From 52c9b60088d5ec0e75bc4c7ed3f39a1504a9c884 Mon Sep 17 00:00:00 2001 From: Jung Choi Date: Thu, 12 Mar 2026 12:04:37 -0400 Subject: [PATCH] feat(container-pull): add unified image support for falcon-imageanalyzer --- .../falcon-container-sensor-pull/README.md | 33 +++++++++++-------- .../falcon-container-sensor-pull.sh | 31 ++++++++++++++--- 2 files changed, 47 insertions(+), 17 deletions(-) diff --git a/bash/containers/falcon-container-sensor-pull/README.md b/bash/containers/falcon-container-sensor-pull/README.md index 690b9d3..2ddd1ef 100644 --- a/bash/containers/falcon-container-sensor-pull/README.md +++ b/bash/containers/falcon-container-sensor-pull/README.md @@ -43,9 +43,10 @@ CrowdStrike now provides unified images that work across all regions: - **`falcon-sensor`** (unified) - Single sensor image for version 7.31+ - **`falcon-container`** (unified) - Single container image for version 7.33+ - **`falcon-kac`** (unified) - Single KAC image for version 7.33+ +- **`falcon-imageanalyzer`** (unified) - Single IAR image for version 1.0.24+ > [!IMPORTANT] -> **Backward Compatibility**: Existing users automatically receive unified images. For regional images, use `-t falcon-sensor-regional`, `-t falcon-container-regional`, or `-t falcon-kac-regional`. +> **Backward Compatibility**: Existing users automatically receive unified images. For regional images, use `-t falcon-sensor-regional`, `-t falcon-container-regional`, `-t falcon-kac-regional`, or `-t falcon-imageanalyzer-regional`. ## Security recommendations @@ -67,7 +68,7 @@ To check your version of cURL, run the following command: `curl --version` > [!IMPORTANT] > The following API scopes are the minimum required to retrieve the images. If you need to perform other operations post-retrieval, please refer to the CrowdStrike documentation to identify any additional scopes that may be required. -- **falcon-sensor | falcon-sensor-regional | falcon-container | falcon-container-regional | falcon-kac | falcon-kac-regional | falcon-imageanalyzer | falcon-jobcontroller | falcon-registryassessmentexecutor** +- **falcon-sensor | falcon-sensor-regional | falcon-container | falcon-container-regional | falcon-kac | falcon-kac-regional | falcon-imageanalyzer | falcon-imageanalyzer-regional | falcon-jobcontroller | falcon-registryassessmentexecutor** - `Sensor Download (read)` - `Falcon Images Download (read)` - **falcon-snapshot** @@ -107,11 +108,14 @@ Optional Flags: Available sensor types: ----------------------- falcon-container + falcon-container-regional falcon-sensor falcon-sensor-regional falcon-kac + falcon-kac-regional falcon-snapshot falcon-imageanalyzer + falcon-imageanalyzer-regional fcs falcon-jobcontroller falcon-registryassessmentexecutor @@ -146,7 +150,7 @@ Help Options: | `-c`, `--copy ` | `$COPY` | `None` (Optional) | Registry you want to copy the sensor image to. Example: `myregistry.com/mynamespace`.
*\*By default, the image name and tag are appended. Use `--copy-omit-image-name` and/or `--copy-custom-tag` to change that behavior.* | | `-v`, `--version ` | `$SENSOR_VERSION` | `None` (Optional) | Specify sensor version to retrieve from the registry | | `-p`, `--platform ` | `$SENSOR_PLATFORM` | `None` (Optional) | Specify sensor platform to retrieve from the registry | -| `-t`, `--type ` | `$SENSOR_TYPE` | `falcon-container` (Optional) | Specify which sensor to download [`falcon-container`, `falcon-sensor`, `falcon-sensor-regional`, `falcon-kac`, `falcon-snapshot`, `falcon-imageanalyzer`, `fcs`, `falcon-jobcontroller`, `falcon-registryassessmentexecutor`] ([see more details below](#sensor-types)) | +| `-t`, `--type ` | `$SENSOR_TYPE` | `falcon-container` (Optional) | Specify which sensor to download [`falcon-container`, `falcon-container-regional`, `falcon-sensor`, `falcon-sensor-regional`, `falcon-kac`, `falcon-kac-regional`, `falcon-snapshot`, `falcon-imageanalyzer`, `falcon-imageanalyzer-regional`, `fcs`, `falcon-jobcontroller`, `falcon-registryassessmentexecutor`] ([see more details below](#sensor-types)) | | `--runtime` | `$CONTAINER_TOOL` | `docker` (Optional) | Use a different container runtime [docker, podman, skopeo]. **Default is Docker**. | | `--dump-credentials` | `$CREDS` | `False` (Optional) | Print registry credentials to stdout to copy/paste into container tools | | `--get-image-path` | N/A | `None` | Get the full image path including the registry, repository, and latest tag for the specified `SENSOR_TYPE`. | @@ -171,17 +175,20 @@ Help Options: The following sensor types are available to download: -| Sensor Image Name | Description | -| :---------------------------------- | :---------------------------------------------------- | +| Sensor Image Name | Description | +| :---------------------------------- |:--------------------------------------------------------------------------------| | `falcon-sensor` | The Falcon sensor for Linux as a DaemonSet deployment (unified - version 7.31+) | -| `falcon-sensor-regional` | The Falcon sensor for Linux as a DaemonSet deployment w/ regions (traditional) | -| `falcon-container` **(default)** | The Falcon Container sensor for Linux | -| `falcon-kac` | The Falcon Kubernetes Admission Controller | -| `falcon-snapshot` | The Falcon Snapshot scanner | -| `falcon-imageanalyzer` | The Falcon Image Assessment at Runtime | -| `fcs` | The Falcon Cloud Security CLI tool | -| `falcon-jobcontroller` | The Self Hosted Registry Assessment Jobs Controller | -| `falcon-registryassessmentexecutor` | The Self Hosted Registry Assessment Executor | +| `falcon-sensor-regional` | The Falcon sensor for Linux as a DaemonSet deployment w/ regions (traditional) | +| `falcon-container` **(default)** | The Falcon Container sensor for Linux (unified - version 7.33+) | +| `falcon-container-regional` | The Falcon Container sensor for Linux w/ regions (traditional) | +| `falcon-kac` | The Falcon Kubernetes Admission Controller (unified - version 7.33+) | +| `falcon-kac-regional` | The Falcon Kubernetes Admission Controller w/ regions (traditional) | +| `falcon-snapshot` | The Falcon Snapshot scanner | +| `falcon-imageanalyzer` | The Falcon Image Assessment at Runtime (unified - version 1.0.24+) | +| `falcon-imageanalyzer-regional` | The Falcon Image Assessment at Runtime w/ regions (traditional) | +| `fcs` | The Falcon Cloud Security CLI tool | +| `falcon-jobcontroller` | The Self Hosted Registry Assessment Jobs Controller | +| `falcon-registryassessmentexecutor` | The Self Hosted Registry Assessment Executor | ### Examples diff --git a/bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh b/bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh index 9e601bb..75f45fd 100755 --- a/bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh +++ b/bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh @@ -36,6 +36,7 @@ Optional Flags: falcon-kac-regional falcon-snapshot falcon-imageanalyzer + falcon-imageanalyzer-regional fcs falcon-jobcontroller falcon-registryassessmentexecutor @@ -302,7 +303,7 @@ format_tags() { local all_tags=$1 case "${SENSOR_TYPE}" in - "falcon-snapshot" | "falcon-imageanalyzer" | "fcs" | "falcon-jobcontroller" | "falcon-registryassessmentexecutor") + "falcon-snapshot" | "falcon-imageanalyzer" | "falcon-imageanalyzer-regional" | "fcs" | "falcon-jobcontroller" | "falcon-registryassessmentexecutor") echo "$all_tags" | sed -n 's/.*"tags" : \[\(.*\)\].*/\1/p' | tr -d '"' | tr ',' '\n' | @@ -439,7 +440,7 @@ detect_container_tool() { display_api_scopes() { local sensor_type=$1 case "${sensor_type}" in - falcon-sensor | falcon-sensor-regional | falcon-container | falcon-container-regional | falcon-kac | falcon-kac-regional | falcon-imageanalyzer | falcon-jobcontroller | falcon-registryassessmentexecutor) + falcon-sensor | falcon-sensor-regional | falcon-container | falcon-container-regional | falcon-kac | falcon-kac-regional | falcon-imageanalyzer | falcon-imageanalyzer-regional | falcon-jobcontroller | falcon-registryassessmentexecutor) echo "Sensor Download [read], Falcon Images Download [read]" ;; falcon-snapshot) @@ -544,7 +545,7 @@ fi # Check if SENSOR_TYPE is set to a valid value case "${SENSOR_TYPE}" in - falcon-container | falcon-container-regional | falcon-sensor | falcon-sensor-regional | falcon-kac | falcon-kac-regional | falcon-snapshot | falcon-imageanalyzer | fcs | falcon-jobcontroller | falcon-registryassessmentexecutor) ;; + falcon-container | falcon-container-regional | falcon-sensor | falcon-sensor-regional | falcon-kac | falcon-kac-regional | falcon-snapshot | falcon-imageanalyzer | falcon-imageanalyzer-regional | fcs | falcon-jobcontroller | falcon-registryassessmentexecutor) ;; *) die """ Unrecognized sensor type: ${SENSOR_TYPE} Valid values are: @@ -556,6 +557,7 @@ case "${SENSOR_TYPE}" in falcon-kac-regional falcon-snapshot falcon-imageanalyzer + falcon-imageanalyzer-regional fcs falcon-jobcontroller falcon-registryassessmentexecutor""" ;; @@ -576,6 +578,11 @@ if [ "${SENSOR_TYPE}" = "falcon-kac-regional" ]; then echo "WARNING: Use 'falcon-kac' for the new unified KAC image as the regional KAC images will eventually be EOL." fi +# Add deprecation warning for falcon-imageanalyzer-regional +if [ "${SENSOR_TYPE}" = "falcon-imageanalyzer-regional" ]; then + echo "WARNING: Use 'falcon-imageanalyzer' for the new unified IAR image as the regional IAR images will eventually be EOL." +fi + #Check all mandatory variables set VARIABLES="FALCON_CLIENT_ID FALCON_CLIENT_SECRET" { @@ -652,6 +659,18 @@ registry_opts=$( else echo "falcon-kac/$FALCON_CLOUD" fi + # Handle unified falcon-imageanalyzer format (no region) + elif [ "${SENSOR_TYPE}" = "falcon-imageanalyzer" ]; then + echo "falcon-imageanalyzer" + # Handle falcon-imageanalyzer-regional with traditional regional paths + elif [ "${SENSOR_TYPE}" = "falcon-imageanalyzer-regional" ]; then + if [ "${FALCON_CLOUD}" = "us-gov-1" ]; then + echo "falcon-imageanalyzer/gov1" + elif [ "${FALCON_CLOUD}" = "us-gov-2" ]; then + echo "falcon-imageanalyzer/gov2" + else + echo "falcon-imageanalyzer/$FALCON_CLOUD" + fi # Account for govcloud api mismatch for other sensor types elif [ "${FALCON_CLOUD}" = "us-gov-1" ]; then echo "$SENSOR_TYPE/gov1" @@ -727,7 +746,11 @@ elif [ "${SENSOR_TYPE}" = "falcon-snapshot" ]; then repository_name="$BUILD_STAGE/cs-snapshotscanner" registry_type="snapshots" elif [ "${SENSOR_TYPE}" = "falcon-imageanalyzer" ]; then - # overrides for Image Analyzer + # Unified format: use falcon-imageanalyzer image name + IMAGE_NAME="falcon-imageanalyzer" + repository_name="$BUILD_STAGE/falcon-imageanalyzer" +elif [ "${SENSOR_TYPE}" = "falcon-imageanalyzer-regional" ]; then + # Regional format: use falcon-imageanalyzer image name (same as unified) IMAGE_NAME="falcon-imageanalyzer" repository_name="$BUILD_STAGE/falcon-imageanalyzer" elif [ "${SENSOR_TYPE}" = "fcs" ]; then