sonatype/nexus-iq-cli
This Docker image wraps the Sonatype IQ CLI. It performs a component intelligence evaluation against the files in the mounted workspace.
docker run sonatype/nexus-iq-cli /sonatype/evaluate [options] <files or directories to scan>
Assuming the content to be evaluated is in the mycontent directory (on the host machine) and the policy evaluation results should be stored in the myresults directory (on the host machine), the command will be:
docker run -v mycontent:/target -v myresults:/sonatype/reports sonatype/nexus-iq-cli /sonatype/evaluate -s https://iq.myCompany.com -a user:password -i WEBAPP /target/our-web-app.war
If the target folder name contains a space, wrap the target path in single quotes and escape the space with a backslash. For example, given the folder name 'target folder', use the following syntax:
'/target\ folder/our-web-app.war'
The CLI accepts the following options:
-s, --server-url <http[s]://...>
-a, --authentication <username:password>
-i, --application-id <app ID>
-t, --stage <stage>
-O, --organization-id <organization ID>
-r, --result-file </path/to/file.json>
-w, --fail-on-policy-warnings
-e, --ignore-system-errors
-E, --ignore-scanning-errors
-p, --proxy <host[:port]>
-U, --proxy-user <username:password>
-X, --debug
-h, --help
-c, --code-flow-analysis
-cn, --code-flow-analysis-namespaces <namespace> (may be given more than once, e.g. -cn namespace1 -cn namespace2)
This docker image can also collect Git information, such as the commit hash and repository URL, which is sent to Nexus IQ as part of the evaluation. To enable it, the mounted workspace must contain the .git folder and the image must be made aware of it via the GIT_DIR environment variable.
Assuming the content to be evaluated is in the current directory (on the host machine) and the .git folder is directly under the current directory, the command will look like:
docker run --env GIT_DIR=/target/.git -v $(pwd):/target sonatype/nexus-iq-cli /sonatype/evaluate -s https://iq.myCompany.com -a user:password -i iq-application '/target/**/*.jar'
This approach depends on the .git folder actually being part of the mounted folder.
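The two invocations above hard-code the IQ credential in the command line. The wrapper below is an added example, not Sonatype's own code: it assembles the same documented `docker run ... sonatype/nexus-iq-cli /sonatype/evaluate` invocation for a CI job, takes the credential from the IQ_USER and IQ_PASSWORD environment variables (assumed to be injected by the CI secret store), refuses a non-https server URL so the credential is not sent in the clear, adds the GIT_DIR environment variable only when the workspace really contains a .git folder, and writes the result file into the mounted reports directory. The host paths, application id, stage and the IQ_DRY_RUN switch are illustrative assumptions; the image name and the /sonatype/evaluate entry point are the ones documented on this page.

```shell
#!/bin/sh
# Added example, not Sonatype's code: wrapper for the documented IQ CLI image.
# Assumptions (not from the page): IQ_USER / IQ_PASSWORD come from the CI
# secret store; IQ_DRY_RUN=1 prints the argument list instead of running docker.

IQ_IMAGE=${IQ_IMAGE:-sonatype/nexus-iq-cli}

# run_evaluate WORKSPACE REPORTS_DIR SERVER_URL APP_ID STAGE TARGET...
#   WORKSPACE    host directory mounted at /target (read-only: the scan only reads it)
#   REPORTS_DIR  host directory mounted at /sonatype/reports
#   TARGET...    paths as seen inside the container, e.g. /target/our-web-app.war
# Returns the CLI's exit status (non-zero on policy failure; with -w also on warnings).
run_evaluate() {
    workspace=$1; reports=$2; server=$3; app_id=$4; stage=$5
    shift 5

    # Fail fast without credentials; never fall back to a default password.
    : "${IQ_USER:?IQ_USER must be set}"
    : "${IQ_PASSWORD:?IQ_PASSWORD must be set}"

    # The credential is sent with -a, so insist on TLS to the IQ server.
    case $server in
        https://*) ;;
        *) echo "run_evaluate: refusing non-https server URL: $server" >&2; return 2 ;;
    esac

    # Only pass GIT_DIR when the .git folder is really inside the mount,
    # which is what the Git-metadata feature depends on.
    git_env=
    if [ -d "$workspace/.git" ]; then
        git_env="--env GIT_DIR=/target/.git"
    fi

    # $git_env is deliberately unquoted: it is empty or exactly two safe tokens.
    set -- docker run --rm \
        -v "$workspace:/target:ro" \
        -v "$reports:/sonatype/reports" \
        $git_env \
        "$IQ_IMAGE" /sonatype/evaluate \
        -s "$server" \
        -a "$IQ_USER:$IQ_PASSWORD" \
        -i "$app_id" \
        -t "$stage" \
        -r /sonatype/reports/result.json \
        -w \
        "$@"

    if [ "${IQ_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"   # one argument per line, for inspection
        return 0
    fi
    "$@"
}

# Example call (illustrative paths; requires docker and the IQ_* variables):
# run_evaluate "$PWD" "$HOME/myresults" https://iq.myCompany.com WEBAPP build /target/our-web-app.war
```

Keeping the credential in environment variables keeps it out of the script and the job definition, but `-a` still places it in the container's argument list, where it is visible to anyone on the host who can run `docker inspect`; treat the CI runner accordingly. Drop `:ro` from the workspace mount if your scan needs to write there.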
It is also possible to scan a docker image instead of a component. The docker image to be scanned can be a local image, an image in a public registry or an image in a private registry.
For scanning remote images, the following environment variables must be passed in if the image is private. They hold the credentials for the registry that serves the private image being scanned; if the image is publicly available, they are not needed.
NEXUS_CONTAINER_IMAGE_REGISTRY_USER
NEXUS_CONTAINER_IMAGE_REGISTRY_PASSWORD
An example for scanning a local docker image would be as follows:
docker run --rm -v ~/sonatype/reports:/sonatype/reports -v /var/run/docker.sock:/var/run/docker.sock sonatype/nexus-iq-cli sonatype/evaluate -s https://iq.server -a user:password -i app-name container:alpine:3.6
The final parameter can be changed as follows for scanning a remote image:
container:https://registry.hub.docker.com/library/alpine:3.4
In this case, if the image is private, the environment variables must be provided as follows:
-e NEXUS_CONTAINER_IMAGE_REGISTRY_USER=registry-username -e NEXUS_CONTAINER_IMAGE_REGISTRY_PASSWORD=registry-password
This feature is currently not supported on Windows machines.
A mount path is required for container scans in versions 1.183.0 and earlier. The following command applies specifically to these versions:
docker run --rm -v ~/sonatype/reports:/sonatype/reports -v /tmp:/tmp -v /var/run/docker.sock:/var/run/docker.sock sonatype/nexus-iq-cli sonatype/evaluate -s https://iq.server -a user:password -i app-name container:alpine:3.6
To change the mount path, set the NEXUS_CONTAINER_SCANNING_MOUNT_PATH environment variable. Additionally, the volume mapping must be modified as shown below:
-e NEXUS_CONTAINER_SCANNING_MOUNT_PATH=/Users/home/custom-tmp-folder -v /Users/home/custom-tmp-folder:/Users/home/custom-tmp-folder
Full release notes for the Sonatype IQ CLI docker image are available here.
Full IQ Server release notes are available here.
docker pull sonatype/nexus-iq-cli