Jose-Matsuda
commented
2 years ago 
and ofc on a successful pull
Explore https://www.jfrog.com/confluence/display/JFROG/Artifactory+REST+API#ArtifactoryRESTAPI-ArtifactSyncDownload https://www.jfrog.com/confluence/display/JFROG/Artifactory+REST+API#ArtifactoryRESTAPI-RetrieveArtifact
These two options really do not play well with images (since its not a single file like say
curl -u jose-test-user:$apikey "https://jfrog.aaw.cloud.statcan.ca/artifactory/api/download//pypi-remote-cache/00/08/c037fa5d3794729fdc7967e5a174642c8e94e1988ae2bc950515e2902ca2/Sphinx-4.2.0-py3-none-any.whl?content=none"
Cannot try and say retrieve something that doesnt exist in the cache already to pre-fetch it
curl -u jose-test-user:$apikey "https://jfrog.aaw.cloud.statcan.ca/artifactory/api/download/jose-play/library/busybox/unstable-musl/manifest.json?content=none" as that will also end in failure
Adding and changing to use docker
curl -u jose-test-user:$apikey "https://jfrog.aaw.cloud.statcan.ca/artifactory/api/docker/jose-play/library/busybox/latest?content=none"
Again expects a file (so it will 'work' if i add list.manifest.json)
but trying to fetch something that doesnt already exist.
curl -u jose-test-user:$apikey "https://jfrog.aaw.cloud.statcan.ca/artifactory/api/docker/jose-play/library/busybox/unstable-musl/manifest.json?content=none"
Gives "message" : "Not Found"
If there's a vulnerability it will just get blocked.
If i can use that config.json then its so much nicer
This could be a problem however
also gives the error in the artifactory service log
EPIC https://github.com/StatCan/daaas/issues/461
Deliverable
Have the image running as a cronjob on dev.
This now relies on us getting Artifactory to proxy ACR successfully, of which I don't have the know-how or expertise on how to solve it (probably don't have permissions either)
A lot of groundwork has been done in the public repository of mine. This was also created under the assumption that we would move our images in the acr to a local repository in Artifactory so JFROG XRAY could just run nightly scans. Discuss this at Tech elab tomorrow,
Scope of this is just getting the list of images and checking their vulnerability
Extra Info: 1) We are keeping ACR for the time being. Seems like an option is to proxy the ACR and just use the remote repository option. 2) I have a general script that retrieves a list of
notebookimages used in the cluster as well as images throughout the pods so can use that when deciding what images I need to scan.Tasks
trivyand run the scans there.Thoughts
If we go with
trivywe will need to download the image from the ACR and then run the trivy on it, and then parse through the output. If we use JFROG XRAY, assuming we use a remote repository, then the situation may be to try and pull images from a remote-repository to trigger a scan. So either way, as a result of not having them stored locally some pull will need to happen for scans to happenArguments for using Artifactory as a proxy.
1) Probably the biggest one, as Blair mentioned, it would be easier for us to handle and create exceptions in the 'scanning' rules as that is supported by XRAY.
Decision
Move forward with Artifactory proxying ACR
IF we choose to leverage Artifactory
https://github.com/StatCan/daaas/issues/933
Adapt script in response to the above decision to actually do the scanning.
Work will be hosted in my personal repo (from above under 2022) Steps
Error response from daemon: unkown: Forbiddenit sees it as a vulnerability. 2) Could make it such that I make a request toxray/api/v1/violationsand get a list of violations.DECISION: I am thinking 1 hereNo, just get a list of violations, this also plays with the "ignored" violations better and does not rely on output from a docker pull.