canonical / bundle-kubeflow

Charmed Kubeflow
Apache License 2.0

Refactor scheduled CVE scanning of our released images #782

Open ca-scribner opened 11 months ago

ca-scribner commented 11 months ago

Why it needs to get done

We have several image scanning CI runs with some overlap:

  1. some rocks repos do daily scanning (ex: seldonio-rocks). In this workflow we rebuild and scan the rocks.
  2. bundle-kubeflow does daily scanning of images for some charmed kubeflow releases

We should define where periodic scanning should occur and apply that consistently across our repos so that we can provide a clear CVE scanning message.

What needs to get done

One proposed solution is to remove the daily scanning from the rocks repos and keep the bundle-kubeflow daily scanning. This would keep visibility on CVE progress in our released images in one central place.

When is the task considered done

When a clear image scanning procedure is defined and implemented

syncronize-issues-to-jira[bot] commented 11 months ago

Thank you for reporting your feedback to us!

The internal ticket has been created: https://warthogs.atlassian.net/browse/KF-5120.

This message was autogenerated

ca-scribner commented 11 months ago

If we keep the per-repo scheduled job, we should revisit the workflow design. The save-space job in the existing workflow doesn't do anything. Because it runs as a separate job, it is in its own VM, so what happens is:

orfeas-k commented 11 months ago

Also, regarding scanning in rocks repos like seldonio-rocks, I think we should not build and scan since building may result in a different image than the one we've published. We should instead scan published images, like what we do in bundle-kubeflow.
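As an added example (not code from bundle-kubeflow or from anyone in this thread), a scheduled GitHub Actions workflow that follows the approach proposed above: it pulls the already published images instead of rebuilding them, and keeps any disk cleanup inside the same job so it actually affects the runner doing the scan. The image references, the cron schedule and the trivy-action version pin are placeholders and assumptions, not values from this repo.

```yaml
name: Scan published images (scheduled)

on:
  schedule:
    - cron: "0 6 * * *"   # placeholder: once a day
  workflow_dispatch:

jobs:
  scan:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # Placeholder image references; a real workflow would list the
        # images released for a given Charmed Kubeflow version here.
        image:
          - "docker.io/example-org/example-image:1.8"
          - "docker.io/example-org/another-image:1.8"
    steps:
      # Cleanup must live in this job: a separate "save-space" job runs
      # on its own runner VM and frees nothing for the job that pulls
      # and scans the images.
      - name: Free disk space on this runner
        run: |
          sudo rm -rf /usr/share/dotnet /opt/ghc /usr/local/lib/android
          df -h /

      # No build step: the image is pulled exactly as published, so the
      # scan describes the artifact users actually run rather than a
      # fresh rebuild that may differ from it.
      - name: Pull published image
        run: docker pull "${{ matrix.image }}"

      - name: Scan with Trivy
        uses: aquasecurity/trivy-action@0.24.0   # assumed version pin
        with:
          image-ref: ${{ matrix.image }}
          format: table
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: "1"   # fail the job when fixable HIGH/CRITICAL CVEs are present
```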