Open cppforlife opened 3 years ago
To try to clarify the ask here: is the idea to integrate with the registry, and the registry would do the scan? Or is the idea that imgpkg should integrate directly with tools like trivy and Clair, as Harbor does?
The following registries do vulnerability checks already:
Registry would do the scan
Some other service (like the registry) would do the scan. imgpkg hopefully would be able to retrieve results for the scan since it knows which images are in the bundle.
This seems like a good idea; it's unfortunate that there isn't a universal API that we could try to target regardless of the registry used. Though we could always figure out the registry and have a mapping to their endpoints (if available).
What format should this output take? Would this be a part of some automation around e.g. failing a CI if an image has vulnerabilities? Or is there any automation component to this request?
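An added example (not imgpkg's code) of the flow sketched above: each bundle image's registry host is mapped to a scanner backend, the scan summary is fetched, and a CI gate fails on a severity threshold. The Harbor endpoint and response shape are assumed from Harbor's v2 API docs; the host name, the ImagesLock and the responses are constructed sample data.

```python
import json

# Harbor v2 artifact endpoint with scan summary (assumed from Harbor's API docs, not from imgpkg):
#   GET /api/v2.0/projects/{project}/repositories/{repo}/artifacts/{digest}?with_scan_overview=true
REPORT_MIME = "application/vnd.security.vulnerability.report; version=1.1"
RANK = {"None": 0, "Negligible": 1, "Unknown": 2, "Low": 3, "Medium": 4, "High": 5, "Critical": 6}

def parse_ref(image):
    """Split 'host/project/repo@sha256:...' into (host, project, repo, digest)."""
    name, _, digest = image.partition("@")
    host, _, path = name.partition("/")
    project, _, repo = path.partition("/")
    return host, project, repo, digest

def harbor_overview_url(image):
    host, project, repo, digest = parse_ref(image)
    repo = repo.replace("/", "%252F")  # Harbor expects nested repo names double-encoded
    return (f"https://{host}/api/v2.0/projects/{project}/repositories/{repo}"
            f"/artifacts/{digest}?with_scan_overview=true")

def harbor_severity(artifact):
    """Highest severity from Harbor's scan_overview, or None if the artifact was never scanned."""
    overview = artifact.get("scan_overview", {}).get(REPORT_MIME)
    return overview.get("severity", "Unknown") if overview else None

# Registry host -> (URL builder, response parser); the host is a constructed placeholder.
BACKENDS = {"harbor.example.internal": (harbor_overview_url, harbor_severity)}

def check_bundle(images_lock, fetch, fail_at="High"):
    """Look up each bundle image's scan result; unscanned or unmapped images fail closed."""
    rows = []
    for entry in images_lock["images"]:
        image = entry["image"]
        backend = BACKENDS.get(parse_ref(image)[0])
        severity = backend[1](fetch(backend[0](image))) if backend else None
        ok = severity is not None and RANK[severity] < RANK[fail_at]
        rows.append({"image": image, "severity": severity or "unscanned", "ok": ok})
    return {"passed": all(r["ok"] for r in rows), "images": rows}

# Constructed sample: an imgpkg ImagesLock (YAML on disk, given here as the equivalent dict).
SAMPLE_LOCK = {"apiVersion": "imgpkg.carvel.dev/v1alpha1", "kind": "ImagesLock", "images": [
    {"image": "harbor.example.internal/app/api@sha256:" + "a" * 64},
    {"image": "harbor.example.internal/app/web@sha256:" + "b" * 64},
    {"image": "docker.io/library/nginx@sha256:" + "c" * 64}]}

# Constructed Harbor responses keyed by URL, standing in for real HTTP calls.
SAMPLE_RESPONSES = {
    harbor_overview_url(SAMPLE_LOCK["images"][0]["image"]): {"scan_overview": {REPORT_MIME: {"severity": "Medium"}}},
    harbor_overview_url(SAMPLE_LOCK["images"][1]["image"]): {"scan_overview": {REPORT_MIME: {"severity": "Critical"}}}}

def sample_fetch(url):
    return SAMPLE_RESPONSES.get(url, {})

if __name__ == "__main__":
    print(json.dumps(check_bundle(SAMPLE_LOCK, sample_fetch), indent=2))
```

The third image has no backend mapping and is reported as unscanned, which the gate treats as a failure rather than silently passing it.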
@DennisDenuto and I were reviewing this further, and we will go ahead and add a story to our backlog to further discuss how to make this happen.
+1 this would be a great feature!
Describe the problem/challenge you have
I would like to see a vulnerability report for images that are part of a bundle.
Describe the solution you'd like
Even though vulnerability scanning is an "addon" to a registry (not part of the official registry APIs), I think we should try to integrate with projects like Harbor that introduce custom APIs to expose such information. I could imagine something like this:
inspiration: https://github.com/vmware-tanzu/carvel-kbld/issues/79