This is a scanner plugin for Copacetic that processes Docker Scout vulnerability reports and enables automatic patching of container images.
This plugin:
- Processes Docker Scout vulnerability reports
- Maps package names to their Debian equivalents
- Filters out irrelevant vulnerabilities based on their descriptions
- Generates a structured report for Copa to patch images
The following tools are required to build and run this plugin:
- git: for cloning this repo
- Go: for building the plugin
- make: for building the binary
- docker: for running Docker Scout and Copa
- copa: the Copacetic CLI tool
- buildkit: for image patching (see BuildKit Setup below)
Copa requires BuildKit for patching images. You can run BuildKit in a container; the `--addr docker-container://buildkitd` flag in the copa commands further down points at this container. Note that `--privileged` combined with the mounted Docker socket gives the BuildKit container root-equivalent control of the host, so run it this way only on a host where that is acceptable:
# Stop any existing BuildKit container
docker stop buildkitd || true
docker rm buildkitd || true
# Start BuildKit with proper configuration
docker run -d --name buildkitd --privileged \
--restart always \
-v /var/run/docker.sock:/var/run/docker.sock \
moby/buildkit:v0.12.4
# Clone this repo
git clone https://github.com/project-copacetic/scanner-plugin-template.git
# Change directory to the repo
cd scanner-plugin-template
# Build the copa-docker-scout binary
make
# Add copa-docker-scout binary to PATH
export PATH=$PATH:$(pwd)/dist/$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m)/release/
# Test the plugin against the sample Docker Scout report shipped in testdata
copa-docker-scout ./testdata/nginx1.26.1.json
# this will print the report in JSON format. Example:
# {"apiVersion":"v1alpha1","metadata":{"os":{"type":"debian","version":"11"},"config":{"arch":""}},"updates":[{"name":"systemd","installedVersion":"247.3-7","fixedVersion":"247.3-7+deb11u6","vulnerabilityID":"CVE-2023-50868"},{"name":"libwebp","installedVersion":"0.6.1-2.1","fixedVersion":"0.6.1-2.1+deb11u2","vulnerabilityID":"CVE-2023-5129"}
First, generate a vulnerability report using Docker Scout. The plugin consumes Docker Scout's GitLab output format, so pass `--format gitlab`:
# Scan an image with Docker Scout and write the report in GitLab format
docker scout cves nginx:1.21.6 --format gitlab --output nginx1.21.6.json
Copa finds the plugin by looking for a binary named copa-docker-scout on PATH (the name after `--scanner`). There are two ways to use the plugin with Copa:
# Option 1: process the report and pipe the result directly to Copa
copa-docker-scout nginx1.21.6.json | \
copa patch --scanner docker-scout --image nginx:1.21.6 \
-t nginx-1.21.6-patched --addr docker-container://buildkitd -
# Option 2: write the processed report to a file first
copa-docker-scout nginx1.21.6.json > processed-report.json
# Then hand that file to Copa with -r
copa patch --scanner docker-scout --image nginx:1.21.6 \
-r processed-report.json -t nginx-1.21.6-patched \
--addr docker-container://buildkitd
After patching, you can verify the results. The `-t` tag is applied within the same repository, so the patched image is nginx:nginx-1.21.6-patched. Expect findings the plugin skipped (no-dsa, unfixed, ignored, rejected) to still be reported, since nothing was installed for them:
# Check if the patched image exists
docker images | grep nginx-1.21.6-patched
# Scan the patched image for remaining vulnerabilities
docker scout cves nginx:nginx-1.21.6-patched
The repository includes a test case using nginx-epss.json, which demonstrates:
- Processing of various vulnerability types:
  - CVEs with different severity levels
  - Vulnerabilities with special status (ignored, rejected, etc.)
  - Multiple vulnerabilities for the same package
- Package name mapping:
  - Direct mappings (e.g., openssl → openssl)
  - Complex mappings (e.g., gnutls28 → libgnutls30)
  - Fallback to original names when no mapping exists
- Version handling:
  - Installed version extraction
  - Fixed version identification
  - Version comparison logic
The plugin includes mappings from upstream source package names to the Debian binary packages that apt actually upgrades. Some examples:
- glibc → libc6
- krb5 → libkrb5-3
- libwebp → libwebp6
- tiff → libtiff5
These binary names are release-specific: libwebp6 and libtiff5 are the Debian 11 (bullseye) names, while Debian 12 (bookworm) ships libwebp7 and libtiff6. A mapping that does not match the scanned image's release will name a package that is not installed, so check the table against the base image you are patching.
The plugin skips vulnerabilities that:
- Are marked with <no-dsa>
- Are marked with <unfixed>
- Are marked with <ignored>
- Contain REJECT in their description
These entries carry no fixed package version for Copa to install (or are not tracked by a Debian security advisory at all), so they are dropped from the report rather than passed on as updates.
The plugin generates a structured JSON report containing:
- Operating system information (type, version, architecture)
- Package details (name, installed version, fixed version)
- Vulnerability IDs
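The processing described in the test-case, mapping, filtering and output sections above, as an added Go example. This is not the plugin's own code: it takes a simplified, constructed report whose field names (os_type, os_version, package, installed_version, fixed_version, id, description) are assumptions for the example rather than Docker Scout's GitLab schema, drops findings that carry the skip markers, rewrites source package names to their Debian 11 binary names (falling back to the original name), and emits a Copa v1alpha1 report in the shape shown earlier. The check that a fixed version is present and differs from the installed version is an added guard, not something the page lists; the CVE-0000-000x identifiers and version strings in the sample are placeholders.

```go
package main

import (
	"encoding/json"
	"os"
	"strings"
)

// scoutFinding: simplified, constructed view of a Docker Scout finding (assumed field names).
type scoutFinding struct {
	Package          string `json:"package"`
	InstalledVersion string `json:"installed_version"`
	FixedVersion     string `json:"fixed_version"`
	ID               string `json:"id"`
	Description      string `json:"description"`
}
type scoutReport struct {
	OSType    string         `json:"os_type"`
	OSVersion string         `json:"os_version"`
	Findings  []scoutFinding `json:"findings"`
}

// Copa's v1alpha1 report, in the shape of the example output shown earlier.
type copaUpdate struct {
	Name             string `json:"name"`
	InstalledVersion string `json:"installedVersion"`
	FixedVersion     string `json:"fixedVersion"`
	VulnerabilityID  string `json:"vulnerabilityID"`
}
type copaReport struct {
	APIVersion string `json:"apiVersion"`
	Metadata   struct {
		OS struct {
			Type    string `json:"type"`
			Version string `json:"version"`
		} `json:"os"`
		Config struct{ Arch string `json:"arch"` } `json:"config"`
	} `json:"metadata"`
	Updates []copaUpdate `json:"updates"`
}

// debianNames maps upstream source names to the Debian 11 binary package apt upgrades.
var debianNames = map[string]string{
	"glibc": "libc6", "krb5": "libkrb5-3", "libwebp": "libwebp6",
	"tiff": "libtiff5", "gnutls28": "libgnutls30", "openssl": "openssl",
}

// skipMarkers flag findings that give Copa nothing to install.
var skipMarkers = []string{"<no-dsa>", "<unfixed>", "<ignored>", "REJECT"}

// shouldSkip drops marked findings and (extra guard) those without a distinct fixed version.
func shouldSkip(f scoutFinding) bool {
	for _, m := range skipMarkers {
		if strings.Contains(f.Description, m) {
			return true
		}
	}
	return f.FixedVersion == "" || f.FixedVersion == f.InstalledVersion
}

// convert parses, filters and maps a raw report into the report Copa consumes.
func convert(data []byte) (copaReport, error) {
	var in scoutReport
	if err := json.Unmarshal(data, &in); err != nil {
		return copaReport{}, err
	}
	out := copaReport{APIVersion: "v1alpha1", Updates: []copaUpdate{}}
	out.Metadata.OS.Type, out.Metadata.OS.Version = in.OSType, in.OSVersion
	for _, f := range in.Findings {
		if shouldSkip(f) {
			continue
		}
		name := f.Package // no mapping entry: fall back to the original name
		if deb, ok := debianNames[name]; ok {
			name = deb
		}
		out.Updates = append(out.Updates, copaUpdate{Name: name, VulnerabilityID: f.ID,
			InstalledVersion: f.InstalledVersion, FixedVersion: f.FixedVersion})
	}
	return out, nil
}

// sampleReport is constructed input; only the two CVE-2023 IDs are real (from the example above).
const sampleReport = `{"os_type":"debian","os_version":"11","findings":[
{"package":"systemd","installed_version":"247.3-7","fixed_version":"247.3-7+deb11u6","id":"CVE-2023-50868","description":"DNSSEC NSEC3 closest encloser proof"},
{"package":"libwebp","installed_version":"0.6.1-2.1","fixed_version":"0.6.1-2.1+deb11u2","id":"CVE-2023-5129","description":"heap buffer overflow"},
{"package":"openssl","installed_version":"1.1.1n-0+deb11u5","fixed_version":"","id":"CVE-0000-0001","description":"<no-dsa> minor issue"},
{"package":"tiff","installed_version":"4.2.0-1+deb11u4","fixed_version":"4.2.0-1+deb11u5","id":"CVE-0000-0002","description":"** REJECT ** duplicate"},
{"package":"gnutls28","installed_version":"3.7.1-5+deb11u3","fixed_version":"","id":"CVE-0000-0003","description":"<unfixed>"}]}`

func main() {
	rep, err := convert([]byte(sampleReport))
	if err != nil {
		panic(err)
	}
	json.NewEncoder(os.Stdout).Encode(rep) // one compact JSON document for Copa
}
```

Running it prints a single JSON document with two updates (systemd unchanged, libwebp rewritten to libwebp6) and drops the three marked findings; that is the same shape the real plugin hands to `copa patch`.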
Contributions are welcome! Please feel free to submit a Pull Request.