snyk
diff --git a/‎.dockerignore
+1 b/‎.dockerignore
+1
diff --git a/‎Dockerfile
+19-1 b/‎Dockerfile
+19-1
diff --git a/‎package-lock.json
+65-9 b/‎package-lock.json
+65-9
diff --git a/‎package.json
+2-2 b/‎package.json
+2-2
diff --git a/‎snyk-monitor-cluster-permissions.yaml
+1 b/‎snyk-monitor-cluster-permissions.yaml
+1
diff --git a/‎snyk-monitor-deployment.yaml
+11 b/‎snyk-monitor-deployment.yaml
+11
diff --git a/‎snyk-monitor-namespaced-permissions.yaml
+1 b/‎snyk-monitor-namespaced-permissions.yaml
+1
diff --git a/‎snyk-monitor/templates/deployment.yaml
+15 b/‎snyk-monitor/templates/deployment.yaml
+15
diff --git a/‎snyk-monitor/values.yaml
+3 b/‎snyk-monitor/values.yaml
+3
diff --git a/‎src/app.ts
+2-2 b/‎src/app.ts
+2-2
diff --git a/‎src/cli/process.ts
+15-3 b/‎src/cli/process.ts
+15-3
diff --git a/‎src/common/config.ts
+2 b/‎src/common/config.ts
+2
diff --git a/‎src/common/features.ts
+5 b/‎src/common/features.ts
+5
diff --git a/‎src/images/index.ts
+27-3 b/‎src/images/index.ts
+27-3
@@ -7,6 +7,7 @@ node_modules
 
 config.local.json
 node_modules/
+dist/
 coverage/
 .nyc_output/
 .idea/
 
@@ -1,6 +1,20 @@
+#---------------------------------------------------------------------
+# STAGE 1: Build skopeo inside a temporary container
+#---------------------------------------------------------------------
+FROM golang:1.13.1-alpine3.10 AS skopeo-build
+
+RUN apk --no-cache add git make gcc musl-dev ostree-dev go-md2man
+RUN git clone --depth 1 -b 'v0.1.39' https://github.com/containers/skopeo $GOPATH/src/github.com/containers/skopeo
+RUN cd $GOPATH/src/github.com/containers/skopeo \
+  && make binary-local-static DISABLE_CGO=1 \
+  && make install
+
+#---------------------------------------------------------------------
+# STAGE 2: Build the kubernetes-monitor
+#---------------------------------------------------------------------
 FROM node:dubnium-alpine
 
-MAINTAINER Snyk Ltd
+LABEL maintainer="Snyk Ltd"
 
 ENV NODE_ENV production
 
@@ -13,6 +27,10 @@ RUN apk --no-cache add --virtual curl-dep curl \
  && rm docker-${DOCKERVERSION}.tgz \
  && apk del curl-dep
 
+COPY --from=skopeo-build /usr/bin/skopeo /usr/bin/skopeo
+COPY --from=skopeo-build /etc/containers/registries.d/default.yaml /etc/containers/registries.d/default.yaml
+COPY --from=skopeo-build /etc/containers/policy.json /etc/containers/policy.json
+
 WORKDIR /root
 
 # Add manifest files and install before adding anything else to take advantage of layer caching
 
@@ -6,7 +6,7 @@
     "pretest": "./scripts/build-image.sh",
     "test": "npm run lint && npm run build && npm run test:unit && npm run test:integration",
     "test:unit": "./tap test/unit -R spec",
-    "test:integration": "./tap test/integration -Rdot --timeout=600",
+    "test:integration": "./tap test/integration -Rdot --timeout=600 && STATIC_ANALYSIS=true ./tap test/integration -Rdot --timeout=1200",
     "test:coverage": "npm run test:unit -- --coverage",
     "test:watch": "tsc-watch --onSuccess 'npm run test:unit'",
     "start": "bin/start",
@@ -41,7 +41,7 @@
     "needle": "^2.4.0",
     "response-time": "^2.3.2",
     "snyk-config": "^2.2.0",
-    "snyk-docker-plugin": "^1.25.0",
+    "snyk-docker-plugin": "^1.32.1",
     "source-map-support": "^0.5.9",
     "tslib": "^1.9.3",
     "ws": "^7.0.0",
 
@@ -83,4 +83,5 @@ data:
   namespace: ""
   integrationApi: ""
   clusterName: ""
+  staticAnalysis: "false"
 ---
@@ -26,6 +26,8 @@ spec:
         - name: docker-config
           readOnly: true
           mountPath: "/root/.docker"
+        - name: temporary-storage
+          mountPath: "/snyk-monitor"
         env:
           - name: SNYK_INTEGRATION_ID
             valueFrom:
@@ -50,6 +52,12 @@ spec:
                 name: snyk-monitor
                 key: clusterName
                 optional: true
+          - name: SNYK_STATIC_ANALYSIS
+            valueFrom:
+              configMapKeyRef:
+                name: snyk-monitor
+                key: staticAnalysis
+                optional: true
         resources:
           requests:
             cpu: '250m'
@@ -69,4 +77,7 @@ spec:
           items:
             - key: dockercfg.json
               path: config.json
+      - name: temporary-storage
+        emptyDir:
+          sizeLimit: 20Gi
       serviceAccountName: snyk-monitor
@@ -75,4 +75,5 @@ data:
   namespace: snyk-monitor
   integrationApi: ""
   clusterName: ""
+  staticAnalysis: "false"
 ---
@@ -27,11 +27,17 @@ spec:
           terminationMessagePath: /dev/termination-log
           terminationMessagePolicy: File
           volumeMounts:
+          {{- if ne .Values.featureFlags.staticAnalysis true }}
           - name: docker-socket-mount
             mountPath: /var/run/docker.sock
+          {{- end }}
           - name: docker-config
             readOnly: true
             mountPath: "/root/.docker"
+          {{- if eq .Values.featureFlags.staticAnalysis true }}
+          - name: temporary-storage
+            mountPath: "/snyk-monitor"
+          {{- end }}
           env:
           - name: SNYK_INTEGRATION_ID
             valueFrom:
@@ -44,6 +50,8 @@ spec:
             value: {{ .Values.integrationApi }}
           - name: SNYK_CLUSTER_NAME
             value: {{ .Values.clusterName }}
+          - name: SNYK_STATIC_ANALYSIS
+            value: {{ quote .Values.featureFlags.staticAnalysis }}
           resources:
             requests:
               cpu: '250m'
@@ -52,12 +60,19 @@ spec:
               cpu: '1'
               memory: '2Gi'
       volumes:
+        {{- if ne .Values.featureFlags.staticAnalysis true }}
         - name: docker-socket-mount
           hostPath:
             path: {{ .Values.dockerSocketHostPath }}
+        {{- end }}
         - name: docker-config
           secret:
             secretName: {{ .Values.monitorSecrets }}
             items:
               - key: dockercfg.json
                 path: config.json
+        {{- if eq .Values.featureFlags.staticAnalysis true }}
+        - name: temporary-storage
+          emptyDir:
+            sizeLimit: 20Gi
+        {{- end }}
@@ -27,3 +27,6 @@ clusterName: ""
 
 # The path of the docker socket on the node. For PKS: /var/vcap/data/sys/run/docker/docker.sock
 dockerSocketHostPath: "/var/run/docker.sock"
+
+featureFlags:
+  staticAnalysis: false
@@ -5,10 +5,10 @@ import { beginWatchingWorkloads } from './kube-scanner/watchers/namespaces';
 
 function safeMonitoring() {
   try {
-    logger.info({cluster: currentClusterName}, 'Starting to monitor');
+    logger.info({cluster: currentClusterName}, 'starting to monitor');
     beginWatchingWorkloads();
   } catch (error) {
-    logger.error({error}, 'An error occurred while monitoring the cluster');
+    logger.error({error}, 'an error occurred while monitoring the cluster');
   }
 }
 
 
@@ -1,10 +1,22 @@
-import { ChildProcessPromise, spawn, SpawnPromiseResult } from 'child-process-promise';
+import { spawn, SpawnPromiseResult } from 'child-process-promise';
+import logger = require('../common/logger');
 
 export function exec(bin: string, ...args: string[]):
-    ChildProcessPromise<SpawnPromiseResult> {
+    Promise<SpawnPromiseResult> {
   if (process.env.DEBUG === 'true') {
     args.push('--debug');
   }
 
-  return spawn(bin, args, { env: process.env, capture: [ 'stdout', 'stderr' ] });
+  // Ensure we're not passing the whole environment to the shelled out process...
+  // For example, that process doesn't need to know secrets like our integrationId!
+  const env = {
+    PATH: process.env.PATH,
+  };
+
+  return spawn(bin, args, { env, capture: [ 'stdout', 'stderr' ] })
+    .catch((error) => {
+      const message = (error && error.stderr) || 'Unknown reason';
+      logger.warn({message, bin, args}, 'could not spawn the process');
+      throw error;
+    });
 }
@@ -7,5 +7,7 @@ const config = require('snyk-config')(__dirname + '/../..', {
 config.AGENT_ID = uuidv4();
 config.INTEGRATION_ID = config.INTEGRATION_ID.trim();
 config.CLUSTER_NAME = config.CLUSTER_NAME || 'Default cluster';
+config.IMAGE_STORAGE_ROOT = '/snyk-monitor';
+config.STATIC_ANALYSIS = config.STATIC_ANALYSIS || false;
 
 export = config;
@@ -0,0 +1,5 @@
+import * as config from './config';
+
+export function isStaticAnalysisEnabled(): boolean {
+  return config.STATIC_ANALYSIS === true;
+}
@@ -1,17 +1,41 @@
 import logger = require('../common/logger');
-import { pull } from './docker';
+import { pull as dockerPull } from './docker';
+import { pull as skopeoCopy, getDestinationForImage } from './skopeo';
+import { unlink } from 'fs';
+import { isStaticAnalysisEnabled } from '../common/features';
+
+export { getDestinationForImage };
 
 export async function pullImages(images: string[]): Promise<string[]> {
   const pulledImages: string[] = [];
 
   for (const image of images) {
     try {
-      await pull(image);
+      if (isStaticAnalysisEnabled()) {
+        await skopeoCopy(image);
+      } else {
+        await dockerPull(image);
+      }
       pulledImages.push(image);
     } catch (error) {
-      logger.error({error, image}, 'Failed to pull image');
+      logger.error({error, image}, 'failed to pull image');
     }
   }
 
   return pulledImages;
 }
+
+export async function removePulledImages(images: string[]) {
+  if (!isStaticAnalysisEnabled()) {
+    return;
+  }
+
+  for (const image of images) {
+    try {
+      const destination = getDestinationForImage(image);
+      await new Promise((resolve) => unlink(destination, resolve));
+    } catch (error) {
+      logger.warn({error, image}, 'failed to delete pulled image');
+    }
+  }
+}
Original file line number	Diff line number	Diff line change
`@@ -5,10 +5,10 @@ import { beginWatchingWorkloads } from './kube-scanner/watchers/namespaces';`
`5`	`5`
`6`	`6`	`function safeMonitoring() {`
`7`	`7`	`try {`
`8`		`- logger.info({cluster: currentClusterName}, 'Starting to monitor');`
	`8`	`+ logger.info({cluster: currentClusterName}, 'starting to monitor');`
`9`	`9`	`beginWatchingWorkloads();`
`10`	`10`	`} catch (error) {`
`11`		`- logger.error({error}, 'An error occurred while monitoring the cluster');`
	`11`	`+ logger.error({error}, 'an error occurred while monitoring the cluster');`
`12`	`12`	`}`
`13`	`13`	`}`
`14`	`14`