feat(image): custom docker host option

pkg/commands/artifact/run.go

@@ -531,6 +531,7 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 		ImageConfigScanners: opts.ImageConfigScanners, // this is valid only for 'image' subcommand
 		ScanRemovedPackages: opts.ScanRemovedPkgs,     // this is valid only for 'image' subcommand
 		Platform:            opts.Platform,            // this is valid only for 'image' subcommand
+		DockerHost:          opts.DockerHost,          // this is valid only for 'image' subcommand
 		ListAllPackages:     opts.ListAllPkgs,
 		LicenseCategories:   opts.LicenseCategories,
 		FilePatterns:        opts.FilePatterns,
@@ -617,6 +618,7 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 			SBOMSources:       opts.SBOMSources,
 			RekorURL:          opts.RekorURL,
 			Platform:          opts.Platform,
+			DockerHost:        opts.DockerHost,
 			Slow:              opts.Slow,
 			AWSRegion:         opts.Region,
 

pkg/commands/artifact/scanner.go

@@ -12,12 +12,22 @@ import (
 // imageStandaloneScanner initializes a container image scanner in standalone mode
 // $ trivy image alpine:3.15
 func imageStandaloneScanner(ctx context.Context, conf ScannerConfig) (scanner.Scanner, func(), error) {
-	dockerOpt, err := types.GetDockerOption(conf.ArtifactOption.InsecureSkipTLS, conf.ArtifactOption.Platform)
+	dockerOpt, err := types.GetDockerOption(
+		conf.ArtifactOption.InsecureSkipTLS,
+		conf.ArtifactOption.Platform,
+		conf.ArtifactOption.DockerHost,
+	)
 	if err != nil {
 		return scanner.Scanner{}, nil, err
 	}
-	s, cleanup, err := initializeDockerScanner(ctx, conf.Target, conf.ArtifactCache, conf.LocalArtifactCache,
-		dockerOpt, conf.ArtifactOption)
+	s, cleanup, err := initializeDockerScanner(
+		ctx,
+		conf.Target,
+		conf.ArtifactCache,
+		conf.LocalArtifactCache,
+		dockerOpt,
+		conf.ArtifactOption,
+	)
 	if err != nil {
 		return scanner.Scanner{}, func() {}, xerrors.Errorf("unable to initialize a docker scanner: %w", err)
 	}
@@ -39,7 +49,7 @@ func archiveStandaloneScanner(ctx context.Context, conf ScannerConfig) (scanner.
 func imageRemoteScanner(ctx context.Context, conf ScannerConfig) (
 	scanner.Scanner, func(), error) {
 	// Scan an image in Docker Engine, Docker Registry, etc.
-	dockerOpt, err := types.GetDockerOption(conf.ArtifactOption.InsecureSkipTLS, conf.ArtifactOption.Platform)
+	dockerOpt, err := types.GetDockerOption(conf.ArtifactOption.InsecureSkipTLS, conf.ArtifactOption.Platform, "")
 	if err != nil {
 		return scanner.Scanner{}, nil, err
 	}

pkg/fanal/artifact/artifact.go

@@ -26,6 +26,7 @@ type Option struct {
 	SBOMSources       []string
 	RekorURL          string
 	Platform          string
+	DockerHost        string
 	Slow              bool // Lower CPU and memory
 	AWSRegion         string
 

pkg/fanal/image/daemon.go

@@ -9,8 +9,8 @@ import (
 	"github.com/aquasecurity/trivy/pkg/fanal/types"
 )
 
-func tryDockerDaemon(imageName string, ref name.Reference) (types.Image, func(), error) {
-	img, cleanup, err := daemon.DockerImage(ref)
+func tryDockerDaemon(imageName string, ref name.Reference, opt types.DockerOption) (types.Image, func(), error) {
+	img, cleanup, err := daemon.DockerImage(ref, opt.DockerHost)
 	if err != nil {
 		return nil, nil, err
 	}

pkg/fanal/image/daemon/docker.go

@@ -11,10 +11,16 @@ import (
 
 // DockerImage implements v1.Image by extending daemon.Image.
 // The caller must call cleanup() to remove a temporary file.
-func DockerImage(ref name.Reference) (Image, func(), error) {
+func DockerImage(ref name.Reference, host string) (Image, func(), error) {
 	cleanup := func() {}
 
-	c, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
+	opts := []client.Opt{client.FromEnv, client.WithAPIVersionNegotiation()}
+	if host != "" {
+		// adding host parameter to the last assuming it will pickup more preference
+		opts = append(opts, client.WithHost(host))
+	}
+	c, err := client.NewClientWithOpts(opts...)
+
 	if err != nil {
 		return nil, cleanup, xerrors.Errorf("failed to initialize a docker client: %w", err)
 	}

pkg/fanal/image/daemon/docker_test.go

@@ -40,7 +40,7 @@ func TestDockerImage(t *testing.T) {
 			ref, err := name.ParseReference(tt.imageName)
 			require.NoError(t, err)
 
-			_, cleanup, err := DockerImage(ref)
+			_, cleanup, err := DockerImage(ref, "")
 			assert.Equal(t, tt.wantErr, err != nil, err)
 			defer func() {
 				if cleanup != nil {

pkg/fanal/image/daemon/image_test.go

@@ -4,6 +4,8 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
+	"path/filepath"
+	"runtime"
 	"testing"
 	"time"
 
@@ -17,18 +19,19 @@ import (
 	"github.com/aquasecurity/testdocker/engine"
 )
 
-func TestMain(m *testing.M) {
-	imagePaths := map[string]string{
-		"alpine:3.10":            "../../test/testdata/alpine-310.tar.gz",
-		"alpine:3.11":            "../../test/testdata/alpine-311.tar.gz",
-		"gcr.io/distroless/base": "../../test/testdata/distroless.tar.gz",
-	}
+var imagePaths = map[string]string{
+	"alpine:3.10":            "../../test/testdata/alpine-310.tar.gz",
+	"alpine:3.11":            "../../test/testdata/alpine-311.tar.gz",
+	"gcr.io/distroless/base": "../../test/testdata/distroless.tar.gz",
+}
 
-	// for Docker
-	opt := engine.Option{
-		APIVersion: "1.38",
-		ImagePaths: imagePaths,
-	}
+// for Docker
+var opt = engine.Option{
+	APIVersion: "1.38",
+	ImagePaths: imagePaths,
+}
+
+func TestMain(m *testing.M) {
 	te := engine.NewDockerEngine(opt)
 	defer te.Close()
 
@@ -59,7 +62,7 @@ func Test_image_ConfigName(t *testing.T) {
 			ref, err := name.ParseReference(tt.imageName)
 			require.NoError(t, err)
 
-			img, cleanup, err := DockerImage(ref)
+			img, cleanup, err := DockerImage(ref, "")
 			require.NoError(t, err)
 			defer cleanup()
 
@@ -70,6 +73,50 @@ func Test_image_ConfigName(t *testing.T) {
 	}
 }
 
+func Test_image_ConfigNameWithCustomDockerHost(t *testing.T) {
+
+	ref, err := name.ParseReference("alpine:3.11")
+	require.NoError(t, err)
+
+	eo := engine.Option{
+		APIVersion: opt.APIVersion,
+		ImagePaths: opt.ImagePaths,
+	}
+
+	var dockerHostParam string
+
+	if runtime.GOOS != "windows" {
+		runtimeDir, err := ioutil.TempDir("", "daemon")
+		require.NoError(t, err)
+
+		dir := filepath.Join(runtimeDir, "image")
+		err = os.MkdirAll(dir, os.ModePerm)
+		require.NoError(t, err)
+
+		customDockerHost := filepath.Join(dir, "image-test-unix-socket.sock")
+		eo.UnixDomainSocket = customDockerHost
+		dockerHostParam = "unix://" + customDockerHost
+	}
+
+	te := engine.NewDockerEngine(eo)
+	defer te.Close()
+
+	if runtime.GOOS == "windows" {
+		dockerHostParam = te.Listener.Addr().Network() + "://" + te.Listener.Addr().String()
+	}
+
+	img, cleanup, err := DockerImage(ref, dockerHostParam)
+	require.NoError(t, err)
+	defer cleanup()
+
+	conf, err := img.ConfigName()
+	assert.Equal(t, v1.Hash{
+		Algorithm: "sha256",
+		Hex:       "a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
+	}, conf)
+	assert.Nil(t, err)
+}
+
 func Test_image_ConfigFile(t *testing.T) {
 	tests := []struct {
 		name      string
@@ -156,7 +203,7 @@ func Test_image_ConfigFile(t *testing.T) {
 			ref, err := name.ParseReference(tt.imageName)
 			require.NoError(t, err)
 
-			img, cleanup, err := DockerImage(ref)
+			img, cleanup, err := DockerImage(ref, "")
 			require.NoError(t, err)
 			defer cleanup()
 
@@ -201,7 +248,7 @@ func Test_image_LayerByDiffID(t *testing.T) {
 			ref, err := name.ParseReference(tt.imageName)
 			require.NoError(t, err)
 
-			img, cleanup, err := DockerImage(ref)
+			img, cleanup, err := DockerImage(ref, "")
 			require.NoError(t, err)
 			defer cleanup()
 
@@ -230,7 +277,7 @@ func Test_image_RawConfigFile(t *testing.T) {
 			ref, err := name.ParseReference(tt.imageName)
 			require.NoError(t, err)
 
-			img, cleanup, err := DockerImage(ref)
+			img, cleanup, err := DockerImage(ref, "")
 			require.NoError(t, err)
 			defer cleanup()
 

pkg/fanal/image/image.go

@@ -67,7 +67,7 @@ func NewContainerImage(ctx context.Context, imageName string, option types.Docke
 
 	// Try accessing Docker Daemon
 	if o.dockerd {
-		img, cleanup, err := tryDockerDaemon(imageName, ref)
+		img, cleanup, err := tryDockerDaemon(imageName, ref, option)
 		if err == nil {
 			// Return v1.Image if the image is found in Docker Engine
 			return img, cleanup, nil

pkg/fanal/types/docker.go

@@ -23,4 +23,7 @@ type DockerOption struct {
 
 	// Architecture
 	Platform string
+
+	// Unix domain socket path
+	DockerHost string
 }

pkg/flag/image_flags.go

@@ -36,20 +36,28 @@ var (
 		Value:      "",
 		Usage:      "set platform in the form os/arch if image is multi-platform capable",
 	}
+	DockerHostFlag = Flag{
+		Name:       "docker-host",
+		ConfigName: "image.docker-host",
+		Value:      "",
+		Usage:      "unix domain socket path to use for docker standalone scanning",
+	}
 )
 
 type ImageFlagGroup struct {
 	Input               *Flag // local image archive
 	ImageConfigScanners *Flag
 	ScanRemovedPkgs     *Flag
 	Platform            *Flag
+	DockerHost          *Flag
 }
 
 type ImageOptions struct {
 	Input               string
 	ImageConfigScanners types.Scanners
 	ScanRemovedPkgs     bool
 	Platform            string
+	DockerHost          string
 }
 
 func NewImageFlagGroup() *ImageFlagGroup {
@@ -58,6 +66,7 @@ func NewImageFlagGroup() *ImageFlagGroup {
 		ImageConfigScanners: &ImageConfigScannersFlag,
 		ScanRemovedPkgs:     &ScanRemovedPkgsFlag,
 		Platform:            &PlatformFlag,
+		DockerHost:          &DockerHostFlag,
 	}
 }
 
@@ -66,7 +75,7 @@ func (f *ImageFlagGroup) Name() string {
 }
 
 func (f *ImageFlagGroup) Flags() []*Flag {
-	return []*Flag{f.Input, f.ImageConfigScanners, f.ScanRemovedPkgs, f.Platform}
+	return []*Flag{f.Input, f.ImageConfigScanners, f.ScanRemovedPkgs, f.Platform, f.DockerHost}
 }
 
 func (f *ImageFlagGroup) ToOptions() (ImageOptions, error) {
@@ -79,5 +88,6 @@ func (f *ImageFlagGroup) ToOptions() (ImageOptions, error) {
 		ImageConfigScanners: scanners,
 		ScanRemovedPkgs:     getBool(f.ScanRemovedPkgs),
 		Platform:            getString(f.Platform),
+		DockerHost:          getString(f.DockerHost),
 	}, nil
 }

pkg/types/docker_conf.go

@@ -16,7 +16,7 @@ type DockerConfig struct {
 }
 
 // GetDockerOption returns the Docker scanning options using DockerConfig
-func GetDockerOption(insecureTlsSkip bool, Platform string) (types.DockerOption, error) {
+func GetDockerOption(insecureTlsSkip bool, Platform string, DockerHost string) (types.DockerOption, error) {
 	cfg := DockerConfig{}
 	if err := env.Parse(&cfg); err != nil {
 		return types.DockerOption{}, xerrors.Errorf("unable to parse environment variables: %w", err)
@@ -29,5 +29,6 @@ func GetDockerOption(insecureTlsSkip bool, Platform string) (types.DockerOption,
 		InsecureSkipTLSVerify: insecureTlsSkip,
 		NonSSL:                cfg.NonSSL,
 		Platform:              Platform,
+		DockerHost:            DockerHost,
 	}, nil
 }

pkg/types/scanoptions.go

@@ -14,4 +14,5 @@ type ScanOptions struct {
 	ListAllPackages     bool
 	LicenseCategories   map[types.LicenseCategory][]string
 	FilePatterns        []string
+	DockerHost          string
 }