This repository was archived by the owner on Oct 14, 2024. It is now read-only.

feat: add CIS Docker Benchmark scanner #1303

Merged
merged 5 commits into from
Mar 1, 2024

Conversation

akijakya
Contributor

@akijakya akijakya commented Feb 15, 2024

Description

This PR adds dockle as CIS Docker Benchmark scanner to the family of Misconfiguration scanners.

Addressing the "fix: go builds" commit:

Additional build tags had to be added everywhere the cli, and the modules using the cli module (namely orchestrator and provider), are built with CGO enabled (because of the indirect github.com/containers/storage package); otherwise this build error would occur:

0.926 # github.com/containers/storage/pkg/devicemapper
0.926 # [aarch64-linux-gnu-pkg-config --cflags  -- devmapper]
0.926 Please install dpkg-dev to use pkg-config when cross-building
0.950 # github.com/containers/storage/drivers/btrfs
0.950 /go/pkg/mod/github.com/containers/[email protected]/drivers/btrfs/btrfs.go:12:10: fatal error: btrfs/ioctl.h: No such file or directory
0.950    12 | #include <btrfs/ioctl.h>
0.950       |          ^~~~~~~~~~~~~~~
0.950 compilation terminated.

If this is unacceptable, we could think of other ways to include this scanner, e.g., adding it as a binary instead of using it as a go package.

Try it out locally

  1. Get a test image (e.g. docker pull goodwithtech/test-image:v1, or any image on your system you'd like to scan)

  2. Since Dockle can also scan docker archives, let's create one, e.g.: docker buildx build --output type=docker,dest=./docker-test.tar --build-arg BUILD_OPTS="-tags=exclude_graphdriver_btrfs,exclude_graphdriver_devicemapper" -f Dockerfile.cli .

  3. Create a config with these inputs:

    cat <<EOF >> .cisdocker-test.yaml
    misconfiguration:
      enabled: true
      scanners_list:
        - "cisdocker"
      inputs:
        - input: "goodwithtech/test-image:v1"
          input_type: "image"
        - input: "docker-test.tar"
          input_type: "docker-archive"
    EOF
  4. Run the scan: go run ./cli/cmd/main.go scan --config .cisdocker-test.yaml

For trying it out locally as part of the docker provider within VMClarity, this issue needs to be resolved first.

Fixes #1254

Type of Change

[ ] Bug Fix
[X] New Feature
[ ] Breaking Change
[ ] Refactor
[ ] Documentation
[ ] Other (please describe)

Checklist

  • I have read the contributing guidelines
  • Existing issues have been referenced (where applicable)
  • I have verified this change is not present in other open pull requests
  • Functionality is documented
  • All code style checks pass
  • New code contribution is covered by automated tests
  • All new and existing tests pass
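The integration work behind a scanner like this is mostly glue: run the tool, parse its report, and normalise each checkpoint into the misconfiguration finding model the rest of the family uses. The following is an added example and not VMClarity's or dockle's own code. The report struct follows dockle's documented JSON output (a `summary` with level counts and a `details` list of checkpoints with `code`, `title`, `level`, `alerts`), which is an assumption about the format; the `Finding` type, the level-to-severity mapping and the sample report are constructed for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// dockleReport mirrors the shape of dockle's JSON report as documented by the
// dockle project. Assumption for this example, not VMClarity's scanner code.
type dockleReport struct {
	Summary struct {
		Fatal int `json:"fatal"`
		Warn  int `json:"warn"`
		Info  int `json:"info"`
		Skip  int `json:"skip"`
		Pass  int `json:"pass"`
	} `json:"summary"`
	Details []struct {
		Code   string   `json:"code"`
		Title  string   `json:"title"`
		Level  string   `json:"level"`
		Alerts []string `json:"alerts"`
	} `json:"details"`
}

// Finding is a hypothetical normalised misconfiguration finding.
type Finding struct {
	ScannerName string // "cisdocker", the scanners_list name used in this PR
	ID          string // dockle checkpoint code, e.g. CIS-DI-0001
	Severity    string // HIGH / MEDIUM / LOW / UNKNOWN
	Message     string // one dockle alert
	Remediation string // dockle checkpoint title doubles as the remediation hint
}

// severityFromLevel maps dockle's level strings to a normalised severity.
// An empty result means "not a finding"; unknown levels are kept as UNKNOWN
// rather than silently dropped, so a new dockle level cannot hide findings.
func severityFromLevel(level string) string {
	switch strings.ToUpper(level) {
	case "FATAL":
		return "HIGH"
	case "WARN":
		return "MEDIUM"
	case "INFO":
		return "LOW"
	case "PASS", "SKIP", "IGNORE":
		return ""
	default:
		return "UNKNOWN"
	}
}

// ParseDockleReport converts a dockle JSON report into findings, one per
// alert, skipping passed/skipped checkpoints. Malformed JSON is an error.
func ParseDockleReport(data []byte) ([]Finding, error) {
	var rep dockleReport
	if err := json.Unmarshal(data, &rep); err != nil {
		return nil, fmt.Errorf("parsing dockle report: %w", err)
	}
	var findings []Finding
	for _, d := range rep.Details {
		sev := severityFromLevel(d.Level)
		if sev == "" {
			continue
		}
		alerts := d.Alerts
		if len(alerts) == 0 {
			alerts = []string{d.Title} // keep the checkpoint even without detail
		}
		for _, a := range alerts {
			findings = append(findings, Finding{
				ScannerName: "cisdocker", ID: d.Code, Severity: sev,
				Message: a, Remediation: d.Title,
			})
		}
	}
	// Deterministic ordering: most severe first, then by checkpoint code.
	rank := map[string]int{"HIGH": 0, "MEDIUM": 1, "LOW": 2, "UNKNOWN": 3}
	sort.SliceStable(findings, func(i, j int) bool {
		if rank[findings[i].Severity] != rank[findings[j].Severity] {
			return rank[findings[i].Severity] < rank[findings[j].Severity]
		}
		return findings[i].ID < findings[j].ID
	})
	return findings, nil
}

// SampleReport is a constructed dockle-style report used to exercise the parser.
const SampleReport = `{
  "summary": {"fatal": 1, "warn": 2, "info": 0, "skip": 0, "pass": 1},
  "details": [
    {"code": "CIS-DI-0001", "title": "Create a user for the container", "level": "WARN",
     "alerts": ["Last user should not be root"]},
    {"code": "CIS-DI-0006", "title": "Add HEALTHCHECK instruction to the container image", "level": "WARN",
     "alerts": ["not found HEALTHCHECK statement"]},
    {"code": "DKL-DI-0005", "title": "Clear apt-get caches", "level": "FATAL",
     "alerts": ["Use 'rm -rf /var/lib/apt/lists' after 'apt-get install'"]},
    {"code": "CIS-DI-0005", "title": "Enable Content trust for Docker", "level": "PASS", "alerts": []}
  ]
}`

func main() {
	findings, err := ParseDockleReport([]byte(SampleReport))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-7s %-12s %s\n", f.Severity, f.ID, f.Message)
	}
}
```

Two design points worth keeping in a real integration: the parser fails closed on malformed output instead of returning an empty (and therefore green-looking) result, and a level the mapping does not recognise still surfaces as a finding.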

@akijakya akijakya self-assigned this Feb 15, 2024
@akijakya akijakya force-pushed the add-cis-docker-benchmark-scanner branch 9 times, most recently from ff00cbd to 1b1eb5d Compare February 22, 2024 13:16


@akijakya akijakya force-pushed the add-cis-docker-benchmark-scanner branch 8 times, most recently from 4b7b5a4 to 3ba24e2 Compare February 23, 2024 16:05


@akijakya akijakya marked this pull request as ready for review February 23, 2024 16:31
@akijakya akijakya requested a review from a team as a code owner February 23, 2024 16:31
Member

@ramizpolic ramizpolic left a comment


great work @akijakya! left a couple of comments to address, nothing major

@akijakya akijakya force-pushed the add-cis-docker-benchmark-scanner branch from 3ba24e2 to d4212f7 Compare February 26, 2024 16:57
@akijakya akijakya force-pushed the add-cis-docker-benchmark-scanner branch from d4212f7 to 407de7e Compare February 26, 2024 20:21
Signed-off-by: András Jáky <[email protected]>
Signed-off-by: András Jáky <[email protected]>

ci: fix?

Signed-off-by: András Jáky <[email protected]>
@akijakya akijakya force-pushed the add-cis-docker-benchmark-scanner branch from 407de7e to fc1074f Compare February 26, 2024 20:26


@akijakya akijakya force-pushed the add-cis-docker-benchmark-scanner branch 3 times, most recently from 2025ae6 to ce27d6d Compare February 27, 2024 08:26
@akijakya akijakya force-pushed the add-cis-docker-benchmark-scanner branch from ce27d6d to 663b415 Compare February 27, 2024 08:40

Hey!

Your images are ready:

  • ghcr.io/openclarity/vmclarity-apiserver-dev:pr1303-ac16e79f40431114b087ea74da1d66c53068eeb2
  • ghcr.io/openclarity/vmclarity-cli-dev:pr1303-ac16e79f40431114b087ea74da1d66c53068eeb2
  • ghcr.io/openclarity/vmclarity-cr-discovery-server-dev:pr1303-ac16e79f40431114b087ea74da1d66c53068eeb2
  • ghcr.io/openclarity/vmclarity-orchestrator-dev:pr1303-ac16e79f40431114b087ea74da1d66c53068eeb2
  • ghcr.io/openclarity/vmclarity-ui-dev:pr1303-ac16e79f40431114b087ea74da1d66c53068eeb2
  • ghcr.io/openclarity/vmclarity-ui-backend-dev:pr1303-ac16e79f40431114b087ea74da1d66c53068eeb2

Member

@ramizpolic ramizpolic left a comment


lgtm, thanks @akijakya!

@akijakya akijakya added this pull request to the merge queue Mar 1, 2024
Merged via the queue into main with commit bc77937 Mar 1, 2024
34 checks passed
@akijakya akijakya deleted the add-cis-docker-benchmark-scanner branch March 1, 2024 12:37

github-actions bot commented Aug 8, 2024

Hey there and thank you for opening this pull request! 👋🏼

We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted.

Details:

No scope found in pull request title "feat: add CIS Docker Benchmark scanner". Scope must match one of: general, api, cli, containerruntimediscovery, core, orchestrator, plugin, provider, scanner, ui, uibackend, utils, workflow, aws, azure, docker, gcp, helm, k8s, ci, deps, e2e, testenv.

Development

Successfully merging this pull request may close these issues.

Add CIS Docker Benchmark misconfiguration scanner
2 participants