The community team at Sonatype has been working hard on upgrading docker-nancy from a Post Panamax cargo ship to a new and improved Triple E vessel. (See the diagram below). As a result, this project is being archived.

You can get a hold of a dockerized version of Nancy now at nancy (https://github.com/sonatype-nexus-community/nancy)

Bon Voyage!

docker-nancy- it's like nancy... on a boat!

Nancy is a tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index and docker-nancy wraps the nancy executable in a Docker image.

You can see an example of using nancy in Travis-CI at this intentionally vulnerable repo we made.

The best way to get up and running is to clone this repository and build the image as follows and create an alias to execute against a running image:

	 docker build -t sonatype-nexus-community/docker-nancy:latest .
	 alias nancy="docker run -it --rm -v $(pwd):/tmp --name nancy sonatype-nexus-community/docker-nancy:latest"

Once the image is built and the alias has been created, run nancy in a directory containing a go.sum file as follows:

nancy go.sum

There is a known limitation right now where the container will only process go.sum files that exist in the current directory. This is different than the implementation of the non-containerized nancy binary.

To view other commands and options simply run the nancy alias:

$ nancy
Usage:
nancy [options] </path/to/Gopkg.lock>
nancy [options] </path/to/go.sum>

Options:
  -exclude-vulnerability value
    	Comma seperated list of CVEs to exclude
  -no-color
    	indicate output should not be colorized
  -noColor
    	indicate output should not be colorized (deprecated: please use no-color)
  -quiet
    	indicate output should contain only packages with vulnerabilities
  -version
    	prints current nancy version

We care a lot about making the world a safer place, and that's why we created docker-nancy. If you as well want to speed up the pace of software development by working on this project, jump on in! Before you start work, create a new issue, or comment on an existing issue, to let others know you are!

The nancy logo was created using a combo of Gopherize.me and good ole Photoshop. Thanks to the creators of Gopherize for an easy way to make a fun Gopher :)

Thank you to The Lonely Island for your late night inspiration about boats...

It is worth noting that this is NOT SUPPORTED by Sonatype, and is a contribution of ours to the open source community (read: you!)

Remember:

• Use this contribution at the risk tolerance that you have
• Do NOT file Sonatype support tickets related to docker-nancy support in regard to this project
• DO file issues here on GitHub, so that the community can pitch in

Looking to contribute to our code but need some help? There's a few ways to get information:

• Chat with us on Gitter
• DM @djschleen