Docker are adding the concept of Extensions to the Docker Desktop tool. This is an extension that allows the user to run Trivy and get pretty output in return.
The user can either select from a drop down of local images or type the name of an image into the drop down.
When you run the scan you'll get the results
When you run the scan you can optionally get the results in SBOM format
The extension runs in its own container with a web interface that calls into the Docker extension API. At a high level the flow is:
- specify an image
- create the trivy cache volume if it does not already exist
- run aquasec/trivy against the image providing the volume for docker.sock and the cache volume
- process the JSON results and render
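The flow above, sketched as an added example (not the extension's own code): it builds the `docker run` arguments for a user-supplied image name and reduces Trivy's JSON report to per-severity counts. The volume name `trivy-cache-example`, the function names and the sample report are assumptions constructed for illustration.

```typescript
// Added example, not the extension's code. Field names follow Trivy's JSON report.
type Severity = "CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "UNKNOWN";
interface Vuln { VulnerabilityID: string; PkgName: string; Severity: string; FixedVersion?: string }
interface Report { Results?: { Target: string; Vulnerabilities?: Vuln[] | null }[] | null }

const CACHE_VOLUME = "trivy-cache-example"; // assumed volume name

// The image name is typed by the user, so accept only characters valid in an
// image reference; a leading "-" would otherwise be parsed as a CLI flag.
function buildScanArgs(image: string): string[] {
  if (!/^[a-z0-9][a-z0-9._\/:@-]*$/i.test(image)) {
    throw new Error("invalid image reference: " + image);
  }
  return [
    "run", "--rm",
    "-v", "/var/run/docker.sock:/var/run/docker.sock", // lets Trivy read local images
    "-v", CACHE_VOLUME + ":/root/.cache",              // vulnerability DB cache
    "aquasec/trivy", "image", "--quiet", "--format", "json", image,
  ];
}

// Count findings per severity. A target with no findings has no
// Vulnerabilities key (or null), and unrecognised severities map to UNKNOWN.
function countBySeverity(rawJson: string): Record<Severity, number> {
  const counts: Record<Severity, number> = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0, UNKNOWN: 0 };
  const report = JSON.parse(rawJson) as Report;
  for (const result of report.Results || []) {
    for (const v of result.Vulnerabilities || []) {
      // hasOwnProperty rather than `in`, so "toString" is not treated as a severity
      const known = Object.prototype.hasOwnProperty.call(counts, v.Severity);
      const sev: Severity = known ? (v.Severity as Severity) : "UNKNOWN";
      counts[sev] += 1;
    }
  }
  return counts;
}

// Constructed sample report (placeholder IDs, not real findings).
const SAMPLE_REPORT = JSON.stringify({
  SchemaVersion: 2,
  Results: [
    { Target: "example/app:1.0 (alpine)", Vulnerabilities: [
      { VulnerabilityID: "CVE-0000-0001", PkgName: "libexample", Severity: "HIGH", FixedVersion: "1.2.3" },
      { VulnerabilityID: "CVE-0000-0002", PkgName: "libother", Severity: "LOW" },
      { VulnerabilityID: "CVE-0000-0003", PkgName: "libodd", Severity: "toString" },
    ] },
    { Target: "app/package-lock.json" }, // clean target: no Vulnerabilities key
  ],
});
```

An all-zero result from `countBySeverity` corresponds to the case where the Success component is shown.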
The extension is a React app leveraging Material UI components. The Docker extension team have provided theme support so we just use that for the look and feel.
The source is all in `client/src` with the main component being `App.tsx`. This has the core code for running the extension and loads all of the child components.
The rest of the tsx files are detailed below
Component | Purpose |
---|---|
DefaultDisplay | After the landing page has been used to initiate the first scan the view switches to the default display with the logo and search box |
ImageList | Provides the functionality for loading the images stored locally and autocomplete functionality |
Links | Header links for github, docs and slack |
Loading | The spinner loading blackout shim |
Pill | Coloured badges to denote the severity of the vulnerability |
Success | When the scan has no vulnerabilities this 🎉 message is displayed |
Vulns | Renders the Accordion "table" of results - this includes the VulnsFilter |
VulnsFilter | This control has the numbers of each severity and allows filtering the "table" of results |
Welcome | The Landing page - has the Trivy description and the initial scan |
In addition to these there is TrivyVulnerability, a class that represents a vulnerability from the JSON results.
You will need
- Docker Desktop release that supports extensions (currently private repo)
- Docker Extension binary release (currently private repo)
- NPM installed
To launch the extension into your Docker Desktop you'll need to run:
Linux/Mac
make deploy-dev
Windows
make.bat deploy-dev
To launch the extension into your Docker Desktop you'll need to run:
Linux/Mac
make dev-debug
Windows
make.bat dev-debug
To launch the extension into your Docker Desktop you'll need to run:
Linux/Mac
make dev-reset
Windows
make.bat dev-reset
A bit about the CI process: on a new tag a release will be built for `linux/amd64` and `linux/arm64` using `docker buildx` with the multi arch builder.
The `release-extension` target in the `Makefile` is fairly self explanatory and will push the new image.
It's worth noting the installation of QEMU on the GitHub action worker so that it can build the `arm64` image - without that there are issues finding `glibc`.