From 011fc0689deafd82faef36f1bee41264363e9796 Mon Sep 17 00:00:00 2001
From: Matthias Bertschy
Date: Thu, 14 Aug 2025 14:38:59 +0200
Subject: [PATCH] return error on image when severity threshold exceeded
Signed-off-by: Matthias Bertschy
---
 cmd/scan/image.go | 5 ++---
 core/core/image_scan.go | 11 +++++------
 core/meta/ksinterface.go | 2 +-
 core/mocks/cmd_mocks.go | 20 ++++++++++----------
 4 files changed, 18 insertions(+), 20 deletions(-)
diff --git a/cmd/scan/image.go b/cmd/scan/image.go
index 1023e598..3ccf2ad9 100644
--- a/cmd/scan/image.go
+++ b/cmd/scan/image.go
@@ -8,7 +8,6 @@ import (
 "github.com/kubescape/kubescape/v3/core/cautils"
 "github.com/kubescape/kubescape/v3/core/meta"
 metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
- "github.com/kubescape/kubescape/v3/pkg/imagescan"
 "github.com/spf13/cobra"
 )
@@ -60,12 +59,12 @@ func getImageCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Command
 Exceptions: exceptions,
 }
- results, err := ks.ScanImage(imgScanInfo, scanInfo)
+ exceedsSeverityThreshold, err := ks.ScanImage(imgScanInfo, scanInfo)
 if err != nil {
 return err
 }
- if imagescan.ExceedsSeverityThreshold(results, imagescan.ParseSeverity(scanInfo.FailThresholdSeverity)) {
+ if exceedsSeverityThreshold {
 shared.TerminateOnExceedingSeverity(scanInfo, logger.L())
 }
diff --git a/core/core/image_scan.go b/core/core/image_scan.go
index 0f2b7491..ea49bb81 100644
--- a/core/core/image_scan.go
+++ b/core/core/image_scan.go
@@ -7,7 +7,6 @@ import (
 "regexp"
 "strings"
- "github.com/anchore/grype/grype/presenter/models"
 "github.com/kubescape/go-logger"
 "github.com/kubescape/kubescape/v3/core/cautils"
 ksmetav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
@@ -161,14 +160,14 @@ func getUniqueVulnerabilitiesAndSeverities(policies []VulnerabilitiesIgnorePolic
 return uniqueVulnsList, uniqueSeversList
 }
-func (ks *Kubescape) ScanImage(imgScanInfo *ksmetav1.ImageScanInfo, scanInfo *cautils.ScanInfo) (*models.PresenterConfig, error) {
+func (ks *Kubescape) ScanImage(imgScanInfo *ksmetav1.ImageScanInfo, scanInfo *cautils.ScanInfo) (bool, error) {
 logger.L().Start(fmt.Sprintf("Scanning image %s...", imgScanInfo.Image))
 dbCfg, _ := imagescan.NewDefaultDBConfig()
 svc, err := imagescan.NewScanService(dbCfg)
 if err != nil {
 logger.L().StopError(fmt.Sprintf("Failed to initialize image scanner: %s", err))
- return nil, err
+ return false, err
 }
 defer svc.Close()
@@ -183,7 +182,7 @@ func (ks *Kubescape) ScanImage(imgScanInfo *ksmetav1.ImageScanInfo, scanInfo *ca
 exceptionPolicies, err := GetImageExceptionsFromFile(imgScanInfo.Exceptions)
 if err != nil {
 logger.L().StopError(fmt.Sprintf("Failed to load exceptions from file: %s", imgScanInfo.Exceptions))
- return nil, err
+ return false, err
 }
 vulnerabilityExceptions, severityExceptions = getUniqueVulnerabilitiesAndSeverities(exceptionPolicies, imgScanInfo.Image)
@@ -192,7 +191,7 @@ func (ks *Kubescape) ScanImage(imgScanInfo *ksmetav1.ImageScanInfo, scanInfo *ca
 scanResults, err := svc.Scan(ks.Context(), imgScanInfo.Image, creds, vulnerabilityExceptions, severityExceptions)
 if err != nil {
 logger.L().StopError(fmt.Sprintf("Failed to scan image: %s", imgScanInfo.Image))
- return nil, err
+ return false, err
 }
 logger.L().StopSuccess(fmt.Sprintf("Successfully scanned image: %s", imgScanInfo.Image))
@@ -212,5 +211,5 @@ func (ks *Kubescape) ScanImage(imgScanInfo *ksmetav1.ImageScanInfo, scanInfo *ca
 },
 }
- return scanResults, resultsHandler.HandleResults(ks.Context(), scanInfo)
+ return imagescan.ExceedsSeverityThreshold(scanResults, imagescan.ParseSeverity(scanInfo.FailThresholdSeverity)), resultsHandler.HandleResults(ks.Context(), scanInfo)
 }
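Review bot: ScanImage is an exported method whose new bool result is undocumented; the `func (ks *Kubescape) ScanImage` line changes the signature but carries no doc comment, and the matching interface hunk in core/meta/ksinterface.go keeps only `// scan image`. I would add `// ScanImage scans imgScanInfo.Image, hands the results to the results handler, and reports whether the findings exceed scanInfo.FailThresholdSeverity.` above the method and make the interface comment say the same. If ParseSeverity maps an unrecognised FailThresholdSeverity to some default level, the comment should state which one, because that decides whether a mistyped threshold silently turns the gate off. ScanImage's body continues outside this hunk.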
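Review bot: The final `return` in the last hunk folds the threshold verdict and HandleResults' error into one expression, so when writing the results fails the caller in cmd/scan/image.go takes `return err` and never reaches `TerminateOnExceedingSeverity`, even though the scan already found something above the threshold; a report-output failure thereby takes precedence over the severity gate, which presumably has its own exit status. Returning `false, err` explicitly when HandleResults fails follows the convention that a value is meaningless next to a non-nil error and makes that precedence visible in the code; if the gate is meant to win instead, the caller would have to check the bool before the error. ScanImage starts outside this hunk.
```go
	if err := resultsHandler.HandleResults(ks.Context(), scanInfo); err != nil {
		return false, err
	}
	return imagescan.ExceedsSeverityThreshold(scanResults, imagescan.ParseSeverity(scanInfo.FailThresholdSeverity)), nil
```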
diff --git a/core/meta/ksinterface.go b/core/meta/ksinterface.go
index 8b4588fe..3a365324 100644
--- a/core/meta/ksinterface.go
+++ b/core/meta/ksinterface.go
@@ -30,5 +30,5 @@ type IKubescape interface {
 Patch(patchInfo *metav1.PatchInfo, scanInfo *cautils.ScanInfo) (*models.PresenterConfig, error)
 // scan image
- ScanImage(imgScanInfo *metav1.ImageScanInfo, scanInfo *cautils.ScanInfo) (*models.PresenterConfig, error)
+ ScanImage(imgScanInfo *metav1.ImageScanInfo, scanInfo *cautils.ScanInfo) (bool, error)
 }
diff --git a/core/mocks/cmd_mocks.go b/core/mocks/cmd_mocks.go
index d31d2d5e..160a7a8e 100644
--- a/core/mocks/cmd_mocks.go
+++ b/core/mocks/cmd_mocks.go
@@ -15,38 +15,38 @@ func (m *MockIKubescape) Context() context.Context {
 return context.TODO()
 }
-func (m *MockIKubescape) Scan(scanInfo *cautils.ScanInfo) (*resultshandling.ResultsHandler, error) {
+func (m *MockIKubescape) Scan(_ *cautils.ScanInfo) (*resultshandling.ResultsHandler, error) {
 return nil, nil
 }
-func (m *MockIKubescape) List(listPolicies *metav1.ListPolicies) error {
+func (m *MockIKubescape) List(_ *metav1.ListPolicies) error {
 return nil
 }
-func (m *MockIKubescape) Download(downloadInfo *metav1.DownloadInfo) error {
+func (m *MockIKubescape) Download(_ *metav1.DownloadInfo) error {
 return nil
 }
-func (m *MockIKubescape) SetCachedConfig(setConfig *metav1.SetConfig) error {
+func (m *MockIKubescape) SetCachedConfig(_ *metav1.SetConfig) error {
 return nil
 }
-func (m *MockIKubescape) ViewCachedConfig(viewConfig *metav1.ViewConfig) error {
+func (m *MockIKubescape) ViewCachedConfig(_ *metav1.ViewConfig) error {
 return nil
 }
-func (m *MockIKubescape) DeleteCachedConfig(deleteConfig *metav1.DeleteConfig) error {
+func (m *MockIKubescape) DeleteCachedConfig(_ *metav1.DeleteConfig) error {
 return nil
 }
-func (m *MockIKubescape) Fix(fixInfo *metav1.FixInfo) error {
+func (m *MockIKubescape) Fix(_ *metav1.FixInfo) error {
 return nil
 }
-func (m *MockIKubescape) Patch(patchInfo *metav1.PatchInfo, scanInfo *cautils.ScanInfo) (*models.PresenterConfig, error) {
+func (m *MockIKubescape) Patch(_ *metav1.PatchInfo, _ *cautils.ScanInfo) (*models.PresenterConfig, error) {
 return nil, nil
 }
-func (m *MockIKubescape) ScanImage(imgScanInfo *metav1.ImageScanInfo, scanInfo *cautils.ScanInfo) (*models.PresenterConfig, error) {
- return nil, nil
+func (m *MockIKubescape) ScanImage(_ *metav1.ImageScanInfo, _ *cautils.ScanInfo) (bool, error) {
+ return false, nil
 }