A Python CLI that scans for vulnerabilities in Docker container images, developed as a project for the Penetration Testing and Ethical Hacking course, part of the Computer Science Master's Degree program at the University of Salerno
perCIVAl was built to support Vulnerability Assessment of container images. The CLI lets users fetch a Docker image (given its image name and tag), scan it for OS package and language dependency vulnerabilities, and then produce a report.
- Pull a Docker Image
- Scan with Trivy
- Scan for OS package vulnerabilities
- Scan for language dependency vulnerabilities
- Generate report
- Delete temp files (such as image layers and manifest.json)
```
percival/
│── data/
│   ├── images/          # Docker images
│   ├── reports/
│   └── temp/            # Image layers
│
│── percival/
│
│── core/                # Core pipeline modules (fetch, extract, parse, scan, report)
│   ├── __init__.py
│   ├── extract.py       # Layers / manifest.json extraction
│   ├── fetch.py         # Image pull
│   ├── parse.py         # Database file / language dependencies file parsers
│   ├── report.py        # Report generation
│   └── scan.py          # Vulnerability scanner
│
│── helpers/
│   ├── __init__.py
│   ├── api.py           # Vulnerability database queries
│   ├── folders.py
│   └── shell.py
│
│── .gitignore
│── main.py              # CLI entry point
│── README.md
└── requirements.txt
```
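The feature list above and the `extract.py` / `parse.py` modules describe the same pipeline: read `manifest.json` from a saved image, walk the layers in order, and parse the OS package database found in the resulting filesystem. The block below is an added, self-contained illustration of that pipeline and is not perCIVAl's own code. It builds a constructed two-layer `docker save`-style archive in memory, resolves `var/lib/dpkg/status` through the layers (later layers override earlier ones, `.wh.` whiteout entries delete), parses the dpkg status file into installed packages, and refuses layer members whose paths would escape the extraction directory. All function names are assumptions; the package names and versions are made up for the example.

```python
"""Added example (not perCIVAl's code): resolve a file through Docker image
layers via manifest.json and parse the dpkg status database it contains."""
import io
import json
import posixpath
import tarfile


def _add_bytes(tar, name, data):
    """Append an in-memory file to a tar archive being written."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def _layer(files):
    """Build one layer tar (as bytes) from a {path: bytes} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, data in files.items():
            _add_bytes(t, name, data)
    return buf.getvalue()


# Constructed dpkg status stanzas (versions are illustrative, not real advisories).
DPKG_BASE = b"""Package: libc6
Status: install ok installed
Version: 2.31-13+deb11u5
Architecture: amd64

Package: openssl
Status: install ok installed
Version: 1.1.1n-0+deb11u3
Architecture: amd64

"""

DPKG_UPGRADED = b"""Package: libc6
Status: install ok installed
Version: 2.31-13+deb11u7
Architecture: amd64

Package: openssl
Status: install ok installed
Version: 1.1.1w-0+deb11u1
Architecture: amd64

Package: curl
Status: deinstall ok config-files
Version: 7.74.0-1.3+deb11u7
Architecture: amd64

"""


def build_sample_image():
    """Constructed 'docker save' archive: two layers plus manifest.json."""
    layers = {
        "l1/layer.tar": _layer({"var/lib/dpkg/status": DPKG_BASE}),
        "l2/layer.tar": _layer({"var/lib/dpkg/status": DPKG_UPGRADED}),
    }
    manifest = [{"Config": "cfg.json", "RepoTags": ["sample:1.0"],
                 "Layers": ["l1/layer.tar", "l2/layer.tar"]}]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, data in layers.items():
            _add_bytes(t, name, data)
        _add_bytes(t, "manifest.json", json.dumps(manifest).encode())
    return buf.getvalue()


def is_safe_member(name):
    """Reject absolute paths and '..' segments: a hostile layer must not be
    able to write outside data/temp/ when layers are unpacked to disk."""
    norm = posixpath.normpath(name)
    return not name.startswith("/") and ".." not in norm.split("/")


def resolve_file(image_bytes, path):
    """Return the bytes of `path` in the final (merged) filesystem, or None."""
    content = None
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as img:
        manifest = json.load(img.extractfile("manifest.json"))
        whiteout = posixpath.join(posixpath.dirname(path),
                                  ".wh." + posixpath.basename(path))
        for layer_name in manifest[0]["Layers"]:  # lowest layer first
            layer_bytes = img.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                names = set()
                for m in layer.getmembers():
                    if not is_safe_member(m.name):
                        raise ValueError(f"unsafe path in layer: {m.name}")
                    names.add(m.name)
                if whiteout in names:   # upper layer deleted the file
                    content = None
                if path in names:       # upper layer overrides lower one
                    content = layer.extractfile(path).read()
    return content


def parse_dpkg_status(text):
    """Parse dpkg's status file into {name: (version, arch)} for packages whose
    Status ends in 'installed' (removed/config-files stanzas are skipped)."""
    pkgs = {}
    for stanza in text.split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith(" "):
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        if fields.get("Status", "").endswith(" installed"):
            pkgs[fields["Package"]] = (fields["Version"], fields.get("Architecture"))
    return pkgs


def scan_inventory(image_bytes):
    """Inventory the image's installed dpkg packages, ready for DB lookups."""
    raw = resolve_file(image_bytes, "var/lib/dpkg/status")
    return parse_dpkg_status(raw.decode()) if raw else {}


if __name__ == "__main__":
    for name, (version, arch) in scan_inventory(build_sample_image()).items():
        print(f"{name} {version} {arch}")
```

The inventory is what a scanner would then hand to the vulnerability-database query step; note that the upgraded `libc6` and `openssl` versions from the upper layer win, and the `curl` stanza is dropped because its status is `config-files`, not `installed`. The path check matters because layers are untrusted input: an image pulled from a registry can contain `../` or absolute member names that a naive `extractall` would honour.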
- Clone the repository

  ```bash
  git clone https://github.com/raffaeleav/percival.git
  ```

- Install dependencies (assuming conda is being used)

  ```bash
  conda create -n "percival"
  conda activate percival
  pip install -r percival/requirements.txt
  ```

- Switch to the project directory

  ```bash
  cd percival
  ```

- Start the CLI

  ```bash
  python main.py
  ```

- Fetch an image (assuming the Docker daemon is running)

  ```
  fetch <image-name>:<tag>
  ```

- Scan for vulnerabilities

  ```
  vscan <image-name>:<tag>
  ```

- Generate a report (written to the percival/data/reports directory)

  ```
  report <image-name>:<tag>
  ```

Built with:

- cmd2 - used for the CLI development

