Gorsair hacks its way into remote docker containers that expose their APIs

Last update: Dec 31, 2022

Comments: 12

Gorsair

Gorsair is a penetration testing tool for discovering and remotely accessing Docker APIs from vulnerable Docker containers. Once it has access to the docker daemon, you can use Gorsair to directly execute commands on remote containers.

Exposing the docker API on the internet is a tremendous risk, as it can let malicious agents get information on all of the other containers, images and system, as well as potentially getting privileged access to the whole system if the image uses the root user.

Install

From a release

Set the:

GORSAIR_VERSION to whatever release you are interested in
OS to your operating system (linux, windows or darwin)
ARCH to your architecture (amd64, arm, or ppc64le)

And then run the following command to install gorsair.

curl -sS https://github.com/Ullaakut/Gorsair/releases/download/$GORSAIR_VERSION/gorsair_$OS_$ARCH --output /usr/local/bin/gorsair && chmod +x /usr/local/bin/gorsair

From the sources

Make sure that you have a go version that supports modules (versions 1.11 and above)
Make sure that your environment contains the GO111MODULE variable set to on
Run go build -o /usr/local/bin/gorsair cmd/*.go from the root of this repository

Command line options

-t, --targets: Set targets according to the nmap target format. Required. Example: --targets="192.168.1.72,192.168.1.74"
-p, --ports: (Default: 2375,2376) Set custom ports.
-s, --speed: (Default: 4) Set custom nmap discovery presets to improve speed or accuracy. It's recommended to lower it if you are attempting to scan an unstable and slow network, or to increase it if on a very performant and reliable network. You might also want to keep it low to keep your discovery stealthy. See this for more info on the nmap timing templates.
-v, --verbose: Enable more verbose logs.
-D, --decoys: List of decoy IP addresses to use (see the decoy section of the nmap documentation)
-e, --interface: Network interface to use
--proxies: List of HTTP/SOCKS4 proxies to use to deplay connections with (see documentation)
-S, --spoof-ip: IP address to use for IP spoofing
--spoof-mac: MAC address to use for MAC spoofing
-v, --verbose: Enable verbose logging
-h, --help: Display the usage information

How can I protect my containers from this attack

Avoid putting containers that have access to the docker socket on the internet
Avoid using the root account in docker containers

Owner

Brendan Le Glaunec

Software Engineer @traefik & previously R&D Software Engineer @EtixLabs / Go Contractor @fresh8

https://github.com/Ullaakut/Gorsair

Comments

Install error

Hello,

When I run "go install" I'm receiving the following error.

can't load package: package github.com/Ullaakut/Gorsair: unknown import path "github.com/Ullaakut/Gorsair": cannot find module providing package github.com/Ullaakut/Gorsair

同学，您这个项目引入了191个开源组件，存在7个漏洞，辛苦升级一下

检测到 Ullaakut/Gorsair 一共引入了191个开源组件，存在7个漏洞

漏洞标题：Docker 路径遍历漏洞
缺陷组件：github.com/docker/[email protected]
漏洞编号：CVE-2014-9356
漏洞描述：Docker是美国Docker公司的一款开源的应用容器引擎。该产品支持在Linux系统上创建一个容器（轻量级虚拟机）并部署和运行应用程序，以及通过配置文件实现应用程序的自动化安装、部署和升级。
Docker 1.3.3之前版本中存在路径遍历漏洞。该漏洞源于网络系统或产品未能正确地过滤资源或文件路径中的特殊元素。攻击者可利用该漏洞访问受限目录之外的位置。
影响范围：(∞, 1.3.3)
最小修复版本：1.3.3
缺陷组件引入路径：main@->github.com/docker/[email protected]

另外还有7个漏洞，详细报告：https://mofeisec.com/jr?p=ae8c99

Are you trying to connect to a TLS-enabled daemon without TLS?
Vulnerable docker API found: Endpoint address: xx.xxxx.xxxx.xxxx Endpoint API port: 2376 Docker version: UNKNOWN Docker API was unreachable: Get http://xxxx.xxx.xxx.xxxx:2376/v1.39/info: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02".

Are you trying to connect to a TLS-enabled daemon without TLS?

Any setting to remediate this? I saw in this article need to set the environment to enable TLS for client https://tech.paulcz.net/blog/secure-docker-with-tls/

Fail when downloading Gorsair: syntax error near unexpected token `<'

After I run: curl https://github.com/Ullaakut/Gorsair/releases/download/1.1.0/gorsair_linux_amd64 --output /usr/local/bin/gorsair

and chmod 777 /usr/local/bin/gorsair.

I run gorsair and I get an error:

/usr/local/bin/gorsair: line 1: syntax error near unexpected token `<'
/usr/local/bin/gorsair: line 1: `<html><body>You are being <a href="https://github-production-release-asset-2e65be.s3.amazonaws.com/143321747/f74b3900-2d70-11e9-8129-9506787cd596?X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20190214%2Fus-east-1%2Fs3%2Faws4_request&amp;X-Amz-Date=20190214T143347Z&amp;X-Amz-Expires=300&amp;X-Amz-Signature=0783c1cf5b49ae9ce92c677a923efa3f613060f1d9e67719f35d4e5801a33c4f&amp;X-Amz-SignedHeaders=host&amp;actor_id=0&amp;response-content-disposition=attachment%3B%20filename%3Dgorsair_linux_amd64&amp;response-content-type=application%2Foctet-stream">redirected</a>.</body></html>'

It seems that the command you mentioned on the main page doesn't download the file correctly.

Bump github.com/spf13/cobra from 1.5.0 to 1.6.0
Bumps github.com/spf13/cobra from 1.5.0 to 1.6.0.

Release notes

Sourced from github.com/spf13/cobra's releases.

v1.6.0

Summer 2022 Release

Some exciting changes make their way to Cobra! Command completions continue to get better and better (including adding --help and --version automatic flags to the completions list). Grouping is now possible in your help output as well! And you can now use the OnFinalize method to cleanup things when all "work" is done. Checkout the full changelog below:

Features 🌠

Add groups for commands in help: @aawsome @marckhouzam #1003

Support for case-insensitive command names: @YuviGold #1802

Expose ValidateRequiredFlags and ValidateFlagGroups: @skeetwu #1760

Add --version flag to help output: @fnickels #1707

Add --help and --version flag in completions: @marckhouzam #1813

Add OnFinalize method: @yann-soubeyrand #1788

Allow user to add completion for powershell alias: @marckhouzam #1621

Make InitDefaultcompletionCmd public: @gssbzn #1467

Deprecation 👎🏼

ExactValidArgs is deprecated (but not being removed entirely). This is abit nuanced, so checkout #1643 for further information and the updated user_guide.md on how this may affect you (and how you can take advantage of the correct behavior in the validators): @umarcor #1643

Bug fixes 🐛

Fix (bash-v2) activeHelp length check syntax: @scop #1762

Fix correct command path in see_also for yaml documentation: @zregvart #1771

Fix showing flags that shadow parent persistent flag in child help messaging: @brianpursley #1776

Dependencies 🗳️

Upgrade to use gopkg.in/yaml.v3: @tklauser #1766

Testing 🤔

Test on Golang 1.19: @umarcor & @jpmcb #1782

Renamed powershell completion tests: @marckhouzam #1803

Use action/setup-go cache: @umarcor #1783

Add workflow_dispatch to CI actions: @umarcor #1387

Add minimum GitHub token permissions for workflows: @varunsh-coder #1792

Docs ✏️

Fixup spelling for GitHub CLI: @eltociear #1744

Clarify SetContext documentation: @katexochen #1748

Instruct user to go install for binary: @marckhouzam #1726

User guide cleanup: @marckhouzam #1656

Document option to hide the default completion command: @marckhouzam #1779

Misc 💭

Add KubeVirt, CloudQuery, Cilium, Okteto, Zitadel, Allero to projects using cobra: @maiqueb #1741, @yevgenypats #1742, @tklauser #1745, @jLopezbarb #1759, @fforootd #1772, @dimabru #1819

Use correct stale action exempt yaml keys: @jpmcb #1800

Add missing license headers: @umarcor #1809

Note: Per #1804, we will be moving away from "seasonal" releases and doing more generic point release targets. Continue to track the milestones and issues in the spf13/cobra GitHub repository for more information!

Great work everyone! Cobra would never be possible without your contributions! 🐍

... (truncated)

Commits

8607918 feat: make InitDefaultCompletionCmd public (#1467)

2169adb Add groups for commands in help (#1003)

212ea40 Include --help and --version flag in completion (#1813)

d4040ad Allow user to add completion for powershell alias (#1621)

23fc5e0 ci: add minimum GitHub token permissions for workflows (#1792)

93d1913 Add OnFinalize method (#1788)

07034fe build(deps): bump actions/stale from 5 to 6 (#1815)

3dc9761 Add allero to list of projects using cobra (#1819)

7039e1f Add '--version' flag to Help output (#1707)

fce8d8a Expose ValidateRequiredFlags and ValidateFlagGroups (#1760)

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bump github.com/spf13/pflag from 1.0.3 to 1.0.4
Bumps github.com/spf13/pflag from 1.0.3 to 1.0.4.

Commits

e8f2996 Fix typo in go.mod

7b22f68 Merge pull request #216 from therealmitchconnors/elegant

8e39cc4 gofmt

68f4136 Add SliceValue Comments

b22fc70 Expand SliceValue support to all slice and array types.

c6c0f0f Add first SliceValue implementations

9722382 Added String-To-Int64 option parsing (#211)

6d93a82 Merge pull request #201 from Fedosin/fix_descriptions

7be56ae Merge pull request #210 from dsbrng25b/master

4890c25 Fix package doc

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

@dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

Update frequency (including time of day and day of week)

Pull request limits (per update run and/or open at any time)

Out-of-range updates (receive only lockfile updates, if desired)

Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.
Add docker API integration to exploit docker socket
Currently, the user is given commands to run themselves. It would be better to:

[x] Exploit the docker socket using the docker library in order to gather more precise information on the system (what is available through docker info, docker ps -a and docker images for example.)

[x] Attempt to gain root access for the user and open an interactive terminal on the container within gorsair
Bump github.com/spf13/viper from 1.13.0 to 1.14.0
Bumps github.com/spf13/viper from 1.13.0 to 1.14.0.

Release notes

Sourced from github.com/spf13/viper's releases.

v1.14.0

What's Changed

Enhancements 🚀

feat: make Viper compile on platforms unsupported by fsnotify by @sagikazarmark in spf13/viper#1457

Fsnotify improvements by @sagikazarmark in spf13/viper#1458

Disable watch on appengine by @sagikazarmark in spf13/viper#1460

Breaking Changes 🛠

Drop support for Go 1.15 by @sagikazarmark in spf13/viper#1428

Dependency Updates ⬆️

build(deps): bump github.com/spf13/afero from 1.8.2 to 1.9.2 by @dependabot in spf13/viper#1406

build(deps): bump github.com/sagikazarmark/crypt from 0.6.0 to 0.7.0 by @dependabot in spf13/viper#1437

build(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1 by @dependabot in spf13/viper#1453

build(deps): bump github.com/fsnotify/fsnotify from 1.5.4 to 1.6.0 by @dependabot in spf13/viper#1449

chore: update crypt by @sagikazarmark in spf13/viper#1461

Full Changelog: https://github.com/spf13/viper/compare/v1.13.0...v1.14.0

Commits

b89e554 chore: update crypt

db9f89a chore: disable watch on appengine

4b8d148 refactor: use new Has fsnotify method for event matching

2e99a57 refactor: rename watch file to unsupported

dcb7f30 feat: fix compilation for all platforms unsupported by fsnotify

2e04739 ci: drop dedicated wasm build

b2234f2 ci: add build for aix

52009d3 feat: disable watcher on aix

b274f63 build(deps): bump github.com/fsnotify/fsnotify from 1.5.4 to 1.6.0

7c62cfd build(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bump github.com/spf13/cobra from 1.5.0 to 1.6.1
Bumps github.com/spf13/cobra from 1.5.0 to 1.6.1.

Release notes

Sourced from github.com/spf13/cobra's releases.

v1.6.1

Bug fixes 🐛

Fixes a panic when AddGroup isn't called before AddCommand(my-sub-command) is executed. This can happen within more complex cobra file structures that have many different inits to be executed. Now, the check for groups has been moved to ExecuteC and provides more flexibility when working with grouped commands - @marckhouzam (and shout out to @aawsome, @andig and @KINGSABRI for a deep investigation into this! 👏🏼)

v1.6.0

Summer 2022 Release

Some exciting changes make their way to Cobra! Command completions continue to get better and better (including adding --help and --version automatic flags to the completions list). Grouping is now possible in your help output as well! And you can now use the OnFinalize method to cleanup things when all "work" is done. Checkout the full changelog below:

Features 🌠

Add groups for commands in help: @aawsome @marckhouzam #1003

Support for case-insensitive command names: @YuviGold #1802

Expose ValidateRequiredFlags and ValidateFlagGroups: @skeetwu #1760

Add --version flag to help output: @fnickels #1707

Add --help and --version flag in completions: @marckhouzam #1813

Add OnFinalize method: @yann-soubeyrand #1788

Allow user to add completion for powershell alias: @marckhouzam #1621

Make InitDefaultcompletionCmd public: @gssbzn #1467

Deprecation 👎🏼

ExactValidArgs is deprecated (but not being removed entirely). This is abit nuanced, so checkout #1643 for further information and the updated user_guide.md on how this may affect you (and how you can take advantage of the correct behavior in the validators): @umarcor #1643

Bug fixes 🐛

Fix (bash-v2) activeHelp length check syntax: @scop #1762

Fix correct command path in see_also for yaml documentation: @zregvart #1771

Fix showing flags that shadow parent persistent flag in child help messaging: @brianpursley #1776

Dependencies 🗳️

Upgrade to use gopkg.in/yaml.v3: @tklauser #1766

Testing 🤔

Test on Golang 1.19: @umarcor & @jpmcb #1782

Renamed powershell completion tests: @marckhouzam #1803

Use action/setup-go cache: @umarcor #1783

Add workflow_dispatch to CI actions: @umarcor #1387

Add minimum GitHub token permissions for workflows: @varunsh-coder #1792

Docs ✏️

Fixup spelling for GitHub CLI: @eltociear #1744

Clarify SetContext documentation: @katexochen #1748

Instruct user to go install for binary: @marckhouzam #1726

User guide cleanup: @marckhouzam #1656

Document option to hide the default completion command: @marckhouzam #1779

Misc 💭

Add KubeVirt, CloudQuery, Cilium, Okteto, Zitadel, Allero to projects using cobra: @maiqueb #1741, @yevgenypats #1742, @tklauser #1745, @jLopezbarb #1759, @fforootd #1772, @dimabru #1819

Use correct stale action exempt yaml keys: @jpmcb #1800

... (truncated)

Commits

b43be99 Check for group presence after full initialization (#1839) (#1841)

8607918 feat: make InitDefaultCompletionCmd public (#1467)

2169adb Add groups for commands in help (#1003)

212ea40 Include --help and --version flag in completion (#1813)

d4040ad Allow user to add completion for powershell alias (#1621)

23fc5e0 ci: add minimum GitHub token permissions for workflows (#1792)

93d1913 Add OnFinalize method (#1788)

07034fe build(deps): bump actions/stale from 5 to 6 (#1815)

3dc9761 Add allero to list of projects using cobra (#1819)

7039e1f Add '--version' flag to Help output (#1707)

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bump github.com/spf13/viper from 1.12.0 to 1.13.0
Bumps github.com/spf13/viper from 1.12.0 to 1.13.0.

Release notes

Sourced from github.com/spf13/viper's releases.

v1.13.0

Important: This is the last release supporting Go 1.15.

What's Changed

Exciting New Features 🎉

Add etcd3 to supported remote providers by @franklinkim in spf13/viper#1371

Enhancements 🚀

Fix go-staticcheck failures (ST1005) by @mjmaisey in spf13/viper#1373

Use jsonc in markdown codeblocks for better readability by @HurSungYun in spf13/viper#1393

Add Go 1.19 support by @sagikazarmark in spf13/viper#1424

Adds support for uint16 with GetUint16 by @oxisto in spf13/viper#1405

Add a DebugTo convenience funtion by @bcrochet in spf13/viper#1414

Bug Fixes 🐛

Recurse into arrays when converting keys to lowercase by @awrichar in spf13/viper#1387

Dependency Updates ⬆️

build(deps): bump github.com/stretchr/testify from 1.7.1 to 1.7.2 by @dependabot in spf13/viper#1374

build(deps): bump github.com/subosito/gotenv from 1.3.0 to 1.4.0 by @dependabot in spf13/viper#1375

build(deps): bump github.com/pelletier/go-toml/v2 from 2.0.1 to 2.0.2 by @dependabot in spf13/viper#1378

build(deps): bump gopkg.in/yaml.v3 from 3.0.0 to 3.0.1 by @dependabot in spf13/viper#1360

build(deps): bump github.com/stretchr/testify from 1.7.2 to 1.7.3 by @dependabot in spf13/viper#1381

build(deps): bump github.com/stretchr/testify from 1.7.3 to 1.7.4 by @dependabot in spf13/viper#1384

build(deps): bump mheap/github-action-required-labels from 1 to 2 by @dependabot in spf13/viper#1383

build(deps): bump github.com/stretchr/testify from 1.7.4 to 1.8.0 by @dependabot in spf13/viper#1395

build(deps): bump github.com/subosito/gotenv from 1.4.0 to 1.4.1 by @dependabot in spf13/viper#1420

build(deps): bump github.com/pelletier/go-toml/v2 from 2.0.2 to 2.0.5 by @dependabot in spf13/viper#1422

build(deps): bump gopkg.in/ini.v1 from 1.66.4 to 1.67.0 by @dependabot in spf13/viper#1412

New Contributors

@mjmaisey made their first contribution in spf13/viper#1373

@HurSungYun made their first contribution in spf13/viper#1393

@franklinkim made their first contribution in spf13/viper#1371

@awrichar made their first contribution in spf13/viper#1387

@oxisto made their first contribution in spf13/viper#1405

@bcrochet made their first contribution in spf13/viper#1414

Full Changelog: https://github.com/spf13/viper/compare/v1.12.0...v1.13.0

Commits

57cc9a0 test: fix ini tests

8030d5b build(deps): bump gopkg.in/ini.v1 from 1.66.4 to 1.67.0

312417a Add a DebugTo convenience funtion

202060b Adds support for uint16 with GetUint16

97591f0 build: fix lint violations

9af8dae ci: upgrade golangci-lint

7b4f2b2 ci: add Go 1.19 to CI

601ec81 test: fix toml tests

d7f4832 build(deps): bump github.com/pelletier/go-toml/v2 from 2.0.2 to 2.0.5

c2f42f3 build(deps): bump github.com/subosito/gotenv from 1.4.0 to 1.4.1

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bump github.com/spf13/cobra from 1.4.0 to 1.5.0
Bumps github.com/spf13/cobra from 1.4.0 to 1.5.0.

Release notes

Sourced from github.com/spf13/cobra's releases.

v1.5.0

Spring 2022 Release 🌥️

Hello everyone! Welcome to another release of cobra. Completions continue to get better and better. This release adds a few really cool new features. We also continue to patch versions of our dependencies as they become available via dependabot. Happy coding!

Active help 👐🏼

Shout out to @marckhouzam for a big value add: Active Help spf13/cobra#1482. With active help, a program can provide some inline warnings or hints for users as they hit tab. Now, your CLIs can be even more intuitive to use!

Currently active help is only supported for bash V2 and zsh. Marc wrote a whole guide on how to do this, so make sure to give it a good read to learn how you can add this to your cobra code! https://github.com/spf13/cobra/blob/master/active_help.md

Group flags 🧑🏼‍🤝‍🧑🏼

Cobra now has the ability to mark flags as required or exclusive as a group. Shout out to our newest maintainer @johnSchnake for this! spf13/cobra#1654 Let's say you have a username flag that MUST be partnered with a password flag. Well, now, you can enforce those as being required together:

rootCmd.Flags().StringVarP(&u, "username", "u", "", "Username (required if password is set)") rootCmd.Flags().StringVarP(&pw, "password", "p", "", "Password (required if username is set)") rootCmd.MarkFlagsRequiredTogether("username", "password")

Flags may also be marked as "mutally exclusive" with the MarkFlagsMutuallyExclusive(string, string ... ) command API. Refer to our user guide documentation for further info!

Completions 👀

Add backwards-compatibility tests for legacyArgs() by @marckhouzam in spf13/cobra#1547

feat: Add how to load completions in your current zsh session by @ondrejsika in spf13/cobra#1608

Introduce FixedCompletions by @emersion in spf13/cobra#1574

Add shell completion to flag groups by @marckhouzam in spf13/cobra#1659

Modify brew prefix path in macOS system by @imxw in spf13/cobra#1719

perf(bash-v2): use backslash escape string expansion for tab by @scop in spf13/cobra#1682

style(bash-v2): out is not an array variable, do not refer to it as such by @scop in spf13/cobra#1681

perf(bash-v2): standard completion optimizations by @scop in spf13/cobra#1683

style(bash): out is not an array variable, do not refer to it as such by @scop in spf13/cobra#1684

perf(bash-v2): short-circuit descriptionless candidate lists by @scop in spf13/cobra#1686

perf(bash-v2): speed up filtering entries with descriptions by @scop in spf13/cobra#1689

perf(bash-v2): speed up filtering menu-complete descriptions by @scop in spf13/cobra#1692

fix(bash-v2): skip empty completions when filtering descriptions by @scop in spf13/cobra#1691

perf(bash-v2): read directly to COMPREPLY on descriptionless short circuit by @scop in spf13/cobra#1700

fix: Don't complete _command on zsh by @twpayne in spf13/cobra#1690

Improve fish_completions code quality by @t29kida in spf13/cobra#1515

Fix handling of descriptions for bash v3 by @marckhouzam in spf13/cobra#1735

undefined or nil Args default to ArbitraryArgs by @umarcor in spf13/cobra#1612

Add Command.SetContext by @joshcarp in spf13/cobra#1551

Wrap printf tab with quotes by @PapaCharlie in spf13/cobra#1665

Documentation 📝

Fixed typos in completions docs - @cuishuang spf13/cobra#1625

Removed CHANGELOG.md as it isn't updated - @johnSchnake spf13/cobra#1634

Minor typo fix in shell_completion.md - @danieldn spf13/cobra#1678

Changed branch name in the cobra generator link to 'main' - @skywalker2909 spf13/cobra#1645

Fix Command.Context comment by @katexochen in spf13/cobra#1639

... (truncated)

Commits

06b06a9 Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (#1697)

5f2ec3c Update shell completion to respect flag groups (#1659)

b9ca594 use errors.Is() to check for errors (#1730)

ea94a3d undefined or nil Args default to ArbitraryArgs (#1612)

7c9831d Fix handling of descriptions for bash v3 (#1735)

ed7bb9d Add unit test for fish completion (#1515)

f464d6c Add Active Help support (#1482)

7dc8b00 Bump actions/setup-go from 2 to 3 (#1660)

87ea180 Modify brew prefix path in macOS system (#1719)

ca8e3c2 Add Pulumi as a project using cobra (#1720)

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Add CLI flag to specify Docker version

my docker api version is 1.37 ,Echo is Docker API was unreachable: Error response from daemon: client version 1.39 is too new. Maximum supported API version is 1.37 ;Docker API was unreachable:error during connect: Get "http://00:0C:29:C6:5D:36:2375/v1.39/info": dial tcp: lookup 00:0C:29:C6:5D:36: no such host

This project is an implementation of Fermat's factorization method in which multiples of prime numbers are factored into their constituent primes

This project is an implementation of Fermat's factorization method in which multiples of prime numbers are factored into their constituent primes. It is a vanity attempt to break RSA Encryption which relies on prime multiples for encryption.

Jun 3, 2022

A tool to run queries in defined frequency and expose the count as prometheus metrics.

A tool to run queries in defined frequency and expose the count as prometheus metrics. Supports MongoDB and SQL

Jul 1, 2022

An easy way to add useful startup banners into your Go applications

Try browsing the code on Sourcegraph! Banner Add beautiful banners into your Go applications Table of Contents Motivation Usage API Command line flags

Jan 1, 2023

Yubigo is a Yubikey client API library that provides an easy way to integrate the Yubico Yubikey into your existing Go-based user authentication infrastructure.

yubigo Yubigo is a Yubikey client API library that provides an easy way to integrate the Yubikey into any Go application. Installation Installation is

Oct 27, 2022

Every grain of sand on Earth has its own ID.

SandID Every grain of sand on Earth has its own ID. Note that the algorithm used to generate the sandid.SandID mainly come from the UUID version 1. So

Dec 18, 2022

its a rebuild of saycheese with golang

sayBruh english |español use it at your own risk english about this Is a rebuild of saycheese with golang because the original saycheese use php and o

Sep 30, 2022

Visualize how a projects source code is distributed among its files and folders

Source Code Visualizer Visualize the code distribution in a project. Applications Applications include: Visualizing code distribution for more educate

Jul 31, 2022

Podman: A tool for managing OCI containers and pods

Podman: A tool for managing OCI containers and pods Podman (the POD MANager) is a tool for managing containers and images, volumes mounted into those

Jan 1, 2023

a tool for getting metrics in containers

read metrics in container if environment is container, the cpu ,memory is relative to container, else the metrics is relative to host. juejing link :

Oct 13, 2022

Apptainer: Application containers for Linux

Apptainer NOTE: The apptainer repo is currently working towards a v1.0.0 release and not ready for production in its current state. Until then, use th

Jan 6, 2023

Notification library for gophers and their furry friends.

Shoutrrr Notification library for gophers and their furry friends. Heavily inspired by caronc/apprise. Quick Start As a package Using shoutrrr is easy

Jan 3, 2023

[TOOL, CLI] - Filter and examine Go type structures, interfaces and their transitive dependencies and relationships. Export structural types as TypeScript value object or bare type representations.

typex Examine Go types and their transitive dependencies. Export results as TypeScript value objects (or types) declaration. Installation go get -u gi

Dec 6, 2022

Radiant is used for rapid development of enterprise application in Go, including RESTful APIs, web apps and backend services.

Mar 22, 2022

A boilerplate/starter project for quickly building APIs using Golang with Clean Architechture

Mar 2, 2022

Work with remote images registries - retrieving information, images, signing content

skopeo skopeo is a command line utility that performs various operations on container images and image repositories. skopeo does not require the user

Jan 5, 2023

Gorsair hacks its way into remote docker containers that expose their APIs

Gorsair

Install

From a release

From the sources

Command line options

How can I protect my containers from this attack

Owner

Brendan Le Glaunec

Comments

Install error

同学，您这个项目引入了191个开源组件，存在7个漏洞，辛苦升级一下

Are you trying to connect to a TLS-enabled daemon without TLS?

Fail when downloading Gorsair: syntax error near unexpected token `<'

Bump github.com/spf13/cobra from 1.5.0 to 1.6.0

v1.6.0

Summer 2022 Release

Features 🌠

Deprecation 👎🏼

Bug fixes 🐛

Dependencies 🗳️

Testing 🤔

Docs ✏️

Misc 💭

Bump github.com/spf13/pflag from 1.0.3 to 1.0.4

Add docker API integration to exploit docker socket

Bump github.com/spf13/viper from 1.13.0 to 1.14.0

v1.14.0

What's Changed

Enhancements 🚀

Breaking Changes 🛠

Dependency Updates ⬆️

Bump github.com/spf13/cobra from 1.5.0 to 1.6.1

v1.6.1

Bug fixes 🐛

v1.6.0

Summer 2022 Release

Features 🌠

Deprecation 👎🏼

Bug fixes 🐛

Dependencies 🗳️

Testing 🤔

Docs ✏️

Misc 💭

Bump github.com/spf13/viper from 1.12.0 to 1.13.0

v1.13.0

What's Changed

Exciting New Features 🎉

Enhancements 🚀

Bug Fixes 🐛

Dependency Updates ⬆️

New Contributors

Bump github.com/spf13/cobra from 1.4.0 to 1.5.0

v1.5.0

Spring 2022 Release 🌥️

Active help 👐🏼

Group flags 🧑🏼‍🤝‍🧑🏼

Completions 👀

Documentation 📝

Add CLI flag to specify Docker version

Related tags

This project is an implementation of Fermat's factorization method in which multiples of prime numbers are factored into their constituent primes

A tool to run queries in defined frequency and expose the count as prometheus metrics.

An easy way to add useful startup banners into your Go applications

Yubigo is a Yubikey client API library that provides an easy way to integrate the Yubico Yubikey into your existing Go-based user authentication infrastructure.

Every grain of sand on Earth has its own ID.

its a rebuild of saycheese with golang

Visualize how a projects source code is distributed among its files and folders

Podman: A tool for managing OCI containers and pods

a tool for getting metrics in containers

Apptainer: Application containers for Linux

Notification library for gophers and their furry friends.

[TOOL, CLI] - Filter and examine Go type structures, interfaces and their transitive dependencies and relationships. Export structural types as TypeScript value object or bare type representations.

Start of a project that would let people stay informed about safe running spaces in their area.

An implementation of standard generics APIs in Go.

A comparison of client tracing APIs

Gosfdc module - a collection of packages containing the data structures from the various Salesforce APIs and Tools

Radiant is used for rapid development of enterprise application in Go, including RESTful APIs, web apps and backend services.

A boilerplate/starter project for quickly building APIs using Golang with Clean Architechture

Work with remote images registries - retrieving information, images, signing content