cve: exclude the collector's own container from the scan (+ SOC_EXCLUDE_IMAGES)
Build and push soc-collector / build (push) Successful in 5s
Build and push soc-collector / build (push) Successful in 5s
This commit is contained in:
@@ -61,12 +61,15 @@ enable what you give it.
|
||||
| `SOC_TITLE` | | `Security scan — <slug>` | the report's title |
|
||||
| `SOC_VISIBILITY` | | `private` | `private` or `authenticated` |
|
||||
| `SOC_TAGS` | | `collector` | extra report tags |
|
||||
| `SOC_EXCLUDE_IMAGES` | | — | comma-separated substrings; running images matching any are skipped by the `cve` source |
|
||||
|
||||
## Notes
|
||||
|
||||
- **Docker socket** is mounted **read-only** (`:ro`) and is only used to *list* running
|
||||
containers and *inspect* their config. For extra isolation, point it at a scoped
|
||||
socket-proxy instead of the raw socket.
|
||||
- The `cve` source **skips the collector's own container**, so the scanner never reports
|
||||
on itself. Use `SOC_EXCLUDE_IMAGES` to drop any other images you don't want scanned.
|
||||
- The collector is **pure-stdlib Python**; the image just adds `nmap` and `trivy`.
|
||||
- Multi-server: run one container per server with a distinct `SOC_SLUG` — one report each.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user