Force remote image registry scanning

aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

https://aquasecurity.github.io/trivy

Apache License 2.0

23.56k stars 2.32k forks source link

Force remote image registry scanning #3929

Closed eddiezane closed 1 year ago

eddiezane commented 1 year ago

If I have an older image pulled locally and tagged, I would like to be able to force trivy to ignore it and pull/scan the latest in a registry.

It looks like trivy has the functionality to fetch an image from a registry without a container runtime so this is potentially achievable with a flag like:

trivy image cgr.dev/chainguard/nginx:latest --registry

With grype this is achieved by prefixing registry: to the image i.e. grype registry:cgr.dev/chainguard/nginx.

eddiezane commented 1 year ago

Also ref: https://github.com/anchore/grype/issues/1204. Swaping the default behavior is probably a bigger change and destined for another issue.