feat(tencent/security): expose 10 scans as cobra subcommands #181
Merged
The ten Tencent security scans (public-exposure, clb-exposure,
db-exposure, idle-eips, unencrypted-cbs, cert-expiry, cam-hygiene,
waf-coverage, antiddos-coverage, audit-coverage) were already
exposed through the clanker server HTTP API, but not as cobra
subcommands. Downstream clanker-cloud needs them as shell-out
targets so the dashboard's Security panel can run them without
standing up an in-process HTTP server.

Each scan registers via a small securityScan struct so adding a
new one means appending one entry to securityScans rather than
plumbing through every layer. The 'all' fan-out command runs
every scan in parallel and emits a wrapped envelope:

```
{"region":"ap-singapore","scans":[
  {"name":"public-exposure","data":{...}},
  {"name":"cam-hygiene","error":"permission denied"}
]}
```

Per-scan failures are captured in the envelope rather than
aborting the whole call so a single IAM gap doesn't black out
the other nine scans.

Tests cover the registry invariants, the cobra subtree wiring,
and the fan-out's error-capture behaviour (race-clean by passing
the scan list into runAllSecurityScans rather than mutating the
package global).
rephapeng added a commit to rephapeng/clanker that referenced this pull request May 28, 2026
Upstream merged PR bgdnvk#165 (Tencent provider) and added work on top: k8s SRE playbooks (bgdnvk#174), SRE agent fix (bgdnvk#177), tree-wide gofmt -s (bgdnvk#176), README (bgdnvk#175), and three Tencent CLI features the fork lacked — `list --format json` (bgdnvk#179), `cost --format json` (bgdnvk#180), and security-scan CLI subcommands (bgdnvk#181). Conflict resolution: all 16 conflicts resolved to upstream's side. 14 were pure gofmt whitespace from bgdnvk#176 (identical code); billing.go and static_commands.go were upstream supersets adding the JSON/security CLI surface with no fork-unique code lost. Fixed a duplicate tencent import in cmd/ask.go left by the auto-merge. Verified in Docker (golang:1.25, -mod=mod): gofmt clean, go build ./..., go vet ./..., and go test ./... all pass.
Summary

Adds `clanker tencent security <scan>` for the ten Tencent Cloud security scans that previously lived only on the in-process HTTP server (`clanker server`). The downstream clanker-cloud Security panel needs them as shell-out targets, matching the inventory / cost / expiry pattern.

Each scan registers through a small `securityScan` struct so adding a new one is one append, not three. The fan-out `clanker tencent security all` runs every scan in parallel and emits a wrapped envelope — per-scan failures are surfaced inside the envelope rather than aborting the bundle, so a single IAM gap doesn't black out the other nine scans.

Surface

All scans emit raw JSON on stdout — same shape the HTTP server already returns, so jq pipelines and the dashboard share a wire format.

Output of `security all`

```
{
  "region": "ap-singapore",
  "scans": [
    {"name":"public-exposure","data":{...}},
    {"name":"cam-hygiene","error":"permission denied: cam:DescribeSubAccount"}
  ]
}
```

Test plan

- `go test -race -count=1 ./internal/tencent/... -run Security` — 3/3 pass
- `go test -race -count=1 -short ./...` — full suite green
- `go vet ./...` — clean
- `gofmt -s -l` — clean
- `clanker tencent security --help` lists 11 subcommands (10 scans + `all`)
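
An added example, not code from this PR or the clanker project, of the fan-out described above: the scan list is passed in as an argument, every scan runs in parallel, and a failing scan becomes an `error` entry in the envelope instead of aborting the bundle. The struct fields, the `scanResult` and `envelope` types, the function signature and the two stand-in scans are assumptions; only the names `securityScan` and `runAllSecurityScans` and the envelope shape come from the page.

```go
package main

import (
	"encoding/json"
	"os"
	"sync"
)

// Field and result shapes are assumptions; the PR gives only the names.
type securityScan struct {
	Name string
	Run  func(region string) (any, error)
}
type scanResult struct {
	Name  string `json:"name"`
	Data  any    `json:"data,omitempty"`
	Error string `json:"error,omitempty"`
}
type envelope struct {
	Region string       `json:"region"`
	Scans  []scanResult `json:"scans"`
}

// runAllSecurityScans records a failure in that scan's slot and keeps going.
func runAllSecurityScans(region string, scans []securityScan) envelope {
	out := envelope{Region: region, Scans: make([]scanResult, len(scans))}
	var wg sync.WaitGroup
	for i, s := range scans {
		wg.Add(1)
		go func(i int, s securityScan) {
			defer wg.Done()
			data, err := s.Run(region)
			// Each goroutine writes only its own index, so no lock is needed.
			out.Scans[i] = scanResult{Name: s.Name, Data: data}
			if err != nil {
				out.Scans[i] = scanResult{Name: s.Name, Error: err.Error()}
			}
		}(i, s)
	}
	wg.Wait()
	return out
}

func main() {
	scans := []securityScan{ // constructed stand-ins, not real cloud calls
		{"public-exposure", func(string) (any, error) { return map[string]int{"findings": 2}, nil }},
		{"cam-hygiene", func(string) (any, error) { return nil, os.ErrPermission }},
	}
	json.NewEncoder(os.Stdout).Encode(runAllSecurityScans("ap-singapore", scans))
}
```

A consumer of this envelope should treat an entry carrying `error` as having no verdict for that scan, not as zero findings.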