
refactor(inspect): migrate Docker inspection from CLI to Docker SDK #104

@CodeMonkeyCybersecurity

Description

Context

pkg/inspect/docker.go currently shells out to the docker CLI for all container, image, network, and volume discovery. CLAUDE.md states: "ALWAYS use Docker SDK (github.com/docker/docker/client)" for container operations.

Problem

  • CLI parsing is fragile (format changes between Docker versions)
  • Shell execution has security implications (G204 gosec finding)
  • No connection pooling or socket reuse
  • Timeout handling is per-command, not per-operation

Proposal

Replace i.runCommand("docker", ...) calls with Docker SDK client methods:

  • client.ContainerList() + client.ContainerInspect()
  • client.ImageList()
  • client.NetworkList()
  • client.VolumeList()

Keep a CLI fallback for environments where the socket is unavailable.

Scope

  • Replace all Docker CLI calls in pkg/inspect/docker.go
  • Remove parseHumanSize in favour of SDK's native byte sizes
  • Keep readComposeFile (no SDK equivalent for compose parsing)
  • Update tests to use mock Docker client
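
An added sketch of the SDK-first path with the CLI fallback and a mock client for tests; it is not code from this repository and uses only the standard library. `Backend`, `FakeBackend`, `ErrSocketUnavailable` and `Discover` are hypothetical names, and the real SDK-backed and CLI-backed implementations of `Backend` are assumed to exist elsewhere and to be non-nil.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

type Container struct {
	Name      string
	SizeBytes int64 // native byte count, so no parseHumanSize step is needed
}

// Backend is a hypothetical narrow interface: an SDK-backed type would wrap
// client.ContainerList/ContainerInspect, and tests pass a fake instead.
type Backend interface {
	Containers(ctx context.Context) ([]Container, error)
}

// ErrSocketUnavailable: hypothetical sentinel for an unreachable daemon socket.
var ErrSocketUnavailable = errors.New("docker socket unavailable")

// FakeBackend is a test double returning canned containers or a canned error.
type FakeBackend struct {
	Items []Container
	Err   error
}

func (f FakeBackend) Containers(context.Context) ([]Container, error) { return f.Items, f.Err }

// Discover puts one deadline on the whole operation and falls back only when
// the socket is unreachable; any other SDK error is returned, not masked.
func Discover(parent context.Context, sdk, cli Backend, d time.Duration) ([]Container, string, error) {
	ctx, cancel := context.WithTimeout(parent, d)
	defer cancel()
	out, err := sdk.Containers(ctx)
	if errors.Is(err, ErrSocketUnavailable) {
		out, err = cli.Containers(ctx) // same ctx, so the deadline is shared
		return out, "cli", err
	}
	return out, "sdk", err
}

func main() {
	cli := FakeBackend{Items: []Container{{Name: "web", SizeBytes: 1 << 20}}} // constructed sample
	_, src, err := Discover(context.Background(), FakeBackend{Err: ErrSocketUnavailable}, cli, time.Second)
	fmt.Println(src, err)
}
```

Returning which backend answered lets callers log when the fallback path was taken, which keeps the shell-execution path visible rather than silent.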
