aquasecurity / trivy-operator

Kubernetes-native security toolkit
https://aquasecurity.github.io/trivy-operator/latest
Apache License 2.0

[Feature Request] Image Digest Vulnerability Scan Caching #2192

Open Hacks4Snacks opened 1 month ago

Hacks4Snacks commented 1 month ago

Objective: Optimize the vulnerability scanning activity taking place within the Kubernetes cluster.

Problem Statement: In Kubernetes cluster deployments with high-volume actions (create, modify, delete) of resources that use the same image references (e.g., creating several ReplicaSet resources with the same image references), there is overhead incurred due to the churn of re-scanning images that have already been scanned in a different context (e.g., namespace or resource).

Proposed Solution: Implement a vulnerability scan caching solution that will store scan results based on the image digest of container images. Prior to the operator executing a scan job, a caching check can occur to determine if the image digest has been scanned in the last N hours/days (configurable). If the image is in cache, the previous scan data is used for the resource vulnerability report, otherwise a scan is executed (similar to what was proposed in: https://github.com/aquasecurity/trivy-operator/blob/main/docs/docs/design/caching_scan_results_by_repo_digest.md).

Expected Outcome: The proposed feature should optimize the vulnerability scanning process by leveraging a cache that is referenced prior to instantiating a pod resource to support scanning activities of a previously scanned image.
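The digest-keyed, TTL-bounded lookup the request describes, written out as an added Go example (not trivy-operator's own code): `VulnReport`, `DigestCache` and the `scan` callback are hypothetical stand-ins for the operator's types, and the cache key is the `sha256:` digest so that the same image seen under another tag, namespace or workload is a hit, while tag-only references are refused because a mutable tag cannot safely identify cached content.

```go
package main

import (
	"errors"
	"strings"
	"time"
)

// VulnReport stands in for the operator's vulnerability report (hypothetical type).
type VulnReport struct {
	Findings  []string
	ScannedAt time.Time // what the TTL window is measured against
}
// DigestCache keys reports by image digest, so the same image seen in another
// namespace or ReplicaSet is a hit regardless of tag or workload name.
type DigestCache struct {
	TTL     time.Duration    // the configurable "scanned in the last N hours/days" window
	Now     func() time.Time // injectable clock (time.Now in production)
	entries map[string]VulnReport
}
func NewDigestCache(ttl time.Duration) *DigestCache {
	return &DigestCache{TTL: ttl, Now: time.Now, entries: map[string]VulnReport{}}
}
// DigestFromRef extracts "sha256:<hex>" from a reference like repo:tag@sha256:<hex>.
// Tag-only references are rejected: a mutable tag cannot safely key a cache.
func DigestFromRef(ref string) (string, error) {
	i := strings.Index(ref, "@sha256:")
	if i < 0 {
		return "", errors.New("image reference is not pinned by digest")
	}
	if d := ref[i+1:]; len(d) == len("sha256:")+64 {
		return d, nil
	}
	return "", errors.New("malformed sha256 digest")
}
// ReportFor returns the cached report when the digest was scanned within TTL;
// otherwise it runs scan and caches the result. The bool says whether a scan ran.
func (c *DigestCache) ReportFor(ref string, scan func(string) VulnReport) (VulnReport, bool, error) {
	digest, err := DigestFromRef(ref)
	if err != nil {
		return VulnReport{}, false, err
	}
	if r, ok := c.entries[digest]; ok && c.Now().Sub(r.ScannedAt) < c.TTL {
		return r, false, nil
	}
	r := scan(digest)
	r.ScannedAt = c.Now()
	c.entries[digest] = r
	return r, true, nil
}
```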

Hacks4Snacks commented 1 month ago

I actually think this feature functionality has been introduced via clustersbomcache, but please confirm.