Return index manifest and digest when scanning images (#61)

Author: Samu

go.mod

@@ -5,7 +5,7 @@ go 1.24
 toolchain go1.24.2
 
 require (
-	github.com/aquasecurity/trivy v0.61.0
+	github.com/aquasecurity/trivy v0.61.1
 	github.com/containerd/containerd v1.7.27
 	github.com/docker/docker v27.5.1+incompatible
 	github.com/docker/go-connections v0.5.0
@@ -69,7 +69,7 @@ require (
 	github.com/aquasecurity/go-version v0.0.1 // indirect
 	github.com/aquasecurity/iamgo v0.0.10 // indirect
 	github.com/aquasecurity/jfather v0.0.8 // indirect
-	github.com/aquasecurity/trivy-checks v1.8.0 // indirect
+	github.com/aquasecurity/trivy-checks v1.8.1 // indirect
 	github.com/aquasecurity/trivy-db v0.0.0-20250227071930-8bd8a9b89e2d // indirect
 	github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect

go.sum

@@ -750,10 +750,10 @@ github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8 h1:b43UVqY
 github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8/go.mod h1:wXA9k3uuaxY3yu7gxrxZDPo/04FEMJtwyecdAlYrEIo=
 github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
 github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
-github.com/aquasecurity/trivy v0.61.0 h1:FPRAQ9w6tyAXSNsc6encybNfNoRh4l89oPNmkJm+sgM=
-github.com/aquasecurity/trivy v0.61.0/go.mod h1:pZ+6kIfGdyAX7UGr0KF8/fwR1pk36STyaQtLvkHgXLA=
-github.com/aquasecurity/trivy-checks v1.8.0 h1:frMR06SEeDff1oEO6wBaTCqZCTBmZ+j8QAAl5EM1M4w=
-github.com/aquasecurity/trivy-checks v1.8.0/go.mod h1:zc1DGUFDUP/NUEMXlfaMsnVAEEEsygJrcd4SRQ7Mpko=
+github.com/aquasecurity/trivy v0.61.1 h1:Y7Ti5Nm5C2PAlMvPaAW3U/Oe4lQ7717lkjdo0qb+Cyc=
+github.com/aquasecurity/trivy v0.61.1/go.mod h1:QaAc1AijI1d9rEyKdepEpbPDyiUan4FL+qykVA/0WdY=
+github.com/aquasecurity/trivy-checks v1.8.1 h1:7df8KhZ0du2WAdGCUNcKYdz74iubAmP89+vaCUmxGbU=
+github.com/aquasecurity/trivy-checks v1.8.1/go.mod h1:zc1DGUFDUP/NUEMXlfaMsnVAEEEsygJrcd4SRQ7Mpko=
 github.com/aquasecurity/trivy-db v0.0.0-20250227071930-8bd8a9b89e2d h1:T16WrTi21YsMLQVhtp1r1hOIYK3x4BjnftpL9cp64Eo=
 github.com/aquasecurity/trivy-db v0.0.0-20250227071930-8bd8a9b89e2d/go.mod h1:4bTsQPtMBN8v+UfUlE1aQBN1imftefnDafHBF85+aT8=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=

image/daemon.go

@@ -4,55 +4,49 @@ import (
 	"context"
 
 	"github.com/castai/image-analyzer/image/daemon"
+	itypes "github.com/castai/image-analyzer/image/types"
+
 	"github.com/google/go-containerregistry/pkg/name"
 )
 
-func NewFromContainerdDaemon(ctx context.Context, imageName string) (ImageWithIndex, func(), error) {
+func NewFromContainerdDaemon(ctx context.Context, imageName string) (itypes.ImageWithIndex, func(), error) {
 	img, cleanup, err := daemon.ContainerdImage(ctx, imageName)
 	if err != nil {
 		return nil, nil, err
 	}
 	return daemonImage{
-		Image: img,
-		name:  imageName,
+		ImageWithIndex: img,
+		name:           imageName,
 	}, cleanup, nil
 }
 
-func NewFromDockerDaemon(imageName string, ref name.Reference) (ImageWithIndex, func(), error) {
+func NewFromDockerDaemon(imageName string, ref name.Reference) (itypes.ImageWithIndex, func(), error) {
 	img, cleanup, err := daemon.DockerImage(ref)
 	if err != nil {
 		return nil, nil, err
 	}
 	return daemonImage{
-		Image: img,
-		name:  imageName,
+		ImageWithIndex: img,
+		name:           imageName,
 	}, cleanup, nil
 }
 
-func NewFromDockerDaemonTarFile(imageName, localTarPath string, ref name.Reference) (ImageWithIndex, func(), error) {
+func NewFromDockerDaemonTarFile(imageName, localTarPath string, ref name.Reference) (itypes.ImageWithIndex, func(), error) {
 	img, cleanup, err := daemon.DockerTarImage(ref, localTarPath)
 	if err != nil {
 		return nil, nil, err
 	}
 	return daemonImage{
-		Image: img,
-		name:  imageName,
+		ImageWithIndex: img,
+		name:           imageName,
 	}, cleanup, nil
 }
 
 type daemonImage struct {
-	daemon.Image
+	itypes.ImageWithIndex
 	name string
 }
 
 func (d daemonImage) Name() string {
 	return d.name
 }
-
-func (d daemonImage) ID() (string, error) {
-	return ID(d)
-}
-
-func (d daemonImage) LayerIDs() ([]string, error) {
-	return LayerIDs(d)
-}

image/daemon/containerd.go

@@ -15,6 +15,8 @@ import (
 	"os"
 	"time"
 
+	itypes "github.com/castai/image-analyzer/image/types"
+
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/content"
 	"github.com/containerd/containerd/images/archive"
@@ -53,7 +55,7 @@ func imageWriter(client *containerd.Client, img containerd.Image) imageSave {
 }
 
 // ContainerdImage implements v1.Image
-func ContainerdImage(ctx context.Context, imageName string) (Image, func(), error) {
+func ContainerdImage(ctx context.Context, imageName string) (itypes.ImageWithIndex, func(), error) {
 	cleanup := func() {}
 
 	addr := os.Getenv("CONTAINERD_ADDRESS")

image/daemon/docker.go

@@ -11,6 +11,8 @@ import (
 	"fmt"
 	"os"
 
+	itypes "github.com/castai/image-analyzer/image/types"
+
 	"github.com/docker/docker/client"
 	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
@@ -19,7 +21,7 @@ import (
 
 // DockerImage implements v1.Image by extending daemon.Image.
 // The caller must call cleanup() to remove a temporary file.
-func DockerImage(ref name.Reference) (Image, func(), error) {
+func DockerImage(ref name.Reference) (itypes.ImageWithIndex, func(), error) {
 	cleanup := func() {}
 
 	c, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
@@ -70,7 +72,7 @@ func DockerImage(ref name.Reference) (Image, func(), error) {
 
 // DockerTarImage implements v1.Image by extending daemon.Image.
 // The caller must call cleanup() to remove a temporary file.
-func DockerTarImage(ref name.Reference, localTarPath string) (Image, func(), error) {
+func DockerTarImage(ref name.Reference, localTarPath string) (itypes.ImageWithIndex, func(), error) {
 	cleanup := func() {}
 
 	c, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())

image/daemon/image.go

@@ -22,13 +22,6 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/tarball"
 )
 
-type Image interface {
-	v1.Image
-	RepoTags() []string
-	RepoDigests() []string
-	Index() *v1.IndexManifest
-}
-
 var mu sync.Mutex
 
 type opener func() (v1.Image, error)
@@ -89,6 +82,14 @@ func (img *image) populateImage() (err error) {
 	return nil
 }
 
+func (img *image) Name() string {
+	return img.inspect.ID
+}
+
+func (img *image) ID() (string, error) {
+	return img.inspect.ID, nil
+}
+
 func (img *image) ConfigName() (v1.Hash, error) {
 	return v1.NewHash(img.inspect.ID)
 }
@@ -100,8 +101,14 @@ func (img *image) Manifest() (*v1.Manifest, error) {
 	return img.Image.Manifest()
 }
 
-func (img *image) Index() *v1.IndexManifest {
-	return nil
+func (img *image) IndexDigest() (v1.Hash, error) {
+	// index manifest is not available in daemon mode as the image is already pulled
+	return v1.Hash{}, nil
+}
+
+func (img *image) IndexManifest() (*v1.IndexManifest, error) {
+	// index manifest is not available in daemon mode as the image is already pulled
+	return nil, nil
 }
 
 func (img *image) ConfigFile() (*v1.ConfigFile, error) {

image/hostfs/containerd_image.go

@@ -12,6 +12,8 @@ import (
 	"path/filepath"
 	"strings"
 
+	itypes "github.com/castai/image-analyzer/image/types"
+
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/tarball"
 	"github.com/google/go-containerregistry/pkg/v1/types"
@@ -24,7 +26,7 @@ const (
 	blobs = "blobs"
 )
 
-func NewContainerdImage(hash v1.Hash, cfg ContainerdHostFSConfig) (Image, error) {
+func NewContainerdImage(hash v1.Hash, cfg ContainerdHostFSConfig) (itypes.ImageWithIndex, error) {
 	metadataReader := newContainerdMetadataReader(hash, cfg)
 	metadata, err := metadataReader.readMetadata()
 	if err != nil {
@@ -37,12 +39,13 @@ func NewContainerdImage(hash v1.Hash, cfg ContainerdHostFSConfig) (Image, error)
 	}
 
 	return &containerdBlobImage{
-		manifest:    metadata.Manifest,
-		index:       metadata.Index,
-		config:      config,
-		configBytes: configBytes,
-		contentDir:  cfg.ContentDir,
-		imgHash:     metadata.Digest,
+		manifest:       metadata.Manifest,
+		manifestDigest: metadata.ManifestDigest,
+		index:          metadata.Index,
+		indexDigest:    metadata.IndexDigest,
+		config:         config,
+		configBytes:    configBytes,
+		contentDir:     cfg.ContentDir,
 	}, nil
 }
 
@@ -66,9 +69,10 @@ type ContainerdHostFSConfig struct {
 }
 
 type containerdMetadata struct {
-	Index    *v1.IndexManifest
-	Manifest *v1.Manifest
-	Digest   v1.Hash
+	Index          *v1.IndexManifest
+	IndexDigest    v1.Hash
+	Manifest       *v1.Manifest
+	ManifestDigest v1.Hash
 }
 
 type manifestOrIndex struct {
@@ -119,7 +123,7 @@ func (h *containerdMetadataReader) readMetadata() (*containerdMetadata, error) {
 		manOrIdx manifestOrIndex
 	)
 
-	metadata.Digest = h.imgHash
+	metadata.ManifestDigest = h.imgHash
 	if err := readManifest(
 		path.Join(h.cfg.ContentDir, blobs, h.imgHash.Algorithm, h.imgHash.Hex), &manOrIdx,
 	); err != nil {
@@ -138,7 +142,7 @@ func (h *containerdMetadataReader) readMetadata() (*containerdMetadata, error) {
 			return nil, err
 		}
 
-		metadata.Digest = v1.Hash{
+		metadata.ManifestDigest = v1.Hash{
 			Algorithm: "sha256",
 			Hex:       filename,
 		}
@@ -152,6 +156,7 @@ func (h *containerdMetadataReader) readMetadata() (*containerdMetadata, error) {
 	// Search manifest from index manifest.
 	if len(manOrIdx.Manifests) > 0 {
 		metadata.Index = manOrIdx.index()
+		metadata.IndexDigest = h.imgHash
 		for _, manifest := range manOrIdx.Manifests {
 			if matchingPlatform(h.cfg.Platform, *manifest.Platform) {
 				if err := readManifest(
@@ -163,7 +168,7 @@ func (h *containerdMetadataReader) readMetadata() (*containerdMetadata, error) {
 					return nil, errors.New("invalid manifest, no layers")
 				}
 				metadata.Manifest = manOrIdx.manifest()
-				metadata.Digest = manifest.Digest
+				metadata.ManifestDigest = manifest.Digest
 				return &metadata, nil
 			}
 		}
@@ -225,15 +230,28 @@ func (h *containerdMetadataReader) searchManifestPath() (string, string, error)
 }
 
 type containerdBlobImage struct {
-	manifest    *v1.Manifest
-	index       *v1.IndexManifest
-	config      *v1.ConfigFile
-	configBytes []byte
-	imgHash     v1.Hash
+	manifest       *v1.Manifest
+	manifestDigest v1.Hash
+	index          *v1.IndexManifest
+	indexDigest    v1.Hash
+	config         *v1.ConfigFile
+	configBytes    []byte
 
 	contentDir string
 }
 
+func (img *containerdBlobImage) Name() string {
+	return img.config.Config.Image
+}
+
+func (img *containerdBlobImage) ID() (string, error) {
+	h, err := img.ConfigName()
+	if err != nil {
+		return "", err
+	}
+	return h.String(), nil
+}
+
 func (b *containerdBlobImage) Layers() ([]v1.Layer, error) {
 	l := make([]v1.Layer, len(b.manifest.Layers))
 	for i, lay := range b.manifest.Layers {
@@ -259,16 +277,12 @@ func (b *containerdBlobImage) Manifest() (*v1.Manifest, error) {
 	return b.manifest, nil
 }
 
-func (b *containerdBlobImage) Index() *v1.IndexManifest {
-	return b.index
-}
-
 func (b *containerdBlobImage) RawConfigFile() ([]byte, error) {
 	return b.configBytes, nil
 }
 
 func (b *containerdBlobImage) Digest() (v1.Hash, error) {
-	return b.imgHash, nil
+	return b.manifestDigest, nil
 }
 
 func (b *containerdBlobImage) LayerByDigest(hash v1.Hash) (v1.Layer, error) {
@@ -289,6 +303,14 @@ func (b *containerdBlobImage) LayerByDiffID(hash v1.Hash) (v1.Layer, error) {
 	return b.LayerByDigest(l.Digest)
 }
 
+func (b *containerdBlobImage) IndexDigest() (v1.Hash, error) {
+	return b.indexDigest, nil
+}
+
+func (b *containerdBlobImage) IndexManifest() (*v1.IndexManifest, error) {
+	return b.index, nil
+}
+
 // currently unused
 
 func (b *containerdBlobImage) MediaType() (types.MediaType, error) {