├── .gitignore ├── AUTHORS ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── NOTICE.md ├── README.md ├── codebuild ├── README.md └── detect-images.sh ├── ecs ├── README.md └── detect-images.sh ├── kubernetes ├── README.md └── detect-images.sh └── source ├── README.md ├── detect-images.sh ├── public_registries.conf └── test ├── Dockerfile.go-app ├── Dockerfile.go-app-multi-stage ├── Dockerfile.jessie-node ├── Dockerfile.k8s-apiserver ├── Dockerfile.public.ecr.aws └── Dockerfile.ubuntu-postgresql /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | -------------------------------------------------------------------------------- /AUTHORS: -------------------------------------------------------------------------------- 1 | brentley 2 | toricls 3 | rothgar 4 | mhausenblas 5 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | ## Code of Conduct 2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 4 | opensource-codeofconduct@amazon.com with any additional questions or comments. 5 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing Guidelines 2 | 3 | Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional 4 | documentation, we greatly value feedback and contributions from our community. 5 | 6 | Please read through this document before submitting any issues or pull requests to ensure we have all the necessary 7 | information to effectively respond to your bug report or contribution. 8 | 9 | 10 | ## Reporting Bugs/Feature Requests 11 | 12 | We welcome you to use the GitHub issue tracker to report bugs or suggest features. 13 | 14 | When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already 15 | reported the issue. Please try to include as much information as you can. Details like these are incredibly useful: 16 | 17 | * A reproducible test case or series of steps 18 | * The version of our code being used 19 | * Any modifications you've made relevant to the bug 20 | * Anything unusual about your environment or deployment 21 | 22 | 23 | ## Contributing via Pull Requests 24 | Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that: 25 | 26 | 1. You are working against the latest source on the *main* branch. 27 | 2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already. 28 | 3. You open an issue to discuss any significant work - we would hate for your time to be wasted. 29 | 30 | To send us a pull request, please: 31 | 32 | 1. Fork the repository. 33 | 2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change. 34 | 3. Ensure local tests pass. 35 | 4. Commit to your fork using clear commit messages. 36 | 5. Send us a pull request, answering any default questions in the pull request interface. 37 | 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation. 38 | 39 | GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and 40 | [creating a pull request](https://help.github.com/articles/creating-a-pull-request/). 41 | 42 | 43 | ## Finding contributions to work on 44 | Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start. 45 | 46 | 47 | ## Code of Conduct 48 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 49 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 50 | opensource-codeofconduct@amazon.com with any additional questions or comments. 51 | 52 | 53 | ## Security issue notifications 54 | If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue. 55 | 56 | 57 | ## Licensing 58 | 59 | See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution. 60 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | -------------------------------------------------------------------------------- /NOTICE.md: -------------------------------------------------------------------------------- 1 | # Open Source Software Attribution 2 | 3 | The source code of this toolkit is licensed under the Apache License, version 2.0. 4 | A copy of this license is available in the `LICENSE` file in the root directory 5 | of the Git repo. 6 | 7 | Some of the commands used in `kubernetes/detect-images.sh` are based on examples 8 | from the [Kubernetes documentation][1] without modifications. Said Kubernetes 9 | documentation is licensed under [Attribution 4.0 International (CC BY 4.0)][2]. 10 | 11 | 12 | 13 | [1]: https://kubernetes.io/docs/tasks/access-application-cluster/list-all-running-container-images/ 14 | [2]: https://creativecommons.org/licenses/by/4.0/ 15 | 16 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 17 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Public Container Images Detector 2 | 3 | This tool allows you to scan repositories and container orchestrators for 4 | public container images hosted in Docker Hub. 5 | 6 | 7 | ## Install 8 | 9 | In order to use the detector, either clone this repo or download it 10 | and extract it locally. 11 | 12 | ## Use 13 | 14 | ### In Dockerfiles 15 | 16 | Please have a look at the [from source](source/) part for usage details. 17 | 18 | ### ECS 19 | 20 | Please have a look at the [ECS](ecs/) part for usage details. 21 | 22 | ### Kubernetes 23 | 24 | Please have a look at the [Kubernetes](kubernetes/) part for usage details. 25 | 26 | ### CodeBuild 27 | 28 | Please have a look at the [CodeBuild](codebuild/) part for usage details. 29 | -------------------------------------------------------------------------------- /codebuild/README.md: -------------------------------------------------------------------------------- 1 | # AWS CodeBuild 2 | 3 | For AWS CodeBuild projects, use the following script provided. 4 | The script will output all publicly hosted docker images found in the projects. 5 | 6 | The script will use your current AWS CLI credentials to find CodeBuild projects and return a list of image names. 7 | 8 | ``` 9 | $ ./detect-images.sh 10 | 11 | my-cb-project-1 toricls/everlasting-hey-yo:latest 12 | my-cb-project-2 toricls/everlasting-hey-yo:custom 13 | ``` 14 | 15 | The script works with existing `aws` command and your current AWS CLI credentials. 16 | If you would like to iterate over all configured AWS profiles then you can use a loop similar to the example below. 17 | 18 | ``` 19 | for prof in $(aws configure list-profiles); do 20 | export AWS_PROFILE=$prof && ./detect-images.sh \ 21 | | sed "s/^/$prof /" 22 | done 23 | 24 | profile1 my-cb-project-1 toricls/everlasting-hey-yo:latest 25 | profile1 my-cb-project-2 toricls/everlasting-hey-yo:custom 26 | profile2 another-cb-project docker:dind 27 | ``` 28 | 29 | If you have multiple regions or AWS profiles with projects you can also use additional for loops to get containers from all your projects. 30 | 31 | ``` 32 | for prof in $(aws configure list-profiles); do 33 | export AWS_PROFILE=$prof 34 | for region in us-east-1 eu-west-1 us-west-2; do 35 | export AWS_REGION=$region && ./detect-images.sh \ 36 | | sed "s/^/$prof $region /" 37 | done 38 | done 39 | 40 | profileDev us-east-1 my-cb-project docker:dind 41 | profileStg us-east-1 another-cb-project docker:dind 42 | profileStg us-west-2 another-cb-project docker:dind 43 | profileProd us-east-1 another-cb-project docker:dind 44 | profileProd us-west-2 another-cb-project docker:dind 45 | ``` 46 | 47 | Note that at the current point we filter images based on detecting 48 | a FQDN in the first field of the image name except `docker.io`. This may not be a perfect 49 | matching strategy, but we hope it will work for the large majority of cases. 50 | -------------------------------------------------------------------------------- /codebuild/detect-images.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -eu 3 | 4 | function listCodeBuildProjects() { 5 | starting_token=$1 6 | 7 | cmd="aws codebuild list-projects --sort-by NAME --sort-order ASCENDING --max-items 30 --output json --query={NextToken:NextToken,projects:projects[*]}" 8 | if [[ "x$starting_token" = "x" ]]; then 9 | output=$($cmd) 10 | else 11 | output=$($cmd --starting-token $starting_token) 12 | fi 13 | echo $output 14 | } 15 | 16 | project_names="" 17 | next_token="" 18 | while [[ ! "x$next_token" = "xnull" ]] 19 | do 20 | output=$(listCodeBuildProjects "$next_token") 21 | next_token=$(echo $output | grep -Eo '"NextToken": [^,]*' | grep -Eo '[^ :]*$' | sed 's/"//g') 22 | projects=$(echo $output | grep -Eo '"projects": \[.*\]' | sed 's/"projects": \[//g' | grep -Eo '"[^,]*"' | sed 's/"//g') 23 | project_names="$projects $project_names" 24 | done 25 | 26 | if [[ -z "${project_names// }" ]]; then 27 | exit 0 28 | fi 29 | 30 | for project in $project_names; do 31 | images=$(aws codebuild batch-get-projects --names "$project" --query="projects[].environment | [?!(starts_with(image,'aws/codebuild/'))].image | sort(@) | join(' ', @)" --output text) 32 | dhimages=() 33 | for i in ${images[*]}; 34 | do 35 | if ! echo $i | awk -F '[/:]' '{print $1}' | grep -q '\.' ; then 36 | dhimages+=("$i") 37 | elif echo $i | grep -q docker.io ; then 38 | dhimages+=("$i") 39 | fi 40 | done 41 | 42 | if [[ ! -z "${dhimages[*]+"${dhimages[*]}"}" ]]; then 43 | for image in ${dhimages[*]}; do 44 | echo "$project $image" 45 | done 46 | fi 47 | done 48 | -------------------------------------------------------------------------------- /ecs/README.md: -------------------------------------------------------------------------------- 1 | # Amazon ECS 2 | 3 | For Amazon ECS clusters, use the following script provided. 4 | The script will output all publicly hosted docker images found in the clusters. 5 | 6 | The script will use your current AWS CLI credentials to find ECS clusters and return a list of image names in alphabetical order. 7 | 8 | ``` 9 | $ ./detect-images.sh 10 | 11 | arn:aws:ecs:us-west-2:123456789012:cluster/myECSCluster amazon/aws-xray-daemon 12 | arn:aws:ecs:us-west-2:123456789012:cluster/exampleCluster amazon/aws-xray-daemon:latest 13 | arn:aws:ecs:us-west-2:123456789012:cluster/exampleCluster nginx:latest 14 | ``` 15 | 16 | The script works with existing `aws` command and your current AWS CLI credentials. 17 | If you would like to iterate over all configured AWS profiles then you can use a loop similar to the example below. 18 | 19 | ``` 20 | for prof in $(aws configure list-profiles); do 21 | export AWS_PROFILE=$prof && ./detect-images.sh \ 22 | | sed "s/^/$prof /" 23 | done 24 | 25 | profile1 arn:aws:ecs:us-east-1:123456789012:cluster/myECSCluster amazon/aws-xray-daemon 26 | profile1 arn:aws:ecs:us-east-1:123456789012:cluster/exampleCluster amazon/aws-xray-daemon:latest 27 | profile1 arn:aws:ecs:us-east-1:123456789012:cluster/exampleCluster nginx:latest 28 | profile2 arn:aws:ecs:us-west-2:123456789012:cluster/myDemoCluster adam9098/ecsdemo-crystal 29 | profile2 arn:aws:ecs:us-west-2:123456789012:cluster/myDemoCluster adam9098/ecsdemo-frontend 30 | profile2 arn:aws:ecs:us-west-2:123456789012:cluster/myDemoCluster brentley/ecsdemo-nodejs:cdk 31 | ``` 32 | 33 | If you have multiple regions or AWS profiles with clusters you can also use additional for loops to get containers from all your clusters. 34 | 35 | ``` 36 | for prof in $(aws configure list-profiles); do 37 | export AWS_PROFILE=$prof 38 | for region in us-east-1 eu-west-1 us-west-2; do 39 | export AWS_REGION=$region && ./detect-images.sh \ 40 | | sed "s/^/$prof $region /" 41 | done 42 | done 43 | 44 | profileStg us-east-1 arn:aws:ecs:us-east-1:123456789012:cluster/myDemoCluster httpd:2.4 45 | profileStg us-east-1 arn:aws:ecs:us-east-1:123456789012:cluster/myDemoCluster nginx:latest 46 | profileStg us-west-2 arn:aws:ecs:us-west-2:123456789012:cluster/myWebServiceCluster adam9098/ecsdemo-crystal 47 | profileStg us-west-2 arn:aws:ecs:us-west-2:123456789012:cluster/myWebServiceCluster adam9098/ecsdemo-frontend 48 | profileStg us-west-2 arn:aws:ecs:us-west-2:123456789012:cluster/myWebServiceCluster brentley/ecsdemo-nodejs:cdk 49 | profileProd us-west-2 arn:aws:ecs:us-west-2:210987654321:cluster/myWebServiceCluster adam9098/ecsdemo-crystal 50 | profileProd us-west-2 arn:aws:ecs:us-west-2:210987654321:cluster/myWebServiceCluster adam9098/ecsdemo-frontend 51 | profileProd us-west-2 arn:aws:ecs:us-west-2:210987654321:cluster/myWebServiceCluster brentley/ecsdemo-nodejs:cdk 52 | ``` 53 | 54 | Note that at the current point we filter images based on detecting 55 | a FQDN in the first field of the image name except `docker.io`. This may not be a perfect 56 | matching strategy, but we hope it will work for the large majority of cases. 57 | -------------------------------------------------------------------------------- /ecs/detect-images.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -eu 3 | 4 | function listEcsClusters() { 5 | starting_token=$1 6 | 7 | cmd="aws ecs list-clusters --max-items 30 --output json --query={NextToken:NextToken,clusterArns:clusterArns[*]}" 8 | if [[ "x$starting_token" = "x" ]]; then 9 | output=$($cmd) 10 | else 11 | output=$($cmd --starting-token $starting_token) 12 | fi 13 | echo $output 14 | } 15 | 16 | function listEcsTasksInCluster() { 17 | cluster=$1 18 | starting_token=$2 19 | 20 | cmd="aws ecs list-tasks --cluster $cluster --max-items 100 --output json --query={NextToken:NextToken,taskArns:taskArns[*]}" 21 | if [[ "x$starting_token" = "x" ]]; then 22 | output=$($cmd) 23 | else 24 | output=$($cmd --starting-token $starting_token) 25 | fi 26 | echo $output 27 | } 28 | 29 | clusters="" 30 | next_token="" 31 | while [[ ! "x$next_token" = "xnull" ]] 32 | do 33 | output=$(listEcsClusters "$next_token") 34 | next_token=$(echo $output | grep -Eo '"NextToken": [^,]*' | grep -Eo '[^ :]*$' | sed 's/"//g') 35 | cluster_arns=$(echo $output | grep -Eo '"clusterArns": \[.*\]' | grep -Eo '"arn:[^,]*"' | sed 's/"//g') 36 | clusters="$cluster_arns $clusters" 37 | done 38 | 39 | if [[ -z "${clusters// }" ]]; then 40 | exit 0 41 | fi 42 | 43 | for cluster in $clusters; do 44 | cluster_images="" 45 | next_token="" 46 | while [[ ! "x$next_token" = "xnull" ]] 47 | do 48 | output=$(listEcsTasksInCluster $cluster "$next_token") 49 | next_token=$(echo $output | grep -Eo '"NextToken": [^,]*' | grep -Eo '[^ :]*$' | sed 's/"//g') 50 | task_arns=$(echo $output | grep -Eo '"taskArns": \[.*\]' | grep -Eo '"arn:[^,]*"' | sed 's/"//g' || echo "") 51 | if [[ -z "$task_arns" ]]; then 52 | break 53 | fi 54 | task_images=$(aws ecs describe-tasks --cluster $cluster --tasks $task_arns --query="tasks[].containers[].image | sort(@) | join(' ', @)" --output text) 55 | cluster_images="$task_images $cluster_images" 56 | done 57 | 58 | images=$(echo $cluster_images | tr -s " " "\n" | sort -u) 59 | dhimages=() 60 | 61 | for i in ${images[*]}; 62 | do 63 | if ! echo $i | awk -F '[/:]' '{print $1}' | grep -q '\.' ; then 64 | dhimages+=("$i") 65 | elif echo $i | grep -q docker.io ; then 66 | dhimages+=("$i") 67 | fi 68 | done 69 | 70 | if [[ ! -z "${dhimages[*]+"${dhimages[*]}"}" ]]; then 71 | for image in ${dhimages[*]}; do 72 | echo "$cluster $image" 73 | done 74 | fi 75 | done 76 | -------------------------------------------------------------------------------- /kubernetes/README.md: -------------------------------------------------------------------------------- 1 | # Kubernetes 2 | 3 | For Kubernetes clusters such as Amazon EKS, use the following script provided. 4 | The script will output all publicly hosted docker images found in the cluster. 5 | 6 | The script will use your current kubectl context and return a list of image names in alphabetical order. 7 | 8 | ``` 9 | $ ./detect-images.sh 10 | 11 | grafana/grafana:6.0.0 12 | mongo 13 | prom/alertmanager:v0.20.0 14 | prom/node-exporter:v0.18.1 15 | prom/prometheus:v2.17.2 16 | rabbitmq:3.6.8 17 | redis:alpine 18 | sentry:9.1.2 19 | ``` 20 | 21 | The script works with existing `kubectl` and your current `KUBECONFIG` and context. 22 | If you keep separate files for your clusters you can combine them into one `KUBECONFIG` variable with colon separators. 23 | 24 | ``` 25 | export KUBECONFIG=$HOME/.kube/config:$HOME/.kube/eksctl/clusters/cluster1 26 | ``` 27 | 28 | If you would like to iterate over all contexts in your `KUBECONFIG` then you can use a loop similar to the example below. 29 | 30 | ``` 31 | for CONTEXT in $(kubectl config get-contexts --output name); do 32 | kubectl config use-context $CONTEXT >/dev/null && ./detect-images.sh \ 33 | | sed "s/^/$CONTEXT /" 34 | done 35 | 36 | admin@cluster1.us-west-2.eksctl.io grafana/grafana:6.0.0 37 | admin@cluster1.us-west-2.eksctl.io mongo 38 | admin@cluster1.us-west-2.eksctl.io prom/alertmanager:v0.20.0 39 | admin@cluster1.us-west-2.eksctl.io prom/node-exporter:v0.18.1 40 | admin@cluster1.us-west-2.eksctl.io prom/prometheus:v2.17.2 41 | admin@cluster1.us-west-2.eksctl.io rabbitmq:3.6.8 42 | admin@cluster1.us-west-2.eksctl.io redis:alpine 43 | admin@cluster1.us-west-2.eksctl.io sentry:9.1.2 44 | ``` 45 | 46 | If you have multiple regions or AWS profiles with clusters you can also use additional for loops to get containers from all your clusters. 47 | Clusters that cannot be reached will silently fail. 48 | 49 | ``` 50 | for AWS_PROFILE in stage prod dev; do 51 | for AWS_REGION in us-east-1 us-west-2; do 52 | for CONTEXT in $(kubectl config get-contexts --output name); do 53 | kubectl config use-context $CONTEXT >/dev/null && ./detect-images.sh \ 54 | | sed "s/^/$AWS_PROFILE $AWS_REGION $CONTEXT /" 55 | done 56 | done 57 | done 58 | 59 | stage us-west-2 admin@cluster1.us-west-2.eksctl.io grafana/grafana:6.0.0 60 | stage us-west-2 admin@cluster1.us-west-2.eksctl.io mongo 61 | stage us-west-2 admin@cluster1.us-west-2.eksctl.io prom/alertmanager:v0.20.0 62 | stage us-west-2 admin@cluster1.us-west-2.eksctl.io prom/node-exporter:v0.18.1 63 | stage us-west-2 admin@cluster1.us-west-2.eksctl.io prom/prometheus:v2.17.2 64 | stage us-west-2 admin@cluster1.us-west-2.eksctl.io rabbitmq:3.6.8 65 | stage us-west-2 admin@cluster1.us-west-2.eksctl.io redis:alpine 66 | stage us-west-2 admin@cluster1.us-west-2.eksctl.io sentry:9.1.2 67 | ``` 68 | 69 | Note that at the current point we filter images based on detecting 70 | a FQDN in the first field of the image name. This may not be a perfect 71 | matching strategy, but we hope it will work for the large majority of cases. 72 | -------------------------------------------------------------------------------- /kubernetes/detect-images.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # set -o errexit 4 | set -o errtrace 5 | set -o pipefail 6 | 7 | ### DEPENDENCIES CHECKS 8 | 9 | if ! [ -x "$(command -v kubectl)" ]; then 10 | echo "Pre-flight check failed: kubectl is not installed." 11 | echo "Please install kubectl using https://kubernetes.io/docs/tasks/tools/install-kubectl/ and try again?" >&2 12 | exit 1 13 | fi 14 | 15 | function detectForMachine() { 16 | # could be an inactive cluster so let's first check if we can use it: 17 | kubectl version &>/dev/null 18 | outcome=$? 19 | if [ $outcome -eq 0 ]; then 20 | # Note that the following is based on the command from the upstream docs, see: 21 | # https://kubernetes.io/docs/tasks/access-application-cluster/list-all-running-container-images/ 22 | dhimages=() 23 | allimages=$(kubectl get pods --all-namespaces -o jsonpath="{..image}" | tr -s " " "\n" | sort -u) 24 | 25 | for i in ${allimages[*]} 26 | do 27 | if ! echo $i | awk -F '[/:]' '{print $1}' | grep -q '\.' ; then 28 | dhimages+=("$i") 29 | elif echo $i | grep -q docker.io ; then 30 | dhimages+=("$i") 31 | fi 32 | done 33 | 34 | if [[ ! -z "$dhimages" ]]; then 35 | for image in ${dhimages[*]}; do 36 | echo "$image" 37 | done 38 | fi 39 | fi 40 | } 41 | 42 | ### MAIN 43 | 44 | # obtain the name of the current cluster: 45 | cluster=$(kubectl config current-context) 46 | 47 | if [[ -z "$cluster" ]]; then 48 | echo "No cluster context configured, exiting." 49 | exit 2 50 | fi 51 | 52 | detectForMachine 53 | 54 | -------------------------------------------------------------------------------- /source/README.md: -------------------------------------------------------------------------------- 1 | # From source 2 | 3 | If you have a directory that contains files named `Dockerfile*`, for example in a Git repo, you can use the following script provided. 4 | 5 | The script will recurse the target directory, looking for `Dockerfile*` and probe them for `FROM xxx` statements and list all container images hosted on Docker Hub. 6 | This assumes any referenced images have an associated tag. 7 | 8 | For example, `amazonlinux:2` or `amazonlinux:latest` will be discovered. `amazonlinux` will be missed. 9 | 10 | The script will print out Dockerfile location and image on each line. 11 | If a Dockerfile has multiple `FROM` images each one will be printed. 12 | 13 | ## Examples 14 | 15 | Run the script to recursively detect Dockerfiles in your current directory. 16 | 17 | ``` 18 | ./detect-images.sh 19 | 20 | ./Dockerfile golang:1.15.0 21 | ./Dockerfile golangci/golangci-lint:v1.27-alpine 22 | ./Dockerfile amazonlinux:2 23 | ``` 24 | 25 | Optionally you can provide a directory you would like the script to search 26 | 27 | ``` 28 | ./detect-images.sh ~/src/aws-load-balancer-controller 29 | 30 | /home/user/src/aws-load-balancer-controller/Dockerfile golang:1.15.0 31 | /home/user/src/aws-load-balancer-controller/Dockerfile golangci/golangci-lint:v1.27-alpine 32 | /home/user/src/aws-load-balancer-controller/Dockerfile amazonlinux:2 33 | ``` 34 | -------------------------------------------------------------------------------- /source/detect-images.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -o errtrace 4 | set -o pipefail 5 | 6 | function detect() { 7 | 8 | tdir=$(dirname $TARGET_DIR)/$(basename $TARGET_DIR) 9 | 10 | # iterate over all Dockerfiles and list images: 11 | filelist=($(find ${tdir} -type f -name Dockerfile\*)) 12 | 13 | # capture the public registry list 14 | registrylist=$(cat public_registries.conf) 15 | 16 | for dockerfile in ${filelist[*]}; do 17 | images=$(grep "^FROM" $dockerfile | grep -E -o [^[:space:]]+:[^[:space:]]+) 18 | for image in $images; do 19 | for registry in $registrylist; do 20 | if ! echo $image | awk -F '[/:]' '{print $1}' | grep -q '\.'; then 21 | echo "$dockerfile $image" 22 | break 23 | elif echo $image | grep -q $registry ; then 24 | echo "$dockerfile $image" 25 | break 26 | fi 27 | done 28 | done 29 | done 30 | } 31 | 32 | ### MAIN 33 | TARGET_DIR=${1:-$PWD} 34 | 35 | detect 36 | -------------------------------------------------------------------------------- /source/public_registries.conf: -------------------------------------------------------------------------------- 1 | docker.io 2 | quay.io 3 | public.ecr.aws -------------------------------------------------------------------------------- /source/test/Dockerfile.go-app: -------------------------------------------------------------------------------- 1 | FROM golang:1.14 2 | 3 | WORKDIR /go/src/app 4 | COPY . . 5 | 6 | RUN go get -d -v ./... 7 | RUN go install -v ./... 8 | 9 | CMD ["app"] 10 | -------------------------------------------------------------------------------- /source/test/Dockerfile.go-app-multi-stage: -------------------------------------------------------------------------------- 1 | # from https://docs.docker.com/develop/develop-images/multistage-build/ 2 | FROM golang:1.7.3 3 | WORKDIR /go/src/github.com/alexellis/href-counter/ 4 | RUN go get -d -v golang.org/x/net/html 5 | COPY app.go . 6 | RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app . 7 | 8 | FROM alpine:latest 9 | RUN apk --no-cache add ca-certificates 10 | WORKDIR /root/ 11 | COPY --from=0 /go/src/github.com/alexellis/href-counter/app . 12 | CMD ["./app"] 13 | -------------------------------------------------------------------------------- /source/test/Dockerfile.jessie-node: -------------------------------------------------------------------------------- 1 | FROM buildpack-deps:jessie 2 | 3 | RUN groupadd --gid 1000 node \ 4 | && useradd --uid 1000 --gid node --shell /bin/bash --create-home node 5 | 6 | # gpg keys listed at https://github.com/nodejs/node 7 | RUN set -ex \ 8 | && for key in \ 9 | 9554F04D7259F04124DE6B476D5A82AC7E37093B \ 10 | 94AE36675C464D64BAFA68DD7434390BDBE9B9C5 \ 11 | 0034A06D9D9B0064CE8ADF6BF1747F4AD2306D93 \ 12 | FD3A5288F042B6850C66B31F09FE44734EB7990E \ 13 | 71DCFD284A79C3B38668286BC97EC7A07EDE3FC1 \ 14 | DD8F2338BAE7501E3DD5AC78C273792F7D83545D \ 15 | B9AE9905FFD7803F25714661B63B535A4C206CA9 \ 16 | C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8 \ 17 | ; do \ 18 | gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; \ 19 | done 20 | 21 | ENV NPM_CONFIG_LOGLEVEL info 22 | ENV NODE_VERSION 7.4.0 23 | 24 | RUN curl -SLO "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-x64.tar.xz" \ 25 | && curl -SLO "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ 26 | && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ 27 | && grep " node-v$NODE_VERSION-linux-x64.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ 28 | && tar -xJf "node-v$NODE_VERSION-linux-x64.tar.xz" -C /usr/local --strip-components=1 \ 29 | && rm "node-v$NODE_VERSION-linux-x64.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ 30 | && ln -s /usr/local/bin/node /usr/local/bin/nodejs 31 | 32 | CMD [ "node" ] 33 | -------------------------------------------------------------------------------- /source/test/Dockerfile.k8s-apiserver: -------------------------------------------------------------------------------- 1 | # Copyright 2016 The Kubernetes Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # Inspired by https://github.com/kubernetes/kubernetes/tree/master/cluster/addons/addon-manager 16 | 17 | FROM k8s.gcr.io/kube-addon-manager-arm:v1.18.0 18 | 19 | RUN clean-install bash 20 | 21 | ADD kube-addons.sh /opt/ 22 | ADD kube-addons-main.sh /opt/ 23 | ADD kubectl /usr/local/bin/ 24 | 25 | CMD ["/opt/kube-addons-main.sh"] 26 | -------------------------------------------------------------------------------- /source/test/Dockerfile.public.ecr.aws: -------------------------------------------------------------------------------- 1 | FROM public.ecr.aws/amazonlinux/amazonlinux:latest 2 | 3 | # Install dependencies 4 | RUN yum update -y && \ 5 | yum install -y httpd 6 | 7 | # Install apache and write hello world message 8 | RUN echo 'Hello World!' > /var/www/html/index.html 9 | 10 | # Configure apache 11 | RUN echo 'mkdir -p /var/run/httpd' >> /root/run_apache.sh && \ 12 | echo 'mkdir -p /var/lock/httpd' >> /root/run_apache.sh && \ 13 | echo '/usr/sbin/httpd -D FOREGROUND' >> /root/run_apache.sh && \ 14 | chmod 755 /root/run_apache.sh 15 | 16 | EXPOSE 80 17 | 18 | CMD /root/run_apache.sh 19 | 20 | -------------------------------------------------------------------------------- /source/test/Dockerfile.ubuntu-postgresql: -------------------------------------------------------------------------------- 1 | # 2 | # example Dockerfile for https://docs.docker.com/engine/examples/postgresql_service/ 3 | # 4 | 5 | FROM ubuntu:16.04 6 | 7 | # Add the PostgreSQL PGP key to verify their Debian packages. 8 | # It should be the same key as https://www.postgresql.org/media/keys/ACCC4CF8.asc 9 | RUN apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8 10 | 11 | # Add PostgreSQL's repository. It contains the most recent stable release 12 | # of PostgreSQL. 13 | RUN echo "deb http://apt.postgresql.org/pub/repos/apt/ precise-pgdg main" > /etc/apt/sources.list.d/pgdg.list 14 | 15 | # Install ``python-software-properties``, ``software-properties-common`` and PostgreSQL 9.3 16 | # There are some warnings (in red) that show up during the build. You can hide 17 | # them by prefixing each apt-get statement with DEBIAN_FRONTEND=noninteractive 18 | RUN apt-get update && apt-get install -y python-software-properties software-properties-common postgresql-9.3 postgresql-client-9.3 postgresql-contrib-9.3 19 | 20 | # Note: The official Debian and Ubuntu images automatically ``apt-get clean`` 21 | # after each ``apt-get`` 22 | 23 | # Run the rest of the commands as the ``postgres`` user created by the ``postgres-9.3`` package when it was ``apt-get installed`` 24 | USER postgres 25 | 26 | # Create a PostgreSQL role named ``docker`` with ``docker`` as the password and 27 | # then create a database `docker` owned by the ``docker`` role. 28 | # Note: here we use ``&&\`` to run commands one after the other - the ``\`` 29 | # allows the RUN command to span multiple lines. 30 | RUN /etc/init.d/postgresql start &&\ 31 | psql --command "CREATE USER docker WITH SUPERUSER PASSWORD 'docker';" &&\ 32 | createdb -O docker docker 33 | 34 | # Adjust PostgreSQL configuration so that remote connections to the 35 | # database are possible. 36 | RUN echo "host all all 0.0.0.0/0 md5" >> /etc/postgresql/9.3/main/pg_hba.conf 37 | 38 | # And add ``listen_addresses`` to ``/etc/postgresql/9.3/main/postgresql.conf`` 39 | RUN echo "listen_addresses='*'" >> /etc/postgresql/9.3/main/postgresql.conf 40 | 41 | # Expose the PostgreSQL port 42 | EXPOSE 5432 43 | 44 | # Add VOLUMEs to allow backup of config, logs and databases 45 | VOLUME ["/etc/postgresql", "/var/log/postgresql", "/var/lib/postgresql"] 46 | 47 | # Set the default command to run when starting the container 48 | CMD ["/usr/lib/postgresql/9.3/bin/postgres", "-D", "/var/lib/postgresql/9.3/main", "-c", "config_file=/etc/postgresql/9.3/main/postgresql.conf"] 49 | --------------------------------------------------------------------------------