# Available Helper Scripts
This document provides details about the helper scripts available in the project for container scanning operations.
## Overview of Scripts
The project includes several helper scripts designed to simplify container scanning operations:
| Script | Purpose | Description |
|---|---|---|
| scan-container.sh | Standard Container Scanning | Scan standard containers with shell access |
| scan-distroless-container.sh | Distroless Container Scanning | Scan distroless containers using ephemeral debug containers |
| scan-with-sidecar.sh | Sidecar Container Scanning | Scan containers using the sidecar approach |
| generate-kubeconfig.sh | Authentication | Generate a temporary kubeconfig for scanning |
| setup-minikube.sh | Environment Setup | Set up a Minikube testing environment |
## Script Details

### scan-container.sh
Purpose: Scan standard containers using the Kubernetes API approach
Usage:
Example:
Features:
- Automatic RBAC creation with minimal permissions
- Short-lived token generation
- Temporary kubeconfig configuration
- CINC Auditor scan execution
- Built-in threshold validation
- Automatic cleanup of resources
Parameters:
- `namespace`: The Kubernetes namespace where the target pod is located
- `pod-name`: The name of the pod containing the target container
- `container-name`: The name of the container to scan
- `profile-path`: Path to the InSpec profile to use for scanning
- `threshold_file` (optional): Path to a threshold file for validation
### scan-distroless-container.sh
Purpose: Scan distroless containers using ephemeral debug containers
Usage:
Example:
Features:
- Detection of distroless containers
- Creation of ephemeral debug containers
- Filesystem access through process namespace
- Chroot-based scanning
- Built-in threshold validation
- Automatic cleanup of resources
Parameters:
- `namespace`: The Kubernetes namespace where the target pod is located
- `pod-name`: The name of the pod containing the distroless container
- `container-name`: The name of the distroless container to scan
- `profile-path`: Path to the InSpec profile to use for scanning
- `threshold_file` (optional): Path to a threshold file for validation
### scan-with-sidecar.sh
Purpose: Deploy and scan containers using the sidecar approach
Usage:
Example:
Features:
- Deployment of sidecar container alongside target
- Process namespace sharing configuration
- Shared volume for result retrieval
- Built-in threshold validation
- Automatic cleanup of resources
Parameters:
- `namespace`: The Kubernetes namespace for deployment
- `pod-name`: The name to give the pod with sidecar
- `profile-path`: Path to the InSpec profile to use for scanning
- `threshold_file` (optional): Path to a threshold file for validation
### generate-kubeconfig.sh
Purpose: Generate a temporary kubeconfig file for scanning
Usage:
Example:
Features:
- Creation of service account token
- Configuration of cluster connection details
- Proper permission settings for kubeconfig file
Parameters:
- `namespace`: The Kubernetes namespace for the service account
- `service-account`: The name of the service account to use
- `output-file`: Path to write the generated kubeconfig
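The least-privilege pieces that scan-container.sh (minimal RBAC, short-lived token) and generate-kubeconfig.sh (token-bearing kubeconfig with safe file permissions) describe, as an added shell example that is not the project's own code; the Role/user/context names, the pod-scoped rule set and all sample values are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the project's scripts): the least-privilege pieces that
# scan-container.sh and generate-kubeconfig.sh describe, as shell functions.
set -euo pipefail
# Role limited to one named pod: read it and open an exec session, nothing else.
# No wildcards and no cluster scope, so a leaked token cannot reach other pods.
render_scan_role() {
  local ns="$1" pod="$2" name="${3:-inspec-scan-role}"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: ${name}, namespace: ${ns}}
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get"]
  resourceNames: ["${pod}"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]
  resourceNames: ["${pod}"]
EOF
}
# Kubeconfig carrying a bearer token, written under umask 077 so it is mode 600
# from the moment it exists (no window in which other users could read it).
write_kubeconfig() {
  local out="$1" server="$2" ca_b64="$3" ns="$4" token="$5"
  ( umask 077; cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: scan-cluster
  cluster: {server: ${server}, certificate-authority-data: ${ca_b64}}
contexts:
- name: scan
  context: {cluster: scan-cluster, user: scan-user, namespace: ${ns}}
current-context: scan
users:
- name: scan-user
  user: {token: ${token}}
EOF
  )
}
# Octal permission bits of a file (GNU stat, with a BSD stat fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
# Against a live cluster the token would be a short-lived one, for example
#   kubectl create token inspec-scanner -n "$NS" --duration=15m
# and the Role applied with: render_scan_role "$NS" "$POD" | kubectl apply -f -
```

The rendered Role grants `get` on exactly one pod and `create` on that pod's `exec` subresource, which is the minimum an API-based scan needs; the kubeconfig never exists with permissions wider than 600.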
### setup-minikube.sh
Purpose: Set up a Minikube environment for testing
Usage:
Example:
Features:
- Minikube cluster creation
- Multi-node configuration (optional)
- Deployment of test pods
- Optional deployment of distroless test pods
- Setup of basic RBAC for testing
Parameters:
- `--nodes` (optional): Number of nodes to create (default: 1)
- `--with-distroless` (optional): Deploy distroless test pods
## Script Outputs
All scripts provide feedback through:
- Standard Output: Progress and information messages
- Exit Codes: Success (0) or failure (non-zero)
- JSON Results: Scanner results in JSON format
- Threshold Validation: Pass/fail based on threshold requirements
## Common Features
All helper scripts share common features:
- Error Handling: Clear error messages and graceful failure
- Resource Cleanup: Automatic cleanup of temporary resources
- Usage Help: Built-in help with the `-h` or `--help` flags
- Verbose Mode: Additional debugging output with the `-v` or `--verbose` flags
- Consistent Interface: Similar parameter patterns across scripts
## Using Scripts in CI/CD
The helper scripts are designed for CI/CD integration:
## Related Documentation
- Scripts vs. Commands - Comparison with direct commands
- Script Implementation - How the scripts work under the hood
- Customizing Scripts - How to modify scripts for specific requirements