I'm using Black Duck scanning with the detect.sh script from Synopsys to scan a Docker image, but I don't know how to scan a path inside the Docker image. My settings are below:
./detect.sh \
--blackduck.url=https://blackduck.blackducksoftware.com \
--blackduck.always.trust.cert=true \
--blackduck.trust.cert=true \
--blackduck.api.token=\"%env.BD_HUB_TOKEN%\" \
--detect.project.name=\"%black_duck_parent_project%\" \
--detect.project.version.name="Docker-Image" \
--detect.code.location.name="Docker-Image-Scan" \
--detect.tools.excluded=DETECTOR \
--logging.level.com.synopsys.integration=DEBUG \
--detect.detector.search.depth=10000 \
--detect.docker.image=myapp:latest \
--detect.project.codelocation.unmap=true \
--detect.output.path=.\blackduck \
--detect.detector.search.exclusion.defaults=true \
--detect.policy.check.fail.on.severities=BLOCKER,CRITICAL \
--logging.level.com.synopsys=DEBUG \
--detect.report.timeout=1200 \
--blackduck.timeout=240
I want to scan the directories /opt/scanning and /opt/checking in my Docker image.
How do I scan those folders?
From the Advanced Black Duck Docker Inspector documentation:
Running Synopsys Detect on a project directory that exists within a Docker image
When you want to run Synopsys Detect on a directory that exists within a Docker image, you can use the following approach:
1. Run Synopsys Detect on the image to generate the container filesystem for the image.
2. Run Synopsys Detect on a directory within that container filesystem.
Synopsys Detect performs these actions without running the image/container.
To see a simple example that illustrates this approach, use the following commands to download these sample files:
curl -O https://raw.githubusercontent.com/blackducksoftware/blackduck-docker-inspector/master/deployment/docker/runDetectInImageDir/runDetectInImageDir.sh
curl -O https://raw.githubusercontent.com/blackducksoftware/blackduck-docker-inspector/master/deployment/docker/runDetectInImageDir/Dockerfile
Review the script before running it to make sure the side effects (files and directories that it creates) are acceptable. You must make the script executable before you run it.
runDetectInImageDir.sh contains the following script, which "provides a simple illustration of how you might run detect on a specific directory (say, a maven project) within an image, without running that image as a container":
curl -O https://detect.synopsys.com/detect.sh
chmod +x detect.sh
# Step 1: produce the container filesystem tarball (offline mode, nothing is uploaded)
./detect.sh \
  --blackduck.offline.mode=true \
  --detect.docker.image=mavenproject:1 \
  --detect.docker.passthrough.output.path=/tmp/output \
  --detect.tools.excluded=SIGNATURE_SCAN,POLARIS
# Step 2: unpack the tarball and run Detect on the project directory inside it
rm -rf containerfilesystem
mkdir -p containerfilesystem
cd containerfilesystem
tar xvf /tmp/output/mavenproject_1_containerfilesystem.tar.gz
cd image_mavenproject_v_1/home/my-app
../../../../detect.sh \
  --blackduck.offline.mode=true \
  --detect.tools.excluded=SIGNATURE_SCAN,POLARIS
Make sure you read the instructions in the sample files! Of course, among other things, you have to replace image_mavenproject_v_1/home/my-app with your path.
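As an added example (not from the question, the answer, or the Docker Inspector documentation), here is the same two-step procedure wrapped in a script that handles several directories at once, written for the /opt/scanning and /opt/checking case from the question. It assumes detect.sh is in the current directory (override with DETECT_BIN), that step 1 writes exactly one *_containerfilesystem.tar.gz into OUT_DIR and that it unpacks to a single top-level image_* directory as in the sample above. It points Detect at the unpacked directory with --detect.source.path instead of cd'ing into it and using a ../../../../ path. The helper names, the environment variables and the script name scan_image_dirs.sh are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the question, the answer or the Docker Inspector docs):
# run Detect on several directories inside an image without running the image.
# Assumptions: detect.sh is in the current directory (override with DETECT_BIN);
# step 1 writes one *_containerfilesystem.tar.gz into OUT_DIR and it unpacks to
# one top-level image_* directory, as in the sample in the answer above.
set -eu

DETECT_BIN="${DETECT_BIN:-./detect.sh}"
OUT_DIR="${OUT_DIR:-/tmp/output}"             # where Docker Inspector writes the tarball
WORK_DIR="${WORK_DIR:-./containerfilesystem}" # where the tarball is unpacked

# Step 1: have Detect/Docker Inspector export the image's filesystem.
# Offline mode: nothing is uploaded, we only want the tarball here.
export_container_fs() {   # <image:tag> <output dir>
  local image="$1" out="$2"
  mkdir -p "$out"
  "$DETECT_BIN" \
    --blackduck.offline.mode=true \
    --detect.docker.image="$image" \
    --detect.docker.passthrough.output.path="$out" \
    --detect.tools.excluded=SIGNATURE_SCAN,POLARIS
}

# Step 2: unpack the tarball into a fresh work dir and print the image root
# (the single top-level image_* directory, e.g. image_mavenproject_v_1).
extract_container_fs() {   # <output dir> <work dir>
  local out="$1" work="$2" tarball
  tarball=$(find "$out" -maxdepth 1 -name '*_containerfilesystem.tar.gz' | head -n 1)
  [ -n "$tarball" ] || { echo "no *_containerfilesystem.tar.gz in $out" >&2; return 1; }
  rm -rf "${work:?}" && mkdir -p "$work"
  tar -xzf "$tarball" -C "$work"
  find "$work" -mindepth 1 -maxdepth 1 -type d -name 'image_*' | head -n 1
}

# Map an absolute path inside the image to its location in the unpacked tree.
# Fails when the image has no such directory, which is the usual cause of an
# empty scan: the path only exists at run time (created by an entrypoint).
path_in_image() {   # <image root> </abs/path/in/image>
  local root="$1" p="$2" target
  case "$p" in /*) ;; *) echo "path must be absolute: $p" >&2; return 1 ;; esac
  target="${root%/}$p"
  [ -d "$target" ] || { echo "$p is not a directory in the image filesystem" >&2; return 1; }
  printf '%s\n' "$target"
}

# One code-location name per directory, so the second run does not overwrite
# the first: myapp:latest + /opt/scanning -> myapp-latest-opt-scanning
codelocation_name() {   # <image:tag> </abs/path/in/image>
  printf '%s\n' "$1-$2" | tr '/:' '--' | sed 's/-\{2,\}/-/g'
}

# Step 3: run Detect on each directory, pointing detect.source.path at the
# unpacked location instead of cd'ing into it and using a ../../../.. path.
scan_dirs() {   # <image:tag> <image root> </abs/path/in/image>...
  local image="$1" root="$2" dir src
  shift 2
  for dir in "$@"; do
    src=$(path_in_image "$root" "$dir")   # aborts the run if the dir is missing
    "$DETECT_BIN" \
      --blackduck.offline.mode=true \
      --detect.source.path="$src" \
      --detect.project.name="${PROJECT:-${image%%:*}}" \
      --detect.project.version.name="${VERSION:-${image##*:}}" \
      --detect.code.location.name="$(codelocation_name "$image" "$dir")" \
      --detect.tools.excluded=SIGNATURE_SCAN,POLARIS
  done
}

main() {   # <image:tag> </abs/path/in/image>...
  local image="$1" root
  shift
  export_container_fs "$image" "$OUT_DIR"
  root=$(extract_container_fs "$OUT_DIR" "$WORK_DIR")
  scan_dirs "$image" "$root" "$@"
}

# e.g. ./scan_image_dirs.sh myapp:latest /opt/scanning /opt/checking
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Both Detect runs stay in offline mode as in the sample; to upload, replace --blackduck.offline.mode=true in scan_dirs with the --blackduck.url and --blackduck.api.token arguments from the question, and drop the SIGNATURE_SCAN exclusion if you also want a signature scan of those directories. Two flags from the question's command would work against this procedure: --detect.tools.excluded=DETECTOR leaves nothing for the directory step to run, and --detect.project.codelocation.unmap=true would unmap the first directory's code location when the second is scanned, which is why each directory gets its own --detect.code.location.name here and unmap is not set. Nothing in the image is executed, the tree is only read from disk, but an absolute symlink inside the unpacked filesystem resolves against the host root rather than the image, so check such paths before trusting what was scanned.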