From cc319327efa083b0b9898e740ba0a2bb3b79f5f8 Mon Sep 17 00:00:00 2001 From: felixncheng Date: Wed, 16 Aug 2023 14:52:30 +0800 Subject: [PATCH 1/9] =?UTF-8?q?feat:=20=E6=94=AF=E6=8C=81=E6=8F=92?= =?UTF-8?q?=E4=BB=B6=E9=87=8D=E5=AE=9A=E5=90=91=E4=B8=8B=E8=BD=BD=20#1069?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../artifact/manager/NodeForwardExtension.kt | 35 +++++++++++++++++++ .../common/artifact/manager/StorageManager.kt | 17 ++++++++- .../bkrepo/repository/pojo/node/NodeDetail.kt | 2 ++ 3 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/manager/NodeForwardExtension.kt diff --git a/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/manager/NodeForwardExtension.kt b/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/manager/NodeForwardExtension.kt new file mode 100644 index 0000000000..25e87513e5 --- /dev/null +++ b/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/manager/NodeForwardExtension.kt 
@@ -0,0 +1,35 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2023 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+package com.tencent.bkrepo.common.artifact.manager
+
+import com.tencent.bkrepo.repository.pojo.node.NodeDetail
+import com.tencent.devops.plugin.api.ExtensionPoint
+
+interface NodeForwardExtension : ExtensionPoint {
+ fun forward(node: NodeDetail, userId: String): NodeDetail?
+}
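Review bot: `forward` has no KDoc although its contract is security-relevant: the `NodeDetail` it returns is what StorageManager serves in place of the requested node (see the StorageManager.kt hunk in this patch), and no permission check on the returned node is visible there. I would document it on the method, e.g. `/** Returns the node to serve instead of [node], or null to serve [node] unchanged; implementations must verify that [userId] may read the returned node. */`. Stating who owns the authorization decision keeps plugin authors from assuming that the caller re-checks it.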
diff --git a/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/manager/StorageManager.kt b/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/manager/StorageManager.kt index 2df7f42ba2..46929dd857 100644 --- a/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/manager/StorageManager.kt +++ b/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/manager/StorageManager.kt @@ -35,6 +35,7 @@ import com.tencent.bkrepo.common.artifact.stream.ArtifactInputStream import com.tencent.bkrepo.common.artifact.stream.EmptyInputStream import com.tencent.bkrepo.common.artifact.stream.Range import com.tencent.bkrepo.common.artifact.util.http.HttpRangeUtils.resolveRange +import com.tencent.bkrepo.common.security.util.SecurityUtils import com.tencent.bkrepo.common.service.util.HttpContextHolder.getRequestOrNull import com.tencent.bkrepo.common.storage.core.StorageService import com.tencent.bkrepo.common.storage.credentials.StorageCredentials @@ -43,6 +44,8 @@ import com.tencent.bkrepo.repository.api.NodeClient import com.tencent.bkrepo.repository.pojo.node.NodeDetail import com.tencent.bkrepo.repository.pojo.node.NodeInfo import com.tencent.bkrepo.repository.pojo.node.service.NodeCreateRequest +import com.tencent.devops.plugin.api.PluginManager +import com.tencent.devops.plugin.api.applyExtension import org.slf4j.LoggerFactory import java.util.concurrent.atomic.AtomicBoolean @@ -64,6 +67,7 @@ class StorageManager( private val storageService: StorageService, private val nodeClient: NodeClient, private val nodeResourceFactoryImpl: NodeResourceFactoryImpl, + private val pluginManager: PluginManager ) { /** 
@@ -133,7 +137,18 @@ class StorageManager( node: NodeDetail?, storageCredentials: StorageCredentials? ): ArtifactInputStream? { - return loadArtifactInputStream(node?.nodeInfo, storageCredentials) + if (node == null) { + return null + } + var forwardNode: NodeDetail? = null + pluginManager.applyExtension { + forwardNode = forward(node, SecurityUtils.getUserId()) + forwardNode?.let { + logger.info("Load[${node.identity()}] forward to [${it.identity()}].") + } + } + val load = forwardNode ?: node + return loadArtifactInputStream(load.nodeInfo, storageCredentials) } companion object { private val logger = LoggerFactory.getLogger(StorageManager::class.java) diff --git a/src/backend/repository/api-repository/src/main/kotlin/com/tencent/bkrepo/repository/pojo/node/NodeDetail.kt b/src/backend/repository/api-repository/src/main/kotlin/com/tencent/bkrepo/repository/pojo/node/NodeDetail.kt index 5093af688c..e87346df71 100644 --- a/src/backend/repository/api-repository/src/main/kotlin/com/tencent/bkrepo/repository/pojo/node/NodeDetail.kt +++ b/src/backend/repository/api-repository/src/main/kotlin/com/tencent/bkrepo/repository/pojo/node/NodeDetail.kt @@ -91,4 +91,6 @@ data class NodeDetail( * 获取node所属package的版本 */ fun packageVersion() = metadata[METADATA_KEY_PACKAGE_VERSION]?.toString() + + fun identity(): String = "$projectId/$repoName/$fullPath" } From b63ae0e03be1f337e8660521d2044b204400ecae Mon Sep 17 00:00:00 2001 
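Review bot: In `loadArtifactInputStream` the node returned by a plugin is trusted as-is: `loadArtifactInputStream(load.nodeInfo, storageCredentials)` reuses the credentials that were resolved for the original node, and nothing in this hunk verifies that the forward target is readable by the current user or stored under the same credentials. If the target can live in another project or repository, resolve its credentials and permission before loading, or reject targets outside `node.projectId`/`node.repoName`. Separately, `forwardNode` is reassigned on each extension call, so if `applyExtension` visits several extensions (its definition is not shown) a later `null` discards an earlier result; `forwardNode = forwardNode ?: forward(node, SecurityUtils.getUserId())` keeps the first match. Adding the user id to the info log would make each redirect attributable in an audit.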
From: felixncheng Date: Thu, 24 Aug 2023 18:06:20 +0800 Subject: [PATCH 2/9] =?UTF-8?q?feat:=20=E5=88=B6=E5=93=81=E5=88=86?= =?UTF-8?q?=E6=9E=90=E6=94=AF=E6=8C=81=E7=A7=81=E6=9C=89=E9=95=9C=E5=83=8F?= =?UTF-8?q?=20#1086?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../arrowhead/ArrowheadScanExecutor.kt | 9 ++- .../scancodeCheck/ScancodeToolkitExecutor.kt | 4 +- .../executor/standard/StandardScanExecutor.kt | 4 +- .../executor/trivy/TrivyScanExecutor.kt | 8 +- .../executor/util/DockerScanHelper.kt | 14 +++- .../analyst/dispatcher/DockerDispatcher.kt | 12 ++- .../KubernetesDeploymentDispatcher.kt | 2 + .../dispatcher/KubernetesDispatcher.kt | 17 +++- .../bkrepo/analyst/dispatcher/dsl/PodDsl.kt | 15 ++++ .../analyst/dispatcher/dsl/SecretDsl.kt | 48 +++++++++++ .../tencent/bkrepo/analyst/utils/K8SHelper.kt | 81 +++++++++++++++++++ .../bkrepo/analyst/utils/ScannerUtil.kt | 58 +++++++++++++ .../scanner/arrowhead/ArrowheadScanner.kt | 4 + .../scanner/ScancodeToolkitScanner.kt | 4 + .../pojo/scanner/standard/StandardScanner.kt | 6 +- .../pojo/scanner/trivy/TrivyScanner.kt | 4 + .../pojo/scanner/utils/DockerUtils.kt | 29 ++++++- .../pojo/scanner/utils/DockerUtilsTest.kt | 45 +++++++++++ .../bkrepo/common/api/util/JsonUtils.kt | 4 +- 19 files changed, 351 insertions(+), 17 deletions(-) create mode 100644 src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/dispatcher/dsl/SecretDsl.kt create mode 100644 src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/utils/K8SHelper.kt create mode 100644 src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/utils/ScannerUtil.kt create mode 100644 src/backend/common/common-analysis/src/test/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/utils/DockerUtilsTest.kt 
diff --git a/src/backend/analysis-executor/biz-analysis-executor/src/main/kotlin/com/tencent/bkrepo/analysis/executor/arrowhead/ArrowheadScanExecutor.kt b/src/backend/analysis-executor/biz-analysis-executor/src/main/kotlin/com/tencent/bkrepo/analysis/executor/arrowhead/ArrowheadScanExecutor.kt index 6b41fe0383..2454a50f54 100644 --- a/src/backend/analysis-executor/biz-analysis-executor/src/main/kotlin/com/tencent/bkrepo/analysis/executor/arrowhead/ArrowheadScanExecutor.kt +++ b/src/backend/analysis-executor/biz-analysis-executor/src/main/kotlin/com/tencent/bkrepo/analysis/executor/arrowhead/ArrowheadScanExecutor.kt @@ -75,8 +75,13 @@ class ArrowheadScanExecutor @Autowired constructor( // 执行扫描 val result = dockerScanHelper.scan( - containerConfig.image, Binds(tmpBind, bind), listOf(containerConfig.args), - scannerInputFile, task + image = containerConfig.image, + binds=Binds(tmpBind, bind), + args = listOf(containerConfig.args), + scannerInputFile = scannerInputFile, + task = task, + userName = containerConfig.dockerRegistryUsername, + password = containerConfig.dockerRegistryPassword ) if (!result) { return scanStatus(task, taskWorkDir, SubScanTaskStatus.TIMEOUT) diff --git a/src/backend/analysis-executor/biz-analysis-executor/src/main/kotlin/com/tencent/bkrepo/analysis/executor/scancodeCheck/ScancodeToolkitExecutor.kt b/src/backend/analysis-executor/biz-analysis-executor/src/main/kotlin/com/tencent/bkrepo/analysis/executor/scancodeCheck/ScancodeToolkitExecutor.kt index 4c5c376464..8881828494 100644 --- a/src/backend/analysis-executor/biz-analysis-executor/src/main/kotlin/com/tencent/bkrepo/analysis/executor/scancodeCheck/ScancodeToolkitExecutor.kt +++ b/src/backend/analysis-executor/biz-analysis-executor/src/main/kotlin/com/tencent/bkrepo/analysis/executor/scancodeCheck/ScancodeToolkitExecutor.kt 
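Review bot: Style only: `binds=Binds(tmpBind, bind)` is the one named argument in this call written without spaces around `=`; `binds = Binds(tmpBind, bind),` matches the surrounding lines and the usual ktlint spacing rule. Passing the registry credentials by name is the right call-site form here, since `scan` gained two `String?` parameters directly after `image: String`.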
@@ -89,7 +89,9 @@ class ScancodeToolkitExecutor @Autowired constructor( binds = Binds(Bind(taskWorkDir.absolutePath, Volume(containerConfig.workDir))), args = containerCmd, scannerInputFile = scannerInputFile, - task = task + task = task, + userName = containerConfig.dockerRegistryUsername, + password = containerConfig.dockerRegistryPassword ) if (!result) { return scanStatus(task, taskWorkDir, SubScanTaskStatus.TIMEOUT) diff --git a/src/backend/analysis-executor/biz-analysis-executor/src/main/kotlin/com/tencent/bkrepo/analysis/executor/standard/StandardScanExecutor.kt b/src/backend/analysis-executor/biz-analysis-executor/src/main/kotlin/com/tencent/bkrepo/analysis/executor/standard/StandardScanExecutor.kt index 7e769821d7..292b6e8884 100644 --- a/src/backend/analysis-executor/biz-analysis-executor/src/main/kotlin/com/tencent/bkrepo/analysis/executor/standard/StandardScanExecutor.kt +++ b/src/backend/analysis-executor/biz-analysis-executor/src/main/kotlin/com/tencent/bkrepo/analysis/executor/standard/StandardScanExecutor.kt @@ -77,7 +77,9 @@ class StandardScanExecutor( binds = Binds(Bind(taskWorkDir.absolutePath, Volume(CONTAINER_WORK_DIR))), args = args, scannerInputFile = scannerInputFile, - task = task + task = task, + userName = scanner.dockerRegistryUsername, + password = scanner.dockerRegistryPassword ) return if (result) { SubScanTaskStatus.SUCCESS diff --git a/src/backend/analysis-executor/biz-analysis-executor/src/main/kotlin/com/tencent/bkrepo/analysis/executor/trivy/TrivyScanExecutor.kt b/src/backend/analysis-executor/biz-analysis-executor/src/main/kotlin/com/tencent/bkrepo/analysis/executor/trivy/TrivyScanExecutor.kt index 381ebf060b..798aefb14e 100644 --- a/src/backend/analysis-executor/biz-analysis-executor/src/main/kotlin/com/tencent/bkrepo/analysis/executor/trivy/TrivyScanExecutor.kt +++ b/src/backend/analysis-executor/biz-analysis-executor/src/main/kotlin/com/tencent/bkrepo/analysis/executor/trivy/TrivyScanExecutor.kt 
@@ -103,7 +103,13 @@ class TrivyScanExecutor @Autowired constructor( val cacheBind = Bind(cacheDir.absolutePath, Volume(CACHE_DIR)) val cmd = buildScanCmds(task, scannerInputFile) val result = dockerScanHelper.scan( - containerConfig.image, Binds(bind, cacheBind), cmd, scannerInputFile, task + image = containerConfig.image, + binds = Binds(bind, cacheBind), + args = cmd, + scannerInputFile = scannerInputFile, + task = task, + userName = containerConfig.dockerRegistryUsername, + password = containerConfig.dockerRegistryPassword ) if (!result) { return scanStatus(task, taskWorkDir, SubScanTaskStatus.TIMEOUT) diff --git a/src/backend/analysis-executor/biz-analysis-executor/src/main/kotlin/com/tencent/bkrepo/analysis/executor/util/DockerScanHelper.kt b/src/backend/analysis-executor/biz-analysis-executor/src/main/kotlin/com/tencent/bkrepo/analysis/executor/util/DockerScanHelper.kt index 3260a7dcc3..1cbe10cdc0 100644 --- a/src/backend/analysis-executor/biz-analysis-executor/src/main/kotlin/com/tencent/bkrepo/analysis/executor/util/DockerScanHelper.kt +++ b/src/backend/analysis-executor/biz-analysis-executor/src/main/kotlin/com/tencent/bkrepo/analysis/executor/util/DockerScanHelper.kt @@ -51,6 +51,8 @@ class DockerScanHelper( fun scan( image: String, + userName: String?, + password: String?, binds: Binds, args: List, scannerInputFile: File, @@ -60,8 +62,13 @@ class DockerScanHelper( // 创建容器 val maxFileSize = maxFileSize(scannerInputFile.length()) val hostConfig = DockerUtils.dockerHostConfig(binds, maxFileSize, task.scanner.memory) - val containerId = dockerClient.createContainer(image, hostConfig, args) - + val containerId = dockerClient.createContainer( + image = image, + hostConfig = hostConfig, + cmd = args, + userName = userName, + password = password + ) taskContainerIdMap[task.taskId] = containerId logger.info(CommonUtils.buildLogMsg(task, "run container instance Id [$containerId]")) try { 
@@ -70,7 +77,8 @@ class DockerScanHelper( val containerLogs = getContainerLogs(containerId) logger.info( CommonUtils.buildLogMsg( - task, "task docker run result[$result], [$containerId], logs:\n $containerLogs" + task, + "task docker run result[$result], [$containerId], logs:\n $containerLogs" ) ) return result diff --git a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/dispatcher/DockerDispatcher.kt b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/dispatcher/DockerDispatcher.kt index 0e8455bf40..d874a42288 100644 --- a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/dispatcher/DockerDispatcher.kt +++ b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/dispatcher/DockerDispatcher.kt @@ -58,7 +58,11 @@ class DockerDispatcher( private val subScanTaskDao: SubScanTaskDao, private val redisTemplate: ObjectProvider> ) : SubtaskPushDispatcher( - executionCluster, scannerProperties, scanService, subtaskStateMachine, temporaryScanTokenService + executionCluster, + scannerProperties, + scanService, + subtaskStateMachine, + temporaryScanTokenService ) { private val dockerClient by lazy { @@ -94,7 +98,11 @@ class DockerDispatcher( heartbeatTimeout = scannerProperties.heartbeatTimeout ) val containerId = dockerClient.createContainer( - image = scanner.image, hostConfig = hostConfig(), cmd = command + image = scanner.image, + userName = scanner.dockerRegistryUsername, + password = scanner.dockerRegistryPassword, + hostConfig = hostConfig(), + cmd = command ) dockerClient.startContainerCmd(containerId).exec() redisTemplate.ifAvailable diff --git a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/dispatcher/KubernetesDeploymentDispatcher.kt b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/dispatcher/KubernetesDeploymentDispatcher.kt index 29433c2af6..8f366cd207 100644 
--- a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/dispatcher/KubernetesDeploymentDispatcher.kt +++ b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/dispatcher/KubernetesDeploymentDispatcher.kt @@ -3,6 +3,7 @@ package com.tencent.bkrepo.analyst.dispatcher import com.tencent.bkrepo.analyst.configuration.ScannerProperties import com.tencent.bkrepo.analyst.dao.SubScanTaskDao import com.tencent.bkrepo.analyst.dispatcher.dsl.addContainerItem +import com.tencent.bkrepo.analyst.dispatcher.dsl.addImagePullSecretsItemIfNeed import com.tencent.bkrepo.analyst.dispatcher.dsl.limits import com.tencent.bkrepo.analyst.dispatcher.dsl.metadata import com.tencent.bkrepo.analyst.dispatcher.dsl.requests @@ -169,6 +170,7 @@ class KubernetesDeploymentDispatcher( name = deploymentName image = scanner.image command = cmd + addImagePullSecretsItemIfNeed(scanner, k8sProps) resources { limits( cpu = k8sProps.limitCpu, diff --git a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/dispatcher/KubernetesDispatcher.kt b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/dispatcher/KubernetesDispatcher.kt index 1f4b641ec1..d36e73c67a 100644 --- a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/dispatcher/KubernetesDispatcher.kt +++ b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/dispatcher/KubernetesDispatcher.kt @@ -29,6 +29,7 @@ package com.tencent.bkrepo.analyst.dispatcher import com.tencent.bkrepo.analyst.configuration.ScannerProperties import com.tencent.bkrepo.analyst.dispatcher.dsl.addContainerItem +import com.tencent.bkrepo.analyst.dispatcher.dsl.addImagePullSecretsItemIfNeed import com.tencent.bkrepo.analyst.dispatcher.dsl.limits import com.tencent.bkrepo.analyst.dispatcher.dsl.metadata import com.tencent.bkrepo.analyst.dispatcher.dsl.requests 
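Review bot: `addImagePullSecretsItemIfNeed` is declared as an extension on `V1PodSpec` (PodDsl.kt in this patch) but is called here between `command = cmd` and `resources { … }`, which reads as the container block. If that is the case, it resolves only through the outer pod-spec receiver that is still implicitly in scope, which is easy to misread and would stop compiling if the DSL ever gains a `@DslMarker`. I would move the call up to the pod-spec lambda, next to `addContainerItem { … }`; the same placement appears in the KubernetesDispatcher.kt hunk after `image = containerImage`. The enclosing lambdas start outside both hunks, so the receiver chain is inferred from the property names.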
@@ -59,7 +60,11 @@ class KubernetesDispatcher( subtaskStateMachine: StateMachine, temporaryScanTokenService: TemporaryScanTokenService, ) : SubtaskPushDispatcher( - executionCluster, scannerProperties, scanService, subtaskStateMachine, temporaryScanTokenService + executionCluster, + scannerProperties, + scanService, + subtaskStateMachine, + temporaryScanTokenService ) { private val client by lazy { createClient(executionCluster.kubernetesProperties) } @@ -163,6 +168,7 @@ class KubernetesDispatcher( name = jobName image = containerImage command = cmd + addImagePullSecretsItemIfNeed(scanner, k8sProps) resources { requests( cpu = k8sProps.requestCpu, @@ -219,7 +225,14 @@ class KubernetesDispatcher( return ignoreApiException { val namespace = executionCluster.kubernetesProperties.namespace batchV1Api.deleteNamespacedJob( - jobName, namespace, null, null, null, null, "Foreground", null + jobName, + namespace, + null, + null, + null, + null, + "Foreground", + null ) logger.info("job[$jobName] clean success") true diff --git a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/dispatcher/dsl/PodDsl.kt b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/dispatcher/dsl/PodDsl.kt index ab54bfd729..93bb112eb2 100644 --- a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/dispatcher/dsl/PodDsl.kt +++ b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/dispatcher/dsl/PodDsl.kt 
@@ -1,7 +1,11 @@ package com.tencent.bkrepo.analyst.dispatcher.dsl +import com.tencent.bkrepo.analyst.pojo.execution.KubernetesExecutionClusterProperties +import com.tencent.bkrepo.analyst.utils.ScannerUtil +import com.tencent.bkrepo.common.analysis.pojo.scanner.standard.StandardScanner import io.kubernetes.client.custom.Quantity import io.kubernetes.client.openapi.models.V1Container +import io.kubernetes.client.openapi.models.V1LocalObjectReference import io.kubernetes.client.openapi.models.V1ObjectMeta import io.kubernetes.client.openapi.models.V1PodSpec import io.kubernetes.client.openapi.models.V1PodTemplateSpec @@ -69,3 +73,14 @@ fun V1ResourceRequirements.limits(cpu: Double, memory: Long, ephemeralStorage: L ) ) } + +fun V1PodSpec.addImagePullSecretsItemIfNeed( + scanner: StandardScanner, + k8sClusterProp: KubernetesExecutionClusterProperties +) { + if (ScannerUtil.isPrivateImage(scanner)) { + val secret = ScannerUtil.getOrCreateSecret(scanner, k8sClusterProp) + val secretName = secret.metadata!!.name + addImagePullSecretsItem(V1LocalObjectReference().name(secretName)) + } +} diff --git a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/dispatcher/dsl/SecretDsl.kt b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/dispatcher/dsl/SecretDsl.kt new file mode 100644 index 0000000000..1a9602cf7d --- /dev/null +++ b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/dispatcher/dsl/SecretDsl.kt 
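Review bot: `addImagePullSecretsItemIfNeed` does more than configure the spec: through `ScannerUtil.getOrCreateSecret` it builds a new `K8SHelper` and reads or creates a Secret in the cluster every time a pod spec is assembled, and `secret.metadata!!.name` then passes a possibly-null name to `V1LocalObjectReference`. A failed Secret call therefore surfaces from inside the DSL builder, and a Secret returned without a name would yield a pod that cannot pull its image. I would resolve the secret name before building the spec and replace the assertion with `val secretName = requireNotNull(secret.metadata?.name) { "image pull secret has no name" }`. A short KDoc stating the cluster side effect would also help callers.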
@@ -0,0 +1,48 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2023 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+package com.tencent.bkrepo.analyst.dispatcher.dsl
+
+import io.kubernetes.client.openapi.models.V1ObjectMeta
+import io.kubernetes.client.openapi.models.V1Secret
+
+/**
+ * 创建Secret并配置
+ */
+fun V1Secret(configuration: V1Secret.() -> Unit): V1Secret {
+ return V1Secret().apply(configuration)
+}
+
+/**
+ * 配置Secret元数据
+ */
+fun V1Secret.metadata(configuration: V1ObjectMeta.() -> Unit) {
+ if (metadata == null) {
+ metadata = V1ObjectMeta()
+ }
+ metadata!!.configuration()
+}
diff --git a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/utils/K8SHelper.kt b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/utils/K8SHelper.kt new file mode 100644 index 0000000000..96613fbcd3 --- /dev/null +++ b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/utils/K8SHelper.kt 
@@ -0,0 +1,81 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2023 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+package com.tencent.bkrepo.analyst.utils
+
+import com.tencent.bkrepo.analyst.dispatcher.createClient
+import com.tencent.bkrepo.analyst.dispatcher.dsl.V1Secret
+import com.tencent.bkrepo.analyst.dispatcher.dsl.metadata
+import com.tencent.bkrepo.analyst.pojo.execution.KubernetesExecutionClusterProperties
+import com.tencent.bkrepo.common.api.util.jsonCompress
+import io.kubernetes.client.openapi.apis.CoreV1Api
+import io.kubernetes.client.openapi.models.V1Secret
+import org.slf4j.LoggerFactory
+import java.util.*
+
+class K8SHelper(k8sProp: KubernetesExecutionClusterProperties) {
+
+ private val client by lazy { createClient(k8sProp) }
+ private val coreV1Api by lazy { CoreV1Api(client) }
+ private val namespace by lazy { k8sProp.namespace }
+ private val logger = LoggerFactory.getLogger(K8SHelper::class.java)
+ fun createSecret(
+ secretName: String,
+ dockerServer: String,
+ dockerUserName: String,
+ dockerPassword: String
+ ): V1Secret {
+ val dockerAuthBytes = "$dockerUserName:$dockerPassword".toByteArray()
+ val dockerAuth = Base64.getEncoder().encodeToString(dockerAuthBytes)
+ val dockerConfigJson = """
+ {
+ "auths": {
+ "$dockerServer": {
+ "username": "$dockerUserName",
+ "password": "$dockerPassword",
+ "auth": "$dockerAuth"
+ }
+ }
+ }
+ """.trimIndent().jsonCompress()
+ val pullSecret = V1Secret {
+ metadata {
+ name = secretName
+ namespace = this@K8SHelper.namespace
+ }
+ type = "kubernetes.io/dockerconfigjson"
+ data = mapOf(".dockerconfigjson" to dockerConfigJson.encodeToByteArray())
+ }
+ coreV1Api.createNamespacedSecret(namespace, pullSecret, null, null, null)
+ logger.info("Success to create secret[$secretName] on $namespace.")
+ return pullSecret
+ }
+
+ fun getSecret(secretName: String): V1Secret? {
+ return coreV1Api.readNamespacedSecret(secretName, namespace, null, null, null)
+ }
+}
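Review bot: `createSecret` assembles `.dockerconfigjson` by interpolating `dockerServer`, `dockerUserName` and `dockerPassword` into a JSON template, so a quote or backslash in any of them yields invalid JSON or lets the value add keys of its own to the pull secret. Building the structure as a map and serializing it removes the escaping problem and makes the `trimIndent().jsonCompress()` step unnecessary. The existing `logger.info` prints only the secret name and namespace, which is the right amount of detail to keep.

```kotlin
val dockerAuth = Base64.getEncoder().encodeToString(dockerAuthBytes)
val dockerConfig = mapOf(
    "auths" to mapOf(
        dockerServer to mapOf(
            "username" to dockerUserName,
            "password" to dockerPassword,
            "auth" to dockerAuth
        )
    )
)
// toJsonString() is the Jackson-backed extension from common-api JsonUtils; any JSON serializer works
val dockerConfigJson = dockerConfig.toJsonString()
// … unchanged: V1Secret { … } construction and createNamespacedSecret call …
```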
diff --git a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/utils/ScannerUtil.kt b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/utils/ScannerUtil.kt new file mode 100644 index 0000000000..fee7e1cce4 --- /dev/null +++ b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/utils/ScannerUtil.kt 
@@ -0,0 +1,58 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2023 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */ + +package com.tencent.bkrepo.analyst.utils + +import com.tencent.bkrepo.analyst.pojo.execution.KubernetesExecutionClusterProperties +import com.tencent.bkrepo.common.analysis.pojo.scanner.standard.StandardScanner +import com.tencent.bkrepo.common.analysis.pojo.scanner.utils.DockerUtils.determineDockerServer +import io.kubernetes.client.openapi.models.V1Secret + +object ScannerUtil { + + fun getOrCreateSecret(scanner: StandardScanner, k8sClusterProp: KubernetesExecutionClusterProperties): V1Secret { + with(scanner) { + require(isPrivateImage(this)) + val helper = K8SHelper(k8sClusterProp) + val secretName = scanner.name + val dockerRegistryServer = determineDockerServer(image) + return helper.getSecret(secretName) ?: helper.createSecret( + secretName, + dockerRegistryServer, + dockerRegistryUsername!!, + dockerRegistryPassword!! + ) + } + } + + fun isPrivateImage(scanner: StandardScanner): Boolean { + with(scanner) { + return dockerRegistryUsername != null && + dockerRegistryPassword != null + } + } +} diff --git a/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/arrowhead/ArrowheadScanner.kt b/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/arrowhead/ArrowheadScanner.kt index 859e2f3f0e..8791442777 100644 --- a/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/arrowhead/ArrowheadScanner.kt +++ b/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/arrowhead/ArrowheadScanner.kt @@ -63,6 +63,10 @@ class ArrowheadScanner( data class ArrowheadDockerImage( @ApiModelProperty("使用的镜像名和版本") val image: String, + @ApiModelProperty("docker仓库用户") + val dockerRegistryUsername: String?, + @ApiModelProperty("docker仓库密码") + val dockerRegistryPassword: String?, @ApiModelProperty("容器启动参数") val args: String = "/data/standalone.toml", @ApiModelProperty("容器内的工作目录") 
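Review bot: `helper.getSecret(secretName) ?: helper.createSecret(...)` relies on `getSecret` returning null for a missing Secret, but `K8SHelper.getSecret` calls `readNamespacedSecret` directly, and the Kubernetes Java client reports a 404 as an `ApiException` rather than a null result, so the create branch is probably never reached on first use. Mapping that case inside `getSecret`, e.g. `catch (e: ApiException) { if (e.code == 404) null else throw e }`, makes the elvis work as intended. An existing Secret named `scanner.name` is also reused without checking that it holds the scanner's current credentials, so a rotated password or an unrelated Secret with the same name would go unnoticed; a dedicated name prefix and replacing the Secret when the credentials differ would close that gap. `require(isPrivateImage(this))` would benefit from a message.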
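Review bot: `dockerRegistryPassword` is added to `ArrowheadDockerImage` as a plain `String?` carrying only an `@ApiModelProperty` annotation, so as far as this hunk shows it will be serialized with the rest of the scanner configuration wherever that model is returned or logged. StandardScanner.kt already imports `Sensitive` and `MaskPartString` (visible in its first hunk), so I would mark the new field the same way the existing sensitive fields are marked there, or keep the secret out of the response model altogether. The same applies to the fields added in ScancodeToolkitScanner.kt, StandardScanner.kt and TrivyScanner.kt.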
diff --git a/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/scanCodeCheck/scanner/ScancodeToolkitScanner.kt b/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/scanCodeCheck/scanner/ScancodeToolkitScanner.kt index 8ab072f3ca..16e3155944 100644 --- a/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/scanCodeCheck/scanner/ScancodeToolkitScanner.kt +++ b/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/scanCodeCheck/scanner/ScancodeToolkitScanner.kt @@ -47,6 +47,10 @@ class ScancodeToolkitScanner( data class ScancodeToolkitDockerImage( @ApiModelProperty("使用的镜像名和版本") val image: String, + @ApiModelProperty("docker仓库用户") + val dockerRegistryUsername: String?, + @ApiModelProperty("docker仓库密码") + val dockerRegistryPassword: String?, @ApiModelProperty("容器内的工作目录") val workDir: String = "/data", @ApiModelProperty("输入目录,相对于workDir的路径") diff --git a/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/standard/StandardScanner.kt b/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/standard/StandardScanner.kt index b80ec7dfed..5a50d2f0de 100644 --- a/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/standard/StandardScanner.kt +++ b/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/standard/StandardScanner.kt 
@@ -27,8 +27,8 @@ package com.tencent.bkrepo.common.analysis.pojo.scanner.standard -import com.tencent.bkrepo.common.api.constant.CharPool.COLON import com.tencent.bkrepo.common.analysis.pojo.scanner.Scanner +import com.tencent.bkrepo.common.api.constant.CharPool.COLON import com.tencent.bkrepo.common.operate.api.annotation.Sensitive import com.tencent.bkrepo.common.operate.api.handler.MaskPartString import io.swagger.annotations.ApiModel @@ -42,6 +42,10 @@ class StandardScanner( override val name: String, @ApiModelProperty("扫描器镜像") val image: String, + @ApiModelProperty("docker仓库用户") + val dockerRegistryUsername: String?, + @ApiModelProperty("docker仓库密码") + val dockerRegistryPassword: String?, @ApiModelProperty("扫描器容器启动CMD") val cmd: String, override val version: String = image.substring(image.lastIndexOf(COLON) + 1, image.length), diff --git a/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/trivy/TrivyScanner.kt b/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/trivy/TrivyScanner.kt index 914fe3b8af..73ce853f69 100644 --- a/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/trivy/TrivyScanner.kt +++ b/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/trivy/TrivyScanner.kt @@ -63,6 +63,10 @@ data class VulDbConfig( data class TrivyDockerImage( @ApiModelProperty("使用的镜像名和版本") val image: String, + @ApiModelProperty("docker仓库用户") + val dockerRegistryUsername: String?, + @ApiModelProperty("docker仓库密码") + val dockerRegistryPassword: String?, @ApiModelProperty("容器内的工作目录") val workDir: String = "/data", @ApiModelProperty("输入目录,相对于workDir的路径") 
diff --git a/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/utils/DockerUtils.kt b/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/utils/DockerUtils.kt index 3251f55358..b0aaff2fd2 100644 --- a/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/utils/DockerUtils.kt +++ b/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/utils/DockerUtils.kt @@ -30,6 +30,7 @@ package com.tencent.bkrepo.common.analysis.pojo.scanner.utils import com.github.dockerjava.api.DockerClient import com.github.dockerjava.api.command.PullImageResultCallback import com.github.dockerjava.api.command.WaitContainerResultCallback +import com.github.dockerjava.api.model.AuthConfig import com.github.dockerjava.api.model.Binds import com.github.dockerjava.api.model.HostConfig import com.github.dockerjava.api.model.Ulimit @@ -52,10 +53,16 @@ object DockerUtils { */ private const val CONTAINER_CPU_SHARES = 512 + const val DEFAULT_DOCKER_SERVER = "https://index.docker.io/v1/" + /** * 拉取镜像 */ - fun DockerClient.pullImage(tag: String) { + fun DockerClient.pullImage( + tag: String, + userName: String?, + password: String?, + ) { val images = listImagesCmd().exec() val exists = images.any { image -> image.repoTags.any { it == tag } @@ -66,6 +73,11 @@ object DockerUtils { logger.info("pulling image: $tag") val elapsedTime = measureTimeMillis { val result = pullImageCmd(tag) + .withAuthConfig( + AuthConfig() + .withUsername(userName) + .withPassword(password) + ) .exec(PullImageResultCallback()) .awaitCompletion(DEFAULT_PULL_IMAGE_DURATION, TimeUnit.MILLISECONDS) if (!result) { 
@@ -77,11 +89,13 @@ object DockerUtils { fun DockerClient.createContainer( image: String, + userName: String?, + password: String?, hostConfig: HostConfig? = null, cmd: List? = null ): String { // 拉取镜像 - pullImage(image) + pullImage(image, userName, password) // 创建容器 val createCmd = createContainerCmd(image) hostConfig?.let { createCmd.withHostConfig(it) } @@ -125,5 +139,14 @@ object DockerUtils { } } } -} + fun determineDockerServer(image: String): String { + image.split("/").apply { + return if (size > 2) { + first() + } else { + DEFAULT_DOCKER_SERVER + } + } + } +} diff --git a/src/backend/common/common-analysis/src/test/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/utils/DockerUtilsTest.kt b/src/backend/common/common-analysis/src/test/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/utils/DockerUtilsTest.kt new file mode 100644 index 0000000000..f4e723f265 --- /dev/null +++ b/src/backend/common/common-analysis/src/test/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/utils/DockerUtilsTest.kt 
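Review bot: `determineDockerServer` decides by path depth (`size > 2`), so a private-registry reference with a single path component, such as `registry.example.com/scanner:1.0` (constructed example), falls through to `DEFAULT_DOCKER_SERVER`, and a pull secret built from that result would file the credentials under the Docker Hub server name instead of the registry that serves the image. Docker's own rule looks at the first component: it is a registry host when it contains `.` or `:` or equals `localhost`. Something like `val head = image.substringBefore('/', "")` followed by `return if (head.contains('.') || head.contains(':') || head == "localhost") head else DEFAULT_DOCKER_SERVER` covers both cases. The new test in the next file would then need a two-component registry reference as an extra case.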
@@ -0,0 +1,45 @@ +/* + * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available. + * + * Copyright (C) 2023 THL A29 Limited, a Tencent company. All rights reserved. + * + * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license. + * + * A copy of the MIT License is included in this file. + * + * + * Terms of the MIT License: + * --------------------------------------------------- + * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated + * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the + * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all copies or substantial portions of + * the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT + * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN + * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, + * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ */ + +package com.tencent.bkrepo.common.analysis.pojo.scanner.utils + +import com.tencent.bkrepo.common.analysis.pojo.scanner.utils.DockerUtils.DEFAULT_DOCKER_SERVER +import org.junit.jupiter.api.Assertions +import org.junit.jupiter.api.Test + +class DockerUtilsTest { + @Test + fun determineDockerServer() { + Assertions.assertEquals( + "ghcr.io", + DockerUtils.determineDockerServer("ghcr.io/xxx/xxx/xxx") + ) + Assertions.assertEquals("ghcr.io", DockerUtils.determineDockerServer("ghcr.io/xxx/xxx")) + Assertions.assertEquals(DEFAULT_DOCKER_SERVER, DockerUtils.determineDockerServer("grpc/xxx")) + Assertions.assertEquals(DEFAULT_DOCKER_SERVER, DockerUtils.determineDockerServer("debian")) + } +} diff --git a/src/backend/common/common-api/src/main/kotlin/com/tencent/bkrepo/common/api/util/JsonUtils.kt b/src/backend/common/common-api/src/main/kotlin/com/tencent/bkrepo/common/api/util/JsonUtils.kt index 6904c16077..77932159cb 100644 --- a/src/backend/common/common-api/src/main/kotlin/com/tencent/bkrepo/common/api/util/JsonUtils.kt +++ b/src/backend/common/common-api/src/main/kotlin/com/tencent/bkrepo/common/api/util/JsonUtils.kt @@ -80,10 +80,10 @@ object JsonUtils { */ fun Any.toJsonString() = JsonUtils.objectMapper.writeValueAsString(this).orEmpty() - fun toJson(any: Any): String { return any.toJsonString().replace(System.lineSeparator(), "") } + /** * 将json字符串反序列化为对象 */ @@ -93,3 +93,5 @@ inline fun String.readJsonString(): T = JsonUtils.objectMapper.readV * 将json字符串流反序列化为对象 */ inline fun InputStream.readJsonString(): T = JsonUtils.objectMapper.readValue(this, jacksonTypeRef()) + +fun String.jsonCompress() = this.replace("\\s|\\t|\\r|\\n".toRegex(), "") From 886638f429d92d219bdb94931eae3dff257bbe4d Mon Sep 17 00:00:00 2001 
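Review bot: `jsonCompress` removes every whitespace character in the string, including whitespace inside JSON string values, so any value that legitimately contains a space is silently altered. `K8SHelper` imports this function in the same series, presumably for the registry secret payload, where a changed value would only show up as a failed image pull. Re-serialising through the mapper this file already owns gives compact output without touching values, for example `JsonUtils.objectMapper.readTree(this).toString()`. If the regex stays, `\\s` already covers `\\t`, `\\r` and `\\n`, and a KDoc line should state that the input must not contain significant whitespace.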
From: felixncheng Date: Fri, 25 Aug 2023 17:16:00 +0800 Subject: [PATCH 3/9] =?UTF-8?q?feat:=20=E5=88=B6=E5=93=81=E5=88=86?= =?UTF-8?q?=E6=9E=90ToolInput=E6=94=AF=E6=8C=81metadata=20#1093?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../executor/standard/StandardScanExecutor.kt | 3 ++- .../service/impl/TemporaryScanTokenServiceImpl.kt | 2 +- .../pojo/scanner/standard/StandardScanner.kt | 12 +++++++++++- .../analysis/pojo/scanner/standard/ToolInput.kt | 15 ++++++++++++++- 4 files changed, 28 insertions(+), 4 deletions(-) diff --git a/src/backend/analysis-executor/biz-analysis-executor/src/main/kotlin/com/tencent/bkrepo/analysis/executor/standard/StandardScanExecutor.kt b/src/backend/analysis-executor/biz-analysis-executor/src/main/kotlin/com/tencent/bkrepo/analysis/executor/standard/StandardScanExecutor.kt index 292b6e8884..7793064e18 100644 --- a/src/backend/analysis-executor/biz-analysis-executor/src/main/kotlin/com/tencent/bkrepo/analysis/executor/standard/StandardScanExecutor.kt +++ b/src/backend/analysis-executor/biz-analysis-executor/src/main/kotlin/com/tencent/bkrepo/analysis/executor/standard/StandardScanExecutor.kt @@ -123,7 +123,8 @@ class StandardScanExecutor( task.repoType, scannerInputFile.length(), task.packageKey, - task.packageVersion + task.packageVersion, + task.extra ) val toolInput = ToolInput.create( task.taskId, convertToContainerPath(scannerInputFile.absolutePath, workDir), sha256, args diff --git a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/impl/TemporaryScanTokenServiceImpl.kt b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/impl/TemporaryScanTokenServiceImpl.kt index 91c686c53f..ae87ab6118 100644 --- a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/impl/TemporaryScanTokenServiceImpl.kt 
+++ b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/impl/TemporaryScanTokenServiceImpl.kt @@ -166,7 +166,7 @@ class TemporaryScanTokenServiceImpl( value.copy(url = url) } - val args = ToolInput.generateArgs(scanner, repoType, packageSize, packageKey, version) + val args = ToolInput.generateArgs(scanner, repoType, packageSize, packageKey, version, extra) return ToolInput.create(taskId, fileUrls, args) } } diff --git a/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/standard/StandardScanner.kt b/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/standard/StandardScanner.kt index 5a50d2f0de..c379438fdd 100644 --- a/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/standard/StandardScanner.kt +++ b/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/standard/StandardScanner.kt @@ -71,7 +71,17 @@ class StandardScanner( val value: String? = null, @ApiModelProperty("描述") val des: String = "" - ) + ) { + companion object { + fun string(key: String, value: String = "", desc: String? = ""): Argument { + return Argument(ArgumentType.STRING.name, key, value, desc.orEmpty()) + } + + fun number(key: String, value: Number, desc: String? = ""): Argument { + return Argument(ArgumentType.NUMBER.name, key, value.toString(), desc.orEmpty()) + } + } + } /** * 参数类型 diff --git a/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/standard/ToolInput.kt b/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/standard/ToolInput.kt index 2a0ac282da..2c488d8d47 100644 --- a/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/standard/ToolInput.kt 
+++ b/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/standard/ToolInput.kt @@ -87,7 +87,8 @@ data class ToolInput( packageType: String, packageSize: Long, packageKey: String? = null, - packageVersion: String? = null + packageVersion: String? = null, + extra: Map? ): List { val args = scanner.args.toMutableList() args.add(Argument(STRING.name, StandardScanner.ARG_KEY_PKG_TYPE, packageType)) @@ -99,8 +100,20 @@ data class ToolInput( packageVersion?.let { args.add(Argument(StandardScanner.ArgumentType.STRING.name, StandardScanner.ARG_KEY_PKG_VERSION, it)) } + extra?.let { addExtra(args, extra) } return args } + + private fun addExtra(args: MutableList, extra: Map) { + extra.forEach { (key, value) -> + val arg = when (value) { + is String -> Argument.string(key, value) + is Number -> Argument.number(key, value) + else -> Argument.string(key, value.toString()) + } + args.add(arg) + } + } } } From 6709ac6ffcea30ebc35c8678716ba9abc1de8b70 Mon Sep 17 00:00:00 2001 From: felixncheng Date: Mon, 28 Aug 2023 11:58:21 +0800 Subject: [PATCH 4/9] =?UTF-8?q?feat:=20=E5=88=B6=E5=93=81=E5=88=86?= =?UTF-8?q?=E6=9E=90=E6=94=AF=E6=8C=81=E7=A7=81=E6=9C=89=E9=95=9C=E5=83=8F?= =?UTF-8?q?=20#1086?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../kotlin/com/tencent/bkrepo/analyst/utils/K8SHelper.kt | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/utils/K8SHelper.kt b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/utils/K8SHelper.kt index 96613fbcd3..2ab3321849 100644 --- a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/utils/K8SHelper.kt +++ b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/utils/K8SHelper.kt 
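Review bot: `addExtra` appends every entry of `extra` to the argument list without looking at the key, so an entry whose key matches one already supplied by `scanner.args` or one of the reserved `StandardScanner.ARG_KEY_*` names ends up as a duplicate argument, and which value the tool honours is left to the consumer. Whether `task.extra` can be influenced by the user who submits the scan is not visible in this patch; if it can, a submitter could shadow scanner-defined arguments. I would skip or reject keys that are already present before `args.add(arg)` and add a KDoc line on `generateArgs` saying that `extra` values other than `String` and `Number` are passed as their `toString()`. The new `extra` parameter also has no default, unlike `packageKey` and `packageVersion` before it.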
@@ -32,6 +32,7 @@ import com.tencent.bkrepo.analyst.dispatcher.dsl.V1Secret import com.tencent.bkrepo.analyst.dispatcher.dsl.metadata import com.tencent.bkrepo.analyst.pojo.execution.KubernetesExecutionClusterProperties import com.tencent.bkrepo.common.api.util.jsonCompress +import io.kubernetes.client.openapi.ApiException import io.kubernetes.client.openapi.apis.CoreV1Api import io.kubernetes.client.openapi.models.V1Secret import org.slf4j.LoggerFactory @@ -76,6 +77,11 @@ class K8SHelper(k8sProp: KubernetesExecutionClusterProperties) { } fun getSecret(secretName: String): V1Secret? { - return coreV1Api.readNamespacedSecret(secretName, namespace, null, null, null) + return try { + coreV1Api.readNamespacedSecret(secretName, namespace, null, null, null) + } catch (e: ApiException) { + logger.info("Can't get secret[$secretName],cause ${e.message}") + null + } } } From e736f7747bee0c3bcaa823fb947b563758f99a5c Mon Sep 17 00:00:00 2001 From: felixncheng Date: Tue, 29 Aug 2023 12:21:16 +0800 Subject: [PATCH 5/9] =?UTF-8?q?feat:=20=E6=A0=87=E8=AF=86=E5=88=B6?= =?UTF-8?q?=E5=93=81=E5=88=86=E6=9E=90=E4=B8=B4=E6=97=B6=E6=96=87=E4=BB=B6?= =?UTF-8?q?=E4=B8=8B=E8=BD=BD=E9=93=BE=E6=8E=A5=20#1103?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../tencent/bkrepo/analyst/api/ScanClient.kt | 8 ++++++++ .../analyst/controller/ScanController.kt | 19 ++++++++++++++++--- .../impl/TemporaryScanTokenServiceImpl.kt | 3 ++- 3 files changed, 26 insertions(+), 4 deletions(-) diff --git a/src/backend/analyst/api-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/api/ScanClient.kt b/src/backend/analyst/api-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/api/ScanClient.kt index 978a051b90..6f671f73cb 100644 --- a/src/backend/analyst/api-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/api/ScanClient.kt +++ b/src/backend/analyst/api-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/api/ScanClient.kt 
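Review bot: The new `catch (e: ApiException)` in `getSecret` turns every API failure into `null`, so a 403, a timeout or a server error is indistinguishable from "secret does not exist", and the `getOrCreateSecret` caller added earlier in this series then goes on to `createSecret`. Only a not-found response should map to `null`: `if (e.code == 404) null else throw e`. For `ApiException` the useful detail is usually in `e.responseBody` rather than `e.message`, and a failed read of a credential object deserves `warn` rather than `info`.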
@@ -98,4 +98,12 @@ interface ScanClient { @ApiParam(value = "许可证唯一标识集合") @RequestBody licenseIds: List ): Response> + + /** + * 校验token + * + * @return 通过返回true,否则返回false + * */ + @GetMapping("/token/verify") + fun verifyToken(@RequestParam subtaskId: String, @RequestParam token: String): Response } diff --git a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/ScanController.kt b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/ScanController.kt index 68fb1bc4f9..a7b6a2643b 100644 --- a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/ScanController.kt +++ b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/ScanController.kt 
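Review bot: `verifyToken` takes the scan token as a `@RequestParam` on a `GET`, so the token becomes part of the request URL and is likely to be recorded by access logs, tracing and any proxy between the services. Sending it in the body of a `POST` or in a header keeps it out of those records. The controller implementation in the next file answers `true`/`false` for any `subtaskId`/`token` pair, so the KDoc here should also say that the endpoint is meant for service-to-service calls only and must not be routed externally, if that is the intent.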
@@ -33,19 +33,22 @@ import com.tencent.bkrepo.analyst.pojo.ScanTriggerType import com.tencent.bkrepo.analyst.pojo.SubScanTask import com.tencent.bkrepo.analyst.pojo.license.SpdxLicenseInfo import com.tencent.bkrepo.analyst.pojo.request.ReportResultRequest -import com.tencent.bkrepo.common.api.pojo.Response -import com.tencent.bkrepo.common.service.util.ResponseBuilder import com.tencent.bkrepo.analyst.pojo.request.ScanRequest import com.tencent.bkrepo.analyst.service.ScanService import com.tencent.bkrepo.analyst.service.SpdxLicenseService +import com.tencent.bkrepo.analyst.service.TemporaryScanTokenService +import com.tencent.bkrepo.common.api.pojo.Response +import com.tencent.bkrepo.common.security.exception.AuthenticationException import com.tencent.bkrepo.common.security.util.SecurityUtils +import com.tencent.bkrepo.common.service.util.ResponseBuilder import org.springframework.beans.factory.annotation.Autowired import org.springframework.web.bind.annotation.RestController @RestController class ScanController @Autowired constructor( private val scanService: ScanService, - private val licenseService: SpdxLicenseService + private val licenseService: SpdxLicenseService, + private val tokenService: TemporaryScanTokenService ) : ScanClient { override fun scan(scanRequest: ScanRequest): Response { @@ -75,4 +78,14 @@ class ScanController @Autowired constructor( override fun licenseInfoByIds(licenseIds: List): Response> { return ResponseBuilder.success(licenseService.listLicenseByIds(licenseIds)) } + + override fun verifyToken(subtaskId: String, token: String): Response { + val ret = try { + tokenService.checkToken(subtaskId, token) + true + } catch (e: AuthenticationException) { + false + } + return ResponseBuilder.success(ret) + } } 
diff --git a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/impl/TemporaryScanTokenServiceImpl.kt b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/impl/TemporaryScanTokenServiceImpl.kt index ae87ab6118..99c2b766f3 100644 --- a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/impl/TemporaryScanTokenServiceImpl.kt +++ b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/impl/TemporaryScanTokenServiceImpl.kt @@ -157,11 +157,12 @@ class TemporaryScanTokenServiceImpl( throw SystemErrorException(SYSTEM_ERROR, "create token failed, subtask[$subtask], res[$tokens]") } + val ssid = subtask.token val tokenMap = tokens.data!!.associateBy { it.fullPath } val fileUrls = fullPaths.map { (key, value) -> val url = tokenMap[key]!!.let { "$baseUrl/api/generic/temporary/download" + - "/${it.projectId}/${it.repoName}${it.fullPath}?token=${it.token}" + "/${it.projectId}/${it.repoName}${it.fullPath}?token=${it.token}&ssid=$ssid&sub-task-id=$taskId" } value.copy(url = url) } From 3f2d5eb9803d6b9572a024c6b149125234400e13 Mon Sep 17 00:00:00 2001 From: felixncheng Date: Tue, 29 Aug 2023 14:28:01 +0800 Subject: [PATCH 6/9] =?UTF-8?q?feat:=20=E6=A0=87=E8=AF=86=E5=88=B6?= =?UTF-8?q?=E5=93=81=E5=88=86=E6=9E=90=E4=B8=B4=E6=97=B6=E6=96=87=E4=BB=B6?= =?UTF-8?q?=E4=B8=8B=E8=BD=BD=E9=93=BE=E6=8E=A5=20#1103?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../analyst/service/impl/TemporaryScanTokenServiceImpl.kt | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/impl/TemporaryScanTokenServiceImpl.kt b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/impl/TemporaryScanTokenServiceImpl.kt index 99c2b766f3..bfabc0346d 100644 
--- a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/impl/TemporaryScanTokenServiceImpl.kt +++ b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/impl/TemporaryScanTokenServiceImpl.kt @@ -64,7 +64,10 @@ import org.springframework.data.redis.connection.RedisStringCommands.SetOption.U import org.springframework.data.redis.core.RedisTemplate import org.springframework.data.redis.core.types.Expiration import org.springframework.stereotype.Service +import java.util.* import java.util.concurrent.TimeUnit +import kotlin.collections.HashMap +import kotlin.collections.LinkedHashMap @Service class TemporaryScanTokenServiceImpl( @@ -157,12 +160,12 @@ class TemporaryScanTokenServiceImpl( throw SystemErrorException(SYSTEM_ERROR, "create token failed, subtask[$subtask], res[$tokens]") } - val ssid = subtask.token + val ssid = Base64.getEncoder().encodeToString("$taskId:$token".toByteArray()) val tokenMap = tokens.data!!.associateBy { it.fullPath } val fileUrls = fullPaths.map { (key, value) -> val url = tokenMap[key]!!.let { "$baseUrl/api/generic/temporary/download" + - "/${it.projectId}/${it.repoName}${it.fullPath}?token=${it.token}&ssid=$ssid&sub-task-id=$taskId" + "/${it.projectId}/${it.repoName}${it.fullPath}?token=${it.token}&ssid=$ssid" } value.copy(url = url) } From 69ef92b7558fcfca838b25f3fed6f46faed89886 Mon Sep 17 00:00:00 2001 
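Review bot: `ssid` is built with `Base64.getEncoder()`, whose alphabet includes `+`, `/` and `=`, and is then concatenated into the query string unescaped; a `+` is read back as a space by most query parsers, so the receiver can fail to decode some values. `Base64.getUrlEncoder().withoutPadding()` avoids that, with the matching URL decoder on the receiving side. Base64 is also only an encoding: the subtask token is now recoverable from every place the download URL is logged, which a short comment above the line should make explicit so nobody treats `ssid` as opaque. The enclosing function starts outside the hunk.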
From: felixncheng Date: Tue, 29 Aug 2023 15:14:37 +0800 Subject: [PATCH 7/9] =?UTF-8?q?feat:=20=E6=A0=87=E8=AF=86=E5=88=B6?= =?UTF-8?q?=E5=93=81=E5=88=86=E6=9E=90=E4=B8=B4=E6=97=B6=E6=96=87=E4=BB=B6?= =?UTF-8?q?=E4=B8=8B=E8=BD=BD=E9=93=BE=E6=8E=A5=20#1103?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../controller/user/UserTemporaryScanController.kt | 11 +++++------ .../analyst/service/TemporaryScanTokenService.kt | 4 ++-- .../service/impl/TemporaryScanTokenServiceImpl.kt | 8 ++++---- src/backend/generic/biz-generic/build.gradle.kts | 1 + .../repository/biz-repository/build.gradle.kts | 1 + 5 files changed, 13 insertions(+), 12 deletions(-) diff --git a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/user/UserTemporaryScanController.kt b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/user/UserTemporaryScanController.kt index db0651b6ac..69ef34ddc2 100644 --- a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/user/UserTemporaryScanController.kt +++ b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/user/UserTemporaryScanController.kt 
@@ -27,12 +27,12 @@ package com.tencent.bkrepo.analyst.controller.user -import com.tencent.bkrepo.common.api.pojo.Response -import com.tencent.bkrepo.common.analysis.pojo.scanner.standard.ToolInput -import com.tencent.bkrepo.common.service.util.ResponseBuilder import com.tencent.bkrepo.analyst.pojo.request.ReportResultRequest import com.tencent.bkrepo.analyst.service.ScanService import com.tencent.bkrepo.analyst.service.TemporaryScanTokenService +import com.tencent.bkrepo.common.analysis.pojo.scanner.standard.ToolInput +import com.tencent.bkrepo.common.api.pojo.Response +import com.tencent.bkrepo.common.service.util.ResponseBuilder import io.swagger.annotations.Api import io.swagger.annotations.ApiOperation import org.springframework.web.bind.annotation.GetMapping @@ -59,7 +59,7 @@ class UserTemporaryScanController( @RequestParam token: String ): Response { temporaryScanTokenService.checkToken(subtaskId, token) - return ResponseBuilder.success(temporaryScanTokenService.getToolInput(subtaskId)) + return ResponseBuilder.success(temporaryScanTokenService.getToolInput(subtaskId, token)) } @ApiOperation("拉取扫描子任务") @@ -69,7 +69,7 @@ class UserTemporaryScanController( @RequestParam token: String ): Response { temporaryScanTokenService.checkToken(executionCluster, token) - val toolInput = temporaryScanTokenService.pullToolInput(executionCluster) + val toolInput = temporaryScanTokenService.pullToolInput(executionCluster, token) toolInput?.let { temporaryScanTokenService.setToken(it.taskId, token) } return ResponseBuilder.success(toolInput) } @@ -84,7 +84,6 @@ class UserTemporaryScanController( return ResponseBuilder.success() } - @ApiOperation("扫描任务状态更新") @PutMapping("/scan/subtask/{subtaskId}/status") fun updateSubScanTaskStatus( 
diff --git a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/TemporaryScanTokenService.kt b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/TemporaryScanTokenService.kt index 46dd36c614..42eca509b3 100644 --- a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/TemporaryScanTokenService.kt +++ b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/TemporaryScanTokenService.kt @@ -36,6 +36,6 @@ interface TemporaryScanTokenService { fun createExecutionClusterToken(executionClusterName: String): String fun checkToken(subtaskId: String, token: String?) fun deleteToken(subtaskId: String) - fun getToolInput(subtaskId: String): ToolInput - fun pullToolInput(executionCluster: String): ToolInput? + fun getToolInput(subtaskId: String, token: String): ToolInput + fun pullToolInput(executionCluster: String, token: String): ToolInput? } diff --git a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/impl/TemporaryScanTokenServiceImpl.kt b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/impl/TemporaryScanTokenServiceImpl.kt index bfabc0346d..5c4261afc1 100644 --- a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/impl/TemporaryScanTokenServiceImpl.kt +++ b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/impl/TemporaryScanTokenServiceImpl.kt 
@@ -127,14 +127,15 @@ class TemporaryScanTokenServiceImpl( redisTemplate.delete(tokenKey(subtaskId)) } - override fun getToolInput(subtaskId: String): ToolInput { - return getToolInput(scanService.get(subtaskId)) + override fun getToolInput(subtaskId: String, token: String): ToolInput { + return getToolInput(scanService.get(subtaskId).apply { this.token = token }) } - override fun pullToolInput(executionCluster: String): ToolInput? { + override fun pullToolInput(executionCluster: String, token: String): ToolInput? { val subtask = scanService.pull(executionCluster) return subtask?.let { logger.info("executionCluster[$executionCluster] pull subtask[${it.taskId}]") + subtask.token = token getToolInput(it) } } @@ -159,7 +160,6 @@ class TemporaryScanTokenServiceImpl( if (tokens.isNotOk()) { throw SystemErrorException(SYSTEM_ERROR, "create token failed, subtask[$subtask], res[$tokens]") } - val ssid = Base64.getEncoder().encodeToString("$taskId:$token".toByteArray()) val tokenMap = tokens.data!!.associateBy { it.fullPath } val fileUrls = fullPaths.map { (key, value) -> diff --git a/src/backend/generic/biz-generic/build.gradle.kts b/src/backend/generic/biz-generic/build.gradle.kts index 07378358bd..dbcd8f93d9 100644 --- a/src/backend/generic/biz-generic/build.gradle.kts +++ b/src/backend/generic/biz-generic/build.gradle.kts @@ -32,5 +32,6 @@ dependencies { api(project(":generic:api-generic")) api(project(":common:common-redis")) + api(project(":analyst:api-analyst")) api(project(":common:common-artifact:artifact-service")) } diff --git a/src/backend/repository/biz-repository/build.gradle.kts b/src/backend/repository/biz-repository/build.gradle.kts index 7b3adf4eac..17639f7b4b 100644 --- a/src/backend/repository/biz-repository/build.gradle.kts +++ b/src/backend/repository/biz-repository/build.gradle.kts 
@@ -33,6 +33,7 @@ dependencies { api(project(":repository:api-repository")) api(project(":common:common-job")) api(project(":common:common-mongo")) + api(project(":analyst:api-analyst")) api(project(":common:common-query:query-mongo")) api(project(":common:common-artifact:artifact-service")) testImplementation("de.flapdoodle.embed:de.flapdoodle.embed.mongo") From fd6a0889ab8423730c1a6c1529859dfdbf8d7a3c Mon Sep 17 00:00:00 2001 From: felixncheng Date: Wed, 30 Aug 2023 17:31:49 +0800 Subject: [PATCH 8/9] =?UTF-8?q?feat:=20=E6=94=AF=E6=8C=81=E6=9F=A5?= =?UTF-8?q?=E8=AF=A2=E6=89=AB=E6=8F=8F=E4=BB=BB=E5=8A=A1=20#1103?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../kotlin/com/tencent/bkrepo/analyst/api/ScanClient.kt | 6 ++++++ .../tencent/bkrepo/analyst/controller/ScanController.kt | 8 +++++++- .../bkrepo/analyst/service/impl/ScanTaskServiceImpl.kt | 3 +++ 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/src/backend/analyst/api-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/api/ScanClient.kt b/src/backend/analyst/api-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/api/ScanClient.kt index 6f671f73cb..3521f3c808 100644 --- a/src/backend/analyst/api-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/api/ScanClient.kt +++ b/src/backend/analyst/api-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/api/ScanClient.kt @@ -106,4 +106,10 @@ interface ScanClient { * */ @GetMapping("/token/verify") fun verifyToken(@RequestParam subtaskId: String, @RequestParam token: String): Response + + /** + * 查询task状态 + * */ + @GetMapping("/task/{taskId}") + fun getTask(@PathVariable taskId: String): Response } diff --git a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/ScanController.kt b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/ScanController.kt index a7b6a2643b..dba344c0e6 100644 
--- a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/ScanController.kt +++ b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/controller/ScanController.kt @@ -35,6 +35,7 @@ import com.tencent.bkrepo.analyst.pojo.license.SpdxLicenseInfo import com.tencent.bkrepo.analyst.pojo.request.ReportResultRequest import com.tencent.bkrepo.analyst.pojo.request.ScanRequest import com.tencent.bkrepo.analyst.service.ScanService +import com.tencent.bkrepo.analyst.service.ScanTaskService import com.tencent.bkrepo.analyst.service.SpdxLicenseService import com.tencent.bkrepo.analyst.service.TemporaryScanTokenService import com.tencent.bkrepo.common.api.pojo.Response @@ -48,7 +49,8 @@ import org.springframework.web.bind.annotation.RestController class ScanController @Autowired constructor( private val scanService: ScanService, private val licenseService: SpdxLicenseService, - private val tokenService: TemporaryScanTokenService + private val tokenService: TemporaryScanTokenService, + private val scanTaskService: ScanTaskService, ) : ScanClient { override fun scan(scanRequest: ScanRequest): Response { @@ -88,4 +90,8 @@ class ScanController @Autowired constructor( } return ResponseBuilder.success(ret) } + + override fun getTask(taskId: String): Response { + return ResponseBuilder.success(scanTaskService.task(taskId)) + } } diff --git a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/impl/ScanTaskServiceImpl.kt b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/impl/ScanTaskServiceImpl.kt index c9b98d2ae1..53a990ec73 100644 --- a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/impl/ScanTaskServiceImpl.kt +++ b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/impl/ScanTaskServiceImpl.kt 
@@ -107,8 +107,11 @@ class ScanTaskServiceImpl( override fun task(taskId: String): ScanTask { return scanTaskDao.findById(taskId)?.let { task -> + val repos = RuleUtil.getRepoNames(task.rule?.readJsonString()) if (task.projectId == null) { permissionCheckHandler.permissionManager.checkPrincipal(SecurityUtils.getUserId(), PrincipalType.ADMIN) + } else if (repos.isNotEmpty()) { + permissionCheckHandler.checkReposPermission(task.projectId, repos, PermissionAction.READ) } else { permissionCheckHandler.checkProjectPermission(task.projectId, PermissionAction.MANAGE) } From 840429b6df5064ddc3898963beb5c87fe8972b9c Mon Sep 17 00:00:00 2001 From: felixncheng Date: Mon, 11 Sep 2023 16:13:52 +0800 Subject: [PATCH 9/9] =?UTF-8?q?feat:=20=E5=A4=84=E7=90=86=E4=BB=A3?= =?UTF-8?q?=E7=A0=81=E6=89=AB=E6=8F=8F=E7=9A=84=E9=97=AE=E9=A2=98=20#1086?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../impl/TemporaryScanTokenServiceImpl.kt | 2 +- .../tencent/bkrepo/analyst/utils/K8SHelper.kt | 4 ++-- .../pojo/scanner/utils/DockerUtils.kt | 22 +++++++++++++------ 3 files changed, 18 insertions(+), 10 deletions(-) diff --git a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/impl/TemporaryScanTokenServiceImpl.kt b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/impl/TemporaryScanTokenServiceImpl.kt index 5c4261afc1..24d9d24b8e 100644 --- a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/impl/TemporaryScanTokenServiceImpl.kt +++ b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/service/impl/TemporaryScanTokenServiceImpl.kt 
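Review bot: The added `else if (repos.isNotEmpty())` branch in `task` lowers the requirement for reading a scan task from project `MANAGE` to `READ` on the repositories named in the task's rule, and nothing in the code says this is intended. Please add a comment stating the rule, e.g. `// tasks scoped to repos are readable with READ on all listed repos`, and confirm that `checkReposPermission` requires the permission on every listed repository rather than on any one of them; that is not visible here. The function body continues outside the hunk.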
@@ -64,7 +64,7 @@ import org.springframework.data.redis.connection.RedisStringCommands.SetOption.U import org.springframework.data.redis.core.RedisTemplate import org.springframework.data.redis.core.types.Expiration import org.springframework.stereotype.Service -import java.util.* +import java.util.Base64 import java.util.concurrent.TimeUnit import kotlin.collections.HashMap import kotlin.collections.LinkedHashMap diff --git a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/utils/K8SHelper.kt b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/utils/K8SHelper.kt index 2ab3321849..250daab9e4 100644 --- a/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/utils/K8SHelper.kt +++ b/src/backend/analyst/biz-analyst/src/main/kotlin/com/tencent/bkrepo/analyst/utils/K8SHelper.kt @@ -36,7 +36,7 @@ import io.kubernetes.client.openapi.ApiException import io.kubernetes.client.openapi.apis.CoreV1Api import io.kubernetes.client.openapi.models.V1Secret import org.slf4j.LoggerFactory -import java.util.* +import java.util.Base64 class K8SHelper(k8sProp: KubernetesExecutionClusterProperties) { @@ -48,7 +48,7 @@ class K8SHelper(k8sProp: KubernetesExecutionClusterProperties) { secretName: String, dockerServer: String, dockerUserName: String, - dockerPassword: String + dockerPassword: String, ): V1Secret { val dockerAuthBytes = "$dockerUserName:$dockerPassword".toByteArray() val dockerAuth = Base64.getEncoder().encodeToString(dockerAuthBytes) diff --git a/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/utils/DockerUtils.kt b/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/utils/DockerUtils.kt index b0aaff2fd2..b424947e50 100644 --- a/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/utils/DockerUtils.kt 
+++ b/src/backend/common/common-analysis/src/main/kotlin/com/tencent/bkrepo/common/analysis/pojo/scanner/utils/DockerUtils.kt @@ -28,6 +28,7 @@ package com.tencent.bkrepo.common.analysis.pojo.scanner.utils import com.github.dockerjava.api.DockerClient +import com.github.dockerjava.api.command.PullImageCmd import com.github.dockerjava.api.command.PullImageResultCallback import com.github.dockerjava.api.command.WaitContainerResultCallback import com.github.dockerjava.api.model.AuthConfig @@ -73,11 +74,7 @@ object DockerUtils { logger.info("pulling image: $tag") val elapsedTime = measureTimeMillis { val result = pullImageCmd(tag) - .withAuthConfig( - AuthConfig() - .withUsername(userName) - .withPassword(password) - ) + .withAuthConfigIfNeed(userName, password) .exec(PullImageResultCallback()) .awaitCompletion(DEFAULT_PULL_IMAGE_DURATION, TimeUnit.MILLISECONDS) if (!result) { @@ -92,7 +89,7 @@ object DockerUtils { userName: String?, password: String?, hostConfig: HostConfig? = null, - cmd: List? = null + cmd: List? = null, ): String { // 拉取镜像 pullImage(image, userName, password) @@ -122,7 +119,7 @@ object DockerUtils { binds: Binds, maxSize: Long, mem: Long, - withPrivileged: Boolean = false + withPrivileged: Boolean = false, ): HostConfig { return HostConfig().apply { withBinds(binds) @@ -149,4 +146,15 @@ object DockerUtils { } } } + + private fun PullImageCmd.withAuthConfigIfNeed(userName: String?, password: String?): PullImageCmd { + if (userName != null && password != null) { + withAuthConfig( + AuthConfig() + .withUsername(userName) + .withPassword(password), + ) + } + return this + } }
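Review bot: `withAuthConfigIfNeed`, added in the last DockerUtils.kt hunk, silently falls back to an unauthenticated pull when only one of `userName`/`password` is set, and still sends credentials when both are empty strings. The call site in the `pullImage` hunk inherits both behaviours. A half-configured credential then surfaces only as a pull failure or as an anonymous pull, with nothing in the log pointing at the configuration. I would compare with `isNullOrBlank()` and log the mismatch before returning, keeping the values out of the message, e.g. `if (userName.isNullOrBlank() != password.isNullOrBlank()) logger.warn("incomplete registry credentials, pulling without auth")`. As a style point, `withAuthConfigIfNeeded` reads better than `IfNeed`.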