Configuring the lite SBOM mode for the scanner in Docker

To start the scanner in lite SBOM mode in Docker:

  1. Specify the mandatory parameters for Kaspersky Container Security:

    -e API_TOKEN=<API token value>

    -e API_BASE_URL=https://company.com

    -e API_CA_CERT=<certificate in the .PEM format> or -e SKIP_API_SERVER_VALIDATION=true

  2. If necessary, specify additional parameters for Kaspersky Container Security.
  3. Specify the scanner image to run:

    repo.kcs.company.com/images/scanner:v2.1.0-lite

  4. If you need to generate an artifact for downloading, specify the following:

    --<artifact format> --stdout > result.<file format>

    For example:

    --html --stdout > result.html

  5. Make sure that the .docker/config.json configuration file contains data for connection to the image registry with the scanner image. If necessary, run one of the following commands: docker login repo.company.com or docker login repo.kcs.kaspersky.com.
  6. Start scanning.

    If a domain name resolution error (Name does not resolve) appears when calling the scanner, specify the address of your organization's internal DNS server before the API_BASE_URL variable. For example:

    --dns 10.0.xx.x

If the scanner image and image to be scanned are stored in your registry and you need to generate an artifact with the scanner operation results in the .JSON format, scanner starting variables are specified as follows:

    docker run --dns 10.0.10.10 \
      -e "API_BASE_URL=https://kcs.company.com" \
      -e "SKIP_API_SERVER_VALIDATION=true" \
      -e "API_TOKEN=${api_token}" \
      -e "COMPANY_EXT_REGISTRY_USERNAME=${user}" \
      -e "COMPANY_EXT_REGISTRY_PASSWORD=${password}" \
      repo.company.com/images/scanner:v2.1.0-lite \
      repo.company.com/images/alpine:latest --stdout > result.json

If the scanner image is stored in a Kaspersky public registry (the node pulls this image using your proxy server), the scanned image is stored locally on the node as an archive, and you need to generate an artifact with the scanner operation results in the .SPDX format, scanner starting variables are specified as follows:

    docker run --dns 10.0.10.10 \
      -e "API_BASE_URL=https://kcs.company.com" \
      -e "SKIP_API_SERVER_VALIDATION=true" \
      -e "API_TOKEN=${api_token}" \
      -e "HTTPS_PROXY=http://user:password@client.proxy.com:8080" \
      -v ./image_to_scan.tar:/image.tar \
      repo.kcs.kaspersky.com/images/scanner:v2.1.0-lite \
      image.tar --file --spdx --stdout > result.spdx

If the scanner image is stored in a remote image registry, the image for analysis has been saved on the local host in the OCI artifact format, and you need to generate an artifact with the scanner output in the .SPDX format, the data for starting the scanner are configured as follows:

    docker run --dns 10.0.10.10 \
      -e "API_BASE_URL=https://kcs.company.com" \
      -e "SKIP_API_SERVER_VALIDATION=true" \
      -e "API_TOKEN=${api_token}" \
      -e "COMPANY_EXT_REGISTRY_USERNAME=${user}" \
      -e "COMPANY_EXT_REGISTRY_PASSWORD=${password}" \
      -v ./image_oci_nginx:/image_oci_nginx \
      repo.company.com/images/scanner:v2.0.0-lite \
      ./image_oci_nginx --oci --spdx --stdout > result.spdx

Before starting the scanner, make sure that the image is available on the node in the OCI artifact format. For example, you can start the skopeo tool and run the following command:

    skopeo copy --override-arch amd64 --override-os linux -f oci docker://nginx:latest oci:image_oci_nginx:latest
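
The run commands above all set SKIP_API_SERVER_VALIDATION=true and place the API token on the command line. The wrapper below is an added example, not part of the Kaspersky documentation: it refuses to start unless a CA certificate is supplied for API_CA_CERT and passes the token and certificate through the environment. The names kcs_lite_scan, KCS_CA_FILE, KCS_DNS and KCS_DOCKER are hypothetical, and it assumes that API_CA_CERT accepts the PEM text as its value.

```shell
# Added example: pre-flight checks, then the lite SBOM scanner run.
# Hypothetical names: kcs_lite_scan, KCS_CA_FILE, KCS_DNS, KCS_DOCKER.
# Usage: kcs_lite_scan <scanner image> <image to scan> [json|html|spdx] > result.<ext>
kcs_lite_scan() (
  [ "$#" -ge 2 ] || { echo "scanner image and image to scan are required" >&2; exit 2; }
  scanner=$1 target=$2 format=${3:-json}

  [ -n "${API_TOKEN:-}" ] || { echo "API_TOKEN is not set" >&2; exit 1; }
  case "${API_BASE_URL:-}" in
    https://?*) ;;
    *) echo "API_BASE_URL must be an https:// URL" >&2; exit 1 ;;
  esac
  # Require a CA certificate so the API server certificate is validated
  # and SKIP_API_SERVER_VALIDATION=true is not needed.
  if ! grep -q -e '-----BEGIN CERTIFICATE-----' "${KCS_CA_FILE:-/nonexistent}" 2>/dev/null; then
    echo "KCS_CA_FILE must point to a PEM certificate" >&2; exit 1
  fi

  case "$format" in
    json) fmt= ;;                  # the page's JSON example passes no format flag
    html|spdx) fmt="--$format" ;;
    *) echo "unsupported artifact format: $format" >&2; exit 1 ;;
  esac

  # Build the argument list in the positional parameters (POSIX sh has no arrays).
  set -- "$scanner" "$target" ${fmt:+"$fmt"} --stdout
  # `-e NAME` with no value copies NAME from docker's own environment, so the
  # token and certificate stay out of the command line (shell history, ps output).
  set -- -e API_BASE_URL -e API_TOKEN -e API_CA_CERT "$@"
  [ -z "${KCS_DNS:-}" ] || set -- --dns "$KCS_DNS" "$@"

  # KCS_DOCKER lets a dry run substitute another command (for example echo).
  API_BASE_URL=$API_BASE_URL API_TOKEN=$API_TOKEN \
  API_CA_CERT=$(cat "$KCS_CA_FILE") \
    ${KCS_DOCKER:-docker} run "$@"
)
```

Setting KCS_DOCKER=echo prints the assembled arguments without starting a container, which is a quick way to review what will be run.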
