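/**
 * @fileoverview Container Image Scanner - scans container images for vulnerabilities
 * @module @nahisaho/musubix-security/analyzers/container/image-scanner
 * @trace DES-SEC2-CONTAINER-001, REQ-SEC2-CONTAINER-001
 *
 * Declaration file: only the public and private member signatures of the
 * scanner are visible here; the behavior lives in the compiled `.js` module.
 */
import type { Vulnerability, Severity } from '../../types/vulnerability.js';

/**
 * A single vulnerability found in a package installed in a container image.
 */
export interface ContainerVulnerability {
  /** Finding identifier */
  id: string;
  /** Name of the affected package */
  packageName: string;
  /** Version of the package present in the image */
  installedVersion: string;
  /**
   * Version that fixes the issue; absent for unfixed findings
   * (see `ImageScanOptions.includeUnfixed`).
   */
  fixedVersion?: string;
  /** Severity on the shared `Severity` scale */
  severity: Severity;
  /** CVE identifier, when the finding maps to one */
  cve?: string;
  /** Human-readable description of the finding */
  description: string;
  /** Image layer the finding is attributed to, when reported by the scanner */
  layer?: string;
}

/**
 * Result of scanning one container image.
 */
export interface ImageScanResult {
  /** Image name (reference without the tag) */
  image: string;
  /** Image tag */
  tag: string;
  /** Content digest of the image, when known */
  digest?: string;
  /** Findings reported for the image */
  vulnerabilities: ContainerVulnerability[];
  /** Metadata about the scanned image */
  metadata: ImageMetadata;
  /** When the scan was performed */
  scanTime: Date;
  /**
   * Scanner that produced the result. `'internal'` is not selectable via
   * `ImageScanOptions.scanner`; presumably it is the fallback used when no
   * external scanner is available (see `isScannerAvailable`) — confirm in the
   * implementation.
   */
  scanner: 'trivy' | 'grype' | 'internal';
}

/**
 * Image metadata reported alongside a scan. Every field is optional because
 * scanners differ in what they report.
 */
export interface ImageMetadata {
  /** Base operating system name */
  os?: string;
  /** Base operating system version */
  osVersion?: string;
  /** CPU architecture of the image */
  architecture?: string;
  /** Image size; unit is not declared here (presumably bytes — confirm) */
  size?: number;
  /** Number of image layers */
  layers?: number;
  /** Image creation time */
  created?: Date;
}

/**
 * Options controlling an image scan. All fields are optional; defaults that
 * are not stated here are decided by the implementation.
 */
export interface ImageScanOptions {
  /** Scanner to use (default: trivy) */
  scanner?: 'trivy' | 'grype';
  /** Minimum severity to report; findings below it are dropped */
  minSeverity?: Severity;
  /**
   * Skip update of the vulnerability database before scanning. A stale
   * database can miss recently published advisories, so this is best kept
   * unset outside offline or air-gapped runs.
   */
  skipDbUpdate?: boolean;
  /** Scan timeout in milliseconds; no default is declared here */
  timeout?: number;
  /** Include vulnerabilities that have no fixed version yet */
  includeUnfixed?: boolean;
  /** Rule IDs to skip (e.g., ['DKR-001', 'DKR-002']) */
  skipRules?: string[];
}

/**
 * Result of statically analyzing a Dockerfile.
 */
export interface DockerfileAnalysis {
  /** Path of the analyzed Dockerfile */
  filePath: string;
  /** Base image named by the Dockerfile (see `extractBaseImage`) */
  baseImage: string;
  /** Security issues found */
  issues: DockerfileIssue[];
  /** Best-practice violations found */
  bestPractices: BestPracticeViolation[];
}

/**
 * A security issue found in a Dockerfile.
 */
export interface DockerfileIssue {
  /** Rule identifier; matchable against `ImageScanOptions.skipRules` */
  id: string;
  /** Severity on the shared `Severity` scale */
  severity: Severity;
  /** 1-based line number is presumed — confirm against the implementation */
  line: number;
  /** Dockerfile instruction the issue was found on */
  instruction: string;
  /** Description of the issue */
  message: string;
  /** How to remediate the issue */
  recommendation: string;
}

/**
 * A best-practice violation found in a Dockerfile.
 */
export interface BestPracticeViolation {
  /** Name of the violated rule */
  rule: string;
  /** Description of the violation */
  description: string;
  /** Line the violation applies to, when it can be attributed to one */
  line?: number;
  /** How to bring the Dockerfile in line with the rule */
  recommendation: string;
}

/**
 * Container Image Scanner
 *
 * Scans container images by delegating to an external scanner (Trivy or
 * Grype) and parsing its JSON output, and statically checks Dockerfiles for
 * security issues and best-practice violations.
 * @trace DES-SEC2-CONTAINER-001
 */
export declare class ImageScanner {
  /** Options supplied at construction; the type is elided in this declaration */
  private options;
  /**
   * @param options Scanner-wide options applied to every scan
   */
  constructor(options?: ImageScanOptions);
  /**
   * Scan a container image.
   *
   * NOTE(review): `imageRef` is handed to an external scanner process
   * (see `runExternalScanner`). Confirm the implementation passes it as a
   * separate argv element rather than interpolating it into a shell string,
   * and consider validating it against the image-reference grammar before
   * spawning the scanner.
   * @param imageRef Image reference, split into name and tag by `parseImageRef`
   * @param options Per-call options; presumably merged over the constructor
   *   options — confirm
   * @returns The scan result. The return type argument was missing from the
   *   extracted declaration (`Promise` with no argument does not compile) and
   *   is reconstructed from `toVulnerabilities(result: ImageScanResult)`.
   * @trace REQ-SEC2-CONTAINER-001
   */
  scan(imageRef: string, options?: ImageScanOptions): Promise<ImageScanResult>;
  /**
   * Analyze a Dockerfile for security issues.
   * @param dockerfilePath Path of the Dockerfile to read
   * @returns The analysis. The return type argument was missing from the
   *   extracted declaration and is reconstructed from `DockerfileAnalysis`,
   *   the documented "Dockerfile analysis result".
   * @trace REQ-SEC2-CONTAINER-002
   */
  analyzeDockerfile(dockerfilePath: string): Promise<DockerfileAnalysis>;
  /**
   * Convert container vulnerabilities to the standard vulnerability format.
   * @param result A completed image scan
   * @returns One `Vulnerability` per container finding
   */
  toVulnerabilities(result: ImageScanResult): Vulnerability[];
  /** Parse an image reference into image name and tag */
  private parseImageRef;
  /** Run the external scanner (Trivy or Grype) selected by the options */
  private runExternalScanner;
  /** Check whether a scanner binary is available on this host */
  private isScannerAvailable;
  /** Run the Trivy scanner */
  private runTrivy;
  /** Run the Grype scanner */
  private runGrype;
  /** Parse Trivy JSON output into `ContainerVulnerability` entries */
  private parseTrivyOutput;
  /** Parse Grype JSON output into `ContainerVulnerability` entries */
  private parseGrypeOutput;
  /** Get a numeric severity level for comparison (used for `minSeverity` filtering — presumably) */
  private getSeverityLevel;
  /** Extract the base image from a Dockerfile */
  private extractBaseImage;
  /** Check a Dockerfile for security issues */
  private checkDockerfileIssues;
  /** Check a Dockerfile against best practices */
  private checkBestPractices;
  /** Map a CVE identifier to a CWE identifier */
  private mapCVEToCWE;
}

/**
 * Create an image scanner instance.
 * @param options Scanner-wide options forwarded to the `ImageScanner` constructor
 * @returns A new `ImageScanner`
 */
export declare function createImageScanner(options?: ImageScanOptions): ImageScanner;
//# sourceMappingURL=image-scanner.d.ts.map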