feat(image): Add image-src flag to specify which runtime(s) to use

[pmengelbert]

Description

Enable a new trivy image --image-src flag. For example

before:

trivy image alpine:3.7.3 # tries docker, containerd, podman, remote in that order (hardcoded)

after:

trivy image alpine:3.7.3 # behavior is the same as in the *before* example
trivy image --image-src=podman,containerd alpine:3.7.3 # tries only podman, containerd in the specified order

Related issues

• Close Select scan socket (containerd, podman, docker) #3049
• Provide ability to disable specific runtimes for trivy image. #4044
• Close Force remote image registry scanning #3929

Related PRs

• Replaces feat(cli): add registry-only flag #4015

Remove this section if you don't have related PRs.

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works. (there were existing tests that hit this codepath, but no new tests written)
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

=======

Description

Related issues

@knqyf263 This is what I got done today on the socket selection. Feel free to use this as a starting point for your future work to include this feature in 0.41.0

Opening as a draft PR since I have not written tests or docs for this yet.

[knqyf263]

@DmitriyLewen I think we may want to replace your PR with this approach. Can you take a look?

Also, I suggested as below.
#3049 (comment)

[DmitriyLewen]

@pmengelbert Thanks for your work!

Looks good. I added some comments. Can you take a look?

[DmitriyLewen]

LGTM
I added some comments.

Take a look, please.

Also i think we need add some information about this in docs - https://github.com/aquasecurity/trivy/blob/main/docs/docs/target/container_image.md#supported
i mean default value, priority, etc...

[pmengelbert]

LGTM I added some comments.

Take a look, please.

Also i think we need add some information about this in docs - https://github.com/aquasecurity/trivy/blob/main/docs/docs/target/container_image.md#supported i mean default value, priority, etc...

I added some docs in container_image.md:

diff --git a/docs/docs/target/container_image.md b/docs/docs/target/container_image.md
index 7350a6a93..108c667a9 100644
--- a/docs/docs/target/container_image.md
+++ b/docs/docs/target/container_image.md
@@ -224,6 +224,23 @@ GitHub Personal Access Token
     You can see environment variables with `docker inspect`.
 
 ## Supported
+
+Trivy will look for the specified image in a series of locations. By default, it
+will first look in the local Docker Engine, then Containerd, Podman, and
+finally container registry.
+
+This behavior can be modified with the `--runtimes` flag. For example, the
+command
+
+```bash
+trivy image --runtimes podman,containerd alpine:3.7.3
+```
+
+Will first search in Podman. If the image is found there, it will be scanned
+and the results returned. If the image is not found in Podman, then Trivy will
+search in Containerd. If the image is not found there either, the scan will
+fail and no more runtimes will be searched.
+
 ### Docker Engine
 Trivy tries to looks for the specified image in your local Docker Engine.
 It will be skipped if Docker Engine is not running locally.

[DmitriyLewen]

Good work! Can you resolve conflicts?

[knqyf263]

It should be defined under ImageOptions.

trivy/pkg/fanal/types/image.go

Lines 17 to 22 in 9bc3269

	type ImageOptions struct {
	RegistryOptions RegistryOptions
	DockerOptions DockerOptions
	PodmanOptions PodmanOptions
	ContainerdOptions ContainerdOptions
	}

[pmengelbert]

done

[knqyf263]

It should be defined under ImageOptions.

trivy/pkg/fanal/types/image.go

Lines 17 to 22 in 9bc3269

	type ImageOptions struct {
	RegistryOptions RegistryOptions
	DockerOptions DockerOptions
	PodmanOptions PodmanOptions
	ContainerdOptions ContainerdOptions
	}

[pmengelbert]

done

[knqyf263]

I think it can be done in NewContainerImage. Is there any benefit in exporting this function?

[pmengelbert]

I moved this to NewContainerImage, and made the function private. The function was also renamed

[pmengelbert]

--runtimes strings Runtime(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote])

remote runtime sounds like a remote Docker daemon or other daemons. How about --image-src, --image-from, or something like that? docker,containerd,podman,registry.

Renamed to image-src, and in the code things like Runtime have been renamed to ImageSource

[pmengelbert]

@knqyf263 Is there anything else that this PR needs to be accepted?

[knqyf263]

@pmengelbert I'm back from vacation. We plan to take another look at this PR next week. Thanks for your patience.

[knqyf263]

I've added some tweaks, such as comments, formatting, etc., but it looks great to me! Thanks for your contribution.