cve: exclude the collector's own container from the scan (+ SOC_EXCLUDE_IMAGES)
Build and push soc-collector / build (push) Successful in 5s

This commit is contained in:
Steffen Skui
2026-06-25 10:31:40 +02:00
parent 9277db02a5
commit 2ff4e703c4
2 changed files with 41 additions and 2 deletions
+38 -2
View File
@@ -13,6 +13,9 @@ that you can apply it. For an image you don't build and already run :latest of,
explicit, and actionable findings sort above the can't-do-anything ones.
"""
import json
import os
import re
import socket
import subprocess
from soc import finding
@@ -23,13 +26,46 @@ OWN_PREFIX = "git.skui.io/"
STATUS_RANK = {"yours": 0, "update": 1, "upstream": 2}
def _own_container_id():
"""The collector's own container id, so we don't scan ourselves.
/proc carries the full id regardless of `--hostname`; fall back to the
hostname (== the short container id by Docker default). Empty string when
not running in a container (then nothing is excluded)."""
try:
with open("/proc/self/mountinfo") as fh: # …/containers/<id>/{hostname,hosts}
m = re.search(r"/containers/([0-9a-f]{64})/", fh.read())
if m:
return m.group(1)
except OSError:
pass
try:
with open("/proc/self/cgroup") as fh: # cgroup v1: …/docker/<id>
m = re.search(r"docker[-/]([0-9a-f]{64})", fh.read())
if m:
return m.group(1)
except OSError:
pass
try:
return socket.gethostname().strip()
except Exception:
return ""
def _running_images():
conts = _docker.get("/containers/json") or []
self_id = _own_container_id()
# optional extra exclusions: SOC_EXCLUDE_IMAGES=substr1,substr2
extra = [s.strip() for s in os.environ.get("SOC_EXCLUDE_IMAGES", "").split(",") if s.strip()]
seen = []
for c in conts:
cid = c.get("Id", "")
if self_id and cid.startswith(self_id):
continue # don't scan the collector itself
img = c.get("Image", "")
if img and img not in seen:
seen.append(img)
if not img or img in seen or any(x in img for x in extra):
continue
seen.append(img)
return seen