aquasecurity · knqyf263 · Apr 20, 2023 · Feb 11, 2023 · Feb 13, 2023 · Feb 14, 2023
@@ -43,6 +43,7 @@ trivy image [flags] IMAGE_NAME
       --custom-headers strings         custom headers in client mode
       --db-repository string           OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
       --dependency-tree                [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+      --docker-host string             unix domain socket path to use for docker scanning
       --download-db-only               download/update vulnerability database but don't run a scan
       --download-java-db-only          download/update Java index database but don't run a scan
       --enable-modules strings         [EXPERIMENTAL] module names to enable

@@ -193,6 +193,15 @@ image:
   # Same as '--removed-pkgs'
   # Default is false
   removed-pkgs: false
+
+  # Same as '--platform'
+  # Default is empty
+  platform: 
+
+  docker:
+    # Same as '--docker-host'
+    # Default is empty
+    host: 
 ```
 
 ## Vulnerability Options

@@ -482,3 +482,9 @@ Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)
 
 </details>
 
+### Configure Docker daemon socket to connect to.
+You can configure Docker daemon socket with `DOCKER_HOST` or `--docker-host`.
+
+```shell
+$ trivy image --docker-host tcp://127.0.0.1:2375 YOUR_IMAGE
+```
@@ -760,7 +760,7 @@ func NewModuleCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 				if err != nil {
 					return xerrors.Errorf("flag error: %w", err)
 				}
-				return module.Install(cmd.Context(), opts.ModuleDir, repo, opts.Quiet, opts.Remote())
+				return module.Install(cmd.Context(), opts.ModuleDir, repo, opts.Quiet, opts.Registry())
 			},
 		},
 		&cobra.Command{

@@ -22,7 +22,7 @@ import (
 // initializeDockerScanner is for container image scanning in standalone mode
 // e.g. dockerd, container registry, podman, etc.
 func initializeDockerScanner(ctx context.Context, imageName string, artifactCache cache.ArtifactCache,
-	localArtifactCache cache.LocalArtifactCache, remoteOpt types.RemoteOptions, artifactOption artifact.Option) (
+	localArtifactCache cache.LocalArtifactCache, imageOpt types.ImageOptions, artifactOption artifact.Option) (
 	scanner.Scanner, func(), error) {
 	wire.Build(scanner.StandaloneDockerSet)
 	return scanner.Scanner{}, nil, nil
@@ -69,7 +69,7 @@ func initializeVMScanner(ctx context.Context, filePath string, artifactCache cac
 // initializeRemoteDockerScanner is for container image scanning in client/server mode
 // e.g. dockerd, container registry, podman, etc.
 func initializeRemoteDockerScanner(ctx context.Context, imageName string, artifactCache cache.ArtifactCache,
-	remoteScanOptions client.ScannerOption, remoteOpt types.RemoteOptions, artifactOption artifact.Option) (
+	remoteScanOptions client.ScannerOption, imageOpt types.ImageOptions, artifactOption artifact.Option) (
 	scanner.Scanner, func(), error) {
 	wire.Build(scanner.RemoteDockerSet)
 	return scanner.Scanner{}, nil, nil

@@ -19,6 +19,7 @@ import (
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer/config"
 	"github.com/aquasecurity/trivy/pkg/fanal/artifact"
 	"github.com/aquasecurity/trivy/pkg/fanal/cache"
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/flag"
 	"github.com/aquasecurity/trivy/pkg/javadb"
 	"github.com/aquasecurity/trivy/pkg/log"
@@ -314,7 +315,7 @@ func (r *runner) initDB(ctx context.Context, opts flag.Options) error {
 
 	// download the database file
 	noProgress := opts.Quiet || opts.NoProgress
-	if err := operation.DownloadDB(ctx, opts.AppVersion, opts.CacheDir, opts.DBRepository, noProgress, opts.SkipDBUpdate, opts.Remote()); err != nil {
+	if err := operation.DownloadDB(ctx, opts.AppVersion, opts.CacheDir, opts.DBRepository, noProgress, opts.SkipDBUpdate, opts.Registry()); err != nil {
 		return err
 	}
 
@@ -615,8 +616,6 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 		fileChecksum = true
 	}
 
-	remoteOpts := opts.Remote()
-
 	return ScannerConfig{
 		Target:             target,
 		ArtifactCache:      cacheClient,
@@ -633,18 +632,25 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 			FilePatterns:      opts.FilePatterns,
 			Offline:           opts.OfflineScan,
 			NoProgress:        opts.NoProgress || opts.Quiet,
+			Insecure:          opts.Insecure,
 			RepoBranch:        opts.RepoBranch,
 			RepoCommit:        opts.RepoCommit,
 			RepoTag:           opts.RepoTag,
 			SBOMSources:       opts.SBOMSources,
 			RekorURL:          opts.RekorURL,
 			Platform:          opts.Platform,
+			DockerHost:        opts.DockerHost,
 			Slow:              opts.Slow,
 			AWSRegion:         opts.Region,
 			FileChecksum:      fileChecksum,
 
-			// For OCI registries
-			RemoteOptions: remoteOpts,
+			// For image scanning
+			ImageOption: ftypes.ImageOptions{
+				RegistryOptions: opts.Registry(),
+				DockerOptions: ftypes.DockerOptions{
+					Host: opts.DockerHost,
+				},
+			},
 
 			// For misconfiguration scanning
 			MisconfScannerOption: configScannerOptions,

@@ -12,7 +12,7 @@ import (
 // $ trivy image alpine:3.15
 func imageStandaloneScanner(ctx context.Context, conf ScannerConfig) (scanner.Scanner, func(), error) {
 	s, cleanup, err := initializeDockerScanner(ctx, conf.Target, conf.ArtifactCache, conf.LocalArtifactCache,
-		conf.ArtifactOption.RemoteOptions, conf.ArtifactOption)
+		conf.ArtifactOption.ImageOption, conf.ArtifactOption)
 	if err != nil {
 		return scanner.Scanner{}, func() {}, xerrors.Errorf("unable to initialize a docker scanner: %w", err)
 	}
@@ -34,7 +34,7 @@ func archiveStandaloneScanner(ctx context.Context, conf ScannerConfig) (scanner.
 func imageRemoteScanner(ctx context.Context, conf ScannerConfig) (
 	scanner.Scanner, func(), error) {
 	s, cleanup, err := initializeRemoteDockerScanner(ctx, conf.Target, conf.ArtifactCache, conf.ServerOption,
-		conf.ArtifactOption.RemoteOptions, conf.ArtifactOption)
+		conf.ArtifactOption.ImageOption, conf.ArtifactOption)
 	if err != nil {
 		return scanner.Scanner{}, nil, xerrors.Errorf("unable to initialize the remote docker scanner: %w", err)
 	}

@@ -109,7 +109,7 @@ func (c Cache) ClearArtifacts() error {
 }
 
 // DownloadDB downloads the DB
-func DownloadDB(ctx context.Context, appVersion, cacheDir, dbRepository string, quiet, skipUpdate bool, opt types.RemoteOptions) error {
+func DownloadDB(ctx context.Context, appVersion, cacheDir, dbRepository string, quiet, skipUpdate bool, opt types.RegistryOptions) error {
 	mu.Lock()
 	defer mu.Unlock()
 

@@ -35,7 +35,7 @@ func Run(ctx context.Context, opts flag.Options) (err error) {
 
 	// download the database file
 	if err = operation.DownloadDB(ctx, opts.AppVersion, opts.CacheDir, opts.DBRepository,
-		true, opts.SkipDBUpdate, opts.Remote()); err != nil {
+		true, opts.SkipDBUpdate, opts.Registry()); err != nil {
 		return err
 	}
 
@@ -58,6 +58,6 @@ func Run(ctx context.Context, opts flag.Options) (err error) {
 	m.Register()
 
 	server := rpcServer.NewServer(opts.AppVersion, opts.Listen, opts.CacheDir, opts.Token, opts.TokenHeader,
-		opts.DBRepository, opts.Remote())
+		opts.DBRepository, opts.Registry())
 	return server.ListenAndServe(cache, opts.SkipDBUpdate)
 }
@@ -25,7 +25,7 @@ const (
 // Operation defines the DB operations
 type Operation interface {
 	NeedsUpdate(cliVersion string, skip bool) (need bool, err error)
-	Download(ctx context.Context, dst string, opt types.RemoteOptions) (err error)
+	Download(ctx context.Context, dst string, opt types.RegistryOptions) (err error)
 }
 
 type options struct {
@@ -143,7 +143,7 @@ func (c *Client) isNewDB(meta metadata.Metadata) bool {
 }
 
 // Download downloads the DB file
-func (c *Client) Download(ctx context.Context, dst string, opt types.RemoteOptions) error {
+func (c *Client) Download(ctx context.Context, dst string, opt types.RegistryOptions) error {
 	// Remove the metadata file under the cache directory before downloading DB
 	if err := c.metadata.Delete(); err != nil {
 		log.Logger.Debug("no metadata file")
@@ -183,7 +183,7 @@ func (c *Client) updateDownloadedAt(dst string) error {
 	return nil
 }
 
-func (c *Client) initOCIArtifact(opt types.RemoteOptions) (*oci.Artifact, error) {
+func (c *Client) initOCIArtifact(opt types.RegistryOptions) (*oci.Artifact, error) {
 	if c.artifact != nil {
 		return c.artifact, nil
 	}

@@ -219,7 +219,7 @@ func TestClient_Download(t *testing.T) {
 			}, nil)
 
 			// Mock OCI artifact
-			opt := ftypes.RemoteOptions{
+			opt := ftypes.RegistryOptions{
 				Insecure: false,
 			}
 			art, err := oci.NewArtifact("db", true, opt, oci.WithImage(img))

@@ -18,11 +18,13 @@ type Option struct {
 	SkipDirs          []string
 	FilePatterns      []string
 	NoProgress        bool
+	Insecure          bool
 	Offline           bool
 	AppDirs           []string
 	SBOMSources       []string
 	RekorURL          string
 	Platform          string
+	DockerHost        string
 	Slow              bool // Lower CPU and memory
 	AWSRegion         string
 	FileChecksum      bool // For SPDX
@@ -32,8 +34,8 @@ type Option struct {
 	RepoCommit string
 	RepoTag    string
 
-	// For OCI registries
-	types.RemoteOptions
+	// For image scanning
+	ImageOption types.ImageOptions
 
 	MisconfScannerOption misconf.ScannerOption
 	SecretScannerOption  analyzer.SecretScannerOption

@@ -59,7 +59,7 @@ func (a Artifact) inspectOCIReferrerSBOM(ctx context.Context) (ftypes.ArtifactRe
 	}
 
 	// Fetch referrers
-	index, err := remote.Referrers(ctx, digest, a.artifactOption.RemoteOptions)
+	index, err := remote.Referrers(ctx, digest, a.artifactOption.ImageOption.RegistryOptions)
 	if err != nil {
 		return ftypes.ArtifactReference{}, xerrors.Errorf("unable to fetch referrers: %w", err)
 	}
@@ -81,7 +81,7 @@ func (a Artifact) inspectOCIReferrerSBOM(ctx context.Context) (ftypes.ArtifactRe
 func (a Artifact) parseReferrer(ctx context.Context, repo string, desc v1.Descriptor) (ftypes.ArtifactReference, error) {
 	const fileName string = "referrer.sbom"
 	repoName := fmt.Sprintf("%s@%s", repo, desc.Digest)
-	referrer, err := oci.NewArtifact(repoName, true, a.artifactOption.RemoteOptions)
+	referrer, err := oci.NewArtifact(repoName, true, a.artifactOption.ImageOption.RegistryOptions)
 	if err != nil {
 		return ftypes.ArtifactReference{}, xerrors.Errorf("OCI error: %w", err)
 	}

@@ -9,8 +9,8 @@ import (
 	"github.com/aquasecurity/trivy/pkg/fanal/types"
 )
 
-func tryDockerDaemon(imageName string, ref name.Reference) (types.Image, func(), error) {
-	img, cleanup, err := daemon.DockerImage(ref)
+func tryDockerDaemon(imageName string, ref name.Reference, opt types.DockerOptions) (types.Image, func(), error) {
+	img, cleanup, err := daemon.DockerImage(ref, opt.Host)
 	if err != nil {
 		return nil, nil, err
 	}

@@ -11,10 +11,19 @@ import (
 
 // DockerImage implements v1.Image by extending daemon.Image.
 // The caller must call cleanup() to remove a temporary file.
-func DockerImage(ref name.Reference) (Image, func(), error) {
+func DockerImage(ref name.Reference, host string) (Image, func(), error) {
 	cleanup := func() {}
 
-	c, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
+	opts := []client.Opt{
+		client.FromEnv,
+		client.WithAPIVersionNegotiation(),
+	}
+	if host != "" {
+		// adding host parameter to the last assuming it will pick up more preference
+		opts = append(opts, client.WithHost(host))
+	}
+	c, err := client.NewClientWithOpts(opts...)
+
 	if err != nil {
 		return nil, cleanup, xerrors.Errorf("failed to initialize a docker client: %w", err)
 	}

@@ -40,7 +40,7 @@ func TestDockerImage(t *testing.T) {
 			ref, err := name.ParseReference(tt.imageName)
 			require.NoError(t, err)
 
-			_, cleanup, err := DockerImage(ref)
+			_, cleanup, err := DockerImage(ref, "")
 			assert.Equal(t, tt.wantErr, err != nil, err)
 			defer func() {
 				if cleanup != nil {