
Commit f6fd97d

committed
Update CBOM to scan containers for certificates
- Scan containers by name/ID using docker, kubectl, crictl, nerdctl - Scan Kubernetes pods with namespace and container selection - Auto-detect container runtime - Search common certificate paths inside containers: - /etc/ssl/certs, /etc/pki/tls/certs - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - /etc/kubernetes/pki, /certs, /etc/tls - Deduplicate certificates by fingerprint Usage: qcr cbom --container nginx-abc123 qcr cbom --pod my-pod -n default qcr cbom --pod my-pod -n default -c sidecar
1 parent 2368d88 commit f6fd97d


2 files changed

+248
-63
lines changed


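--- a/eventgen/cmd/main.go
+++ b/eventgen/cmd/main.go
@@ -744,9 +744,12 @@ func outputSBOM(s *sbom.CBOM, format, output string) {
 
 func cbomCmd(args []string) {
 fs := flag.NewFlagSet("cbom", flag.ExitOnError)
-certFile := fs.String("file", "", "PEM certificate file to scan")
-host := fs.String("host", "", "Host to scan for certificates")
-port := fs.Int("port", 443, "Port for TLS connection")
+container := fs.String("container", "", "Container name/ID to scan")
+pod := fs.String("pod", "", "Kubernetes pod name to scan")
+namespace := fs.String("namespace", "", "Kubernetes namespace")
+containerName := fs.String("c", "", "Container name within pod (for multi-container pods)")
+runtime := fs.String("runtime", "", "Container runtime: kubectl, docker, crictl, nerdctl (auto-detected)")
+certFile := fs.String("file", "", "PEM certificate file to scan (local)")
 expireDays := fs.Int("expire-days", 30, "Days threshold for expiring soon warning")
 minKeySize := fs.Int("min-key-size", 2048, "Minimum RSA key size")
 format := fs.String("format", "text", "Output format: text, json")
@@ -756,11 +759,26 @@ func cbomCmd(args []string) {
 scanner := cbom.NewScanner()
 scanner.SetExpirySoonDays(*expireDays)
 scanner.SetMinKeySize(*minKeySize)
+if *runtime != "" {
+scanner.SetRuntime(*runtime)
+}
 
 var result *cbom.CBOM
 var err error
 
-if *certFile != "" {
+if *container != "" {
+result, err = scanner.ScanContainer(*container, *namespace)
+if err != nil {
+fmt.Printf("Error scanning container: %v\n", err)
+return
+}
+} else if *pod != "" {
+result, err = scanner.ScanPod(*pod, *namespace, *containerName)
+if err != nil {
+fmt.Printf("Error scanning pod: %v\n", err)
+return
+}
+} else if *certFile != "" {
 data, err := os.ReadFile(*certFile)
 if err != nil {
 fmt.Printf("Error reading file: %v\n", err)
@@ -771,15 +789,13 @@ func cbomCmd(args []string) {
 fmt.Printf("Error parsing certificates: %v\n", err)
 return
 }
-} else if *host != "" {
-result, err = scanner.ScanEndpoint(*host, *port)
-if err != nil {
-fmt.Printf("Error scanning endpoint: %v\n", err)
-return
-}
 } else {
-fmt.Println("Error: Specify --file or --host")
-fs.Usage()
+fmt.Println("Error: Specify --container, --pod, or --file")
+fmt.Println("\nExamples:")
+fmt.Println(" qcr cbom --container nginx-abc123")
+fmt.Println(" qcr cbom --pod my-pod -n default")
+fmt.Println(" qcr cbom --pod my-pod -n default -c sidecar")
+fmt.Println(" qcr cbom --file /path/to/cert.pem")
 return
 }
 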
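Review bot: The examples printed in the fallback branch (new lines 796–797) and the commit message use `-n default`, but the only namespace flag registered is `namespace` (new line 749) and Go's `flag` package derives no short aliases, so `qcr cbom --pod my-pod -n default` fails with `flag provided but not defined: -n` and exits under `flag.ExitOnError` before scanning anything. Register the shorthand on the same variable right after that line: `fs.StringVar(namespace, "n", "", "Kubernetes namespace (shorthand for --namespace)")`. Separately, `*runtime` is forwarded to `scanner.SetRuntime` (new line 763) without being checked against the four values the help text documents; if the scanner uses that string to choose the executable it invokes, an unexpected value would run an arbitrary program from PATH, so rejecting anything other than kubectl/docker/crictl/nerdctl before the call is cheap insurance. The error branch also dropped the `fs.Usage()` call, so `--runtime`, `--expire-days`, `--min-key-size` and `--format` are no longer listed when the command is run without a target, and passing both `--container` and `--pod` silently ignores `--pod`. cbomCmd's body continues past the last hunk.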
