfig) error {
func (m *MockIKubescape) SetCachedConfig(_ *metav1.SetConfig) error {
return nil
}
func (m *MockIKubescape) ViewCachedConfig(viewConfig *metav1.ViewConfig) error {
func (m *MockIKubescape) ViewCachedConfig(_ *metav1.ViewConfig) error {
return nil
}
func (m *MockIKubescape) DeleteCachedConfig(deleteConfig *metav1.DeleteConfig) error {
func (m *MockIKubescape) DeleteCachedConfig(_ *metav1.DeleteConfig) error {
return nil
}
func (m *MockIKubescape) Fix(fixInfo *metav1.FixInfo) error {
func (m *MockIKubescape) Fix(_ *metav1.FixInfo) error {
return nil
}
func (m *MockIKubescape) Patch(patchInfo *metav1.PatchInfo, scanInfo *cautils.ScanInfo) (*models.PresenterConfig, error) {
func (m *MockIKubescape) Patch(_ *metav1.PatchInfo, _ *cautils.ScanInfo) (*models.PresenterConfig, error) {
return nil, nil
}
func (m *MockIKubescape) ScanImage(imgScanInfo *metav1.ImageScanInfo, scanInfo *cautils.ScanInfo) (*models.PresenterConfig, error) {
return nil, nil
func (m *MockIKubescape) ScanImage(_ *metav1.ImageScanInfo, _ *cautils.ScanInfo) (bool, error) {
return false, nil
}