in builder/context.go [207:266]
// getScanArgs assembles the argv for a `docker run` invocation of
// scannerImageName with the "scan" subcommand.
//
// It returns two slices with the same layout: the first carries the real
// values, the second is a copy for display in which every serialized registry
// credential is replaced by "***". Element order is: the fixed docker/scan
// prefix, one "-t" pair per tag, one "--build-arg" pair per build argument,
// one "--credential" pair per credential, an optional "--target" pair, and
// finally sourceContext as the trailing positional argument.
//
// An error is returned (with both slices nil) if any credential fails to
// serialize.
//
// NOTE(review): only "--credential" values are masked. Build arguments are
// copied verbatim into the censored slice, so a secret passed as a build arg
// would appear wherever that slice is printed — confirm callers never route
// secrets through buildArgs.
// NOTE(review): the uncensored slice puts serialized credentials on the
// command line; process arguments are typically readable by other local
// processes, so confirm the host running this is single-tenant or that the
// scanner has another way to receive credentials.
// NOTE(review): no value is validated here; a caller-supplied tag, target or
// context beginning with "-" is handed to the scanner unchanged — confirm
// that inputs are validated upstream.
func getScanArgs(
	containerName, volName, containerWorkspaceDir, stepWorkDir, dockerfile, outputDir string,
	tags, buildArgs []string,
	target, sourceContext string,
	credentials []*graph.RegistryCredential,
) ([]string, []string, error) {
	cmd := []string{
		"docker",
		"run",
		"--rm",
		"--name", containerName,
		"--volume", volName + ":" + containerWorkspaceDir,
		"--workdir", normalizeWorkDir(stepWorkDir),
		// Home volume and its environment variable.
		"--volume", homeVol + ":" + homeWorkDir,
		"--env", homeEnv,
		scannerImageName,
		"scan",
		"-f", dockerfile,
		"--destination", outputDir,
	}
	for _, t := range tags {
		cmd = append(cmd, "-t", t)
	}
	for _, ba := range buildArgs {
		cmd = append(cmd, "--build-arg", ba)
	}

	// Everything gathered so far is shared verbatim by both views. Clone into
	// a fresh backing array so later appends to one cannot touch the other.
	redacted := append([]string(nil), cmd...)

	// appendBoth adds the same non-secret values to the real and display views.
	appendBoth := func(vals ...string) {
		cmd = append(cmd, vals...)
		redacted = append(redacted, vals...)
	}

	for _, c := range credentials {
		serialized, err := c.String()
		if err != nil {
			// The underlying error is not included in the returned error.
			// NOTE(review): presumably to keep credential material out of
			// error text — confirm before wrapping err here.
			return nil, nil, errors.New("credential serialization failed for given registry credential")
		}
		// The real value goes only into cmd; the display view gets a mask.
		cmd = append(cmd, "--credential", serialized)
		redacted = append(redacted, "--credential", "***")
	}

	if target != "" {
		appendBoth("--target", target)
	}

	// The build context is positional and has to be the final argument.
	appendBoth(sourceContext)

	return cmd, redacted, nil
}