Merge pull request #1084 from GitGuardian/severine/handle-tar-gz-in-docker-images

fix: let tarfile auto-detect archive type

Author: sevbch

changelog.d/20250422_185842_severine.bonnechere_handle_tar_gz_in_docker_images.md

@@ -0,0 +1,3 @@
+### Fixed
+
+- Fixed error when scanning `.tar.gz` compressed files inside docker layers.

ggshield/verticals/secret/docker.py

@@ -241,7 +241,7 @@ def get_layer_scannables(
         Extracts Scannable to be scanned for given layer.
         """
         layer_filename = layer_info.filename
-        layer_archive = tarfile.TarFile(
+        layer_archive = tarfile.open(
             name=self.archive_path / layer_filename,
             fileobj=self.tar_file.extractfile(layer_filename),
         )

tests/unit/conftest.py

@@ -592,6 +592,7 @@ def is_macos():
 DOCKER__INCOMPLETE_MANIFEST_EXAMPLE_PATH = (
     DATA_PATH / "docker-incomplete-manifest-example.tar.xz"
 )
+DOCKER_EXAMPLE_TAR_GZ_LAYER_PATH = DATA_PATH / "docker-tar-gz-layer.tar.xz"
 
 # Format is { layer_id: { path: content }}
 DOCKER_EXAMPLE_LAYER_FILES = {

tests/unit/data/docker-tar-gz-layer.tar.xz

@@ -20,6 +20,7 @@
     DOCKER__INCOMPLETE_MANIFEST_EXAMPLE_PATH,
     DOCKER_EXAMPLE_LAYER_FILES,
     DOCKER_EXAMPLE_PATH,
+    DOCKER_EXAMPLE_TAR_GZ_LAYER_PATH,
 )
 
 
@@ -83,7 +84,13 @@ def test_get_config(self, members, match):
             DockerImage(Path("dummy"), tarfile)
 
     @pytest.mark.parametrize(
-        "image_path", [DOCKER_EXAMPLE_PATH, DOCKER__INCOMPLETE_MANIFEST_EXAMPLE_PATH]
+        "image_path",
+        [
+            DOCKER_EXAMPLE_PATH,
+            DOCKER__INCOMPLETE_MANIFEST_EXAMPLE_PATH,
+            # 1 of the layers contains a tar.gz file -> extraction should work
+            DOCKER_EXAMPLE_TAR_GZ_LAYER_PATH,
+        ],
     )
     def test_docker_archive(self, image_path: Path):
         with DockerImage.open(image_path) as image: