add command to surface vulnerability scan report for a bundle

carvel-dev / imgpkg

Store application configuration files in Docker/OCI registries

https://carvel.dev/imgpkg

Apache License 2.0

263 stars 63 forks source link

add command to surface vulnerability scan report for a bundle #35

Open cppforlife opened 3 years ago

cppforlife commented 3 years ago

Describe the problem/challenge you have

would like to see a vulnerability report for images that are part of a bundle.

Describe the solution you'd like

even though vulnerability scanning is an "addon" to a registry (not part of official registry APIs), i think we should try to integrate with projects like Harbor that introduce custom APIs to expose such information. i could imagine something like this:

$ imgpkg vulnreport -b registry.corp.com/apps/my-bundle

Id     State  Details              Full reference
foo    OK     0 vulnerabilities    foo@sha256:...
blah   FAIL   100 vulnerabilities  foo@sha256:...

inspiration: https://github.com/vmware-tanzu/carvel-kbld/issues/79

joaopapereira commented 3 years ago

To try to clarify the ask here, the idea would be to try to integrate with the Registry and the Registry would do the scan. Or the idea is that imgpkg should integrate directly with tools like trivy and claire, as Harbour does?

The following registries do vulnerability check already:

Harbor does not export an API
quay
Google Cloud Registry
Azure Container Registry, does the vulnerability check but doesn't look like it gives and API to get that information
Amazon Container Registry
Docker has a CLI plugin that uses Snyk to do the scan but doesn't look like it as an API

cppforlife commented 3 years ago

Registry would do the scan

some other service (like registry) would do the scan. imgpkg hopefully would be able to retrieve results for the scan since it knows which images are in the bundle.

StevenLocke commented 3 years ago

This seems like a good idea, it's unfortunate that there isn't a universal API that we could try to target regardless of registry used. Though, we could always figure out the registry and have a mapping to their endpoints (if available).

What format should this output take? Would this be a part of some automation around e.g. failing a CI if an image has vulnerabilities? Or is there any automation component to this request?

danielhelfand commented 3 years ago

@DennisDenuto and I were reviewing this further, and we will go ahead and add a story to our backlog to further discuss how to make this happen.

PushkarJ commented 2 years ago

+1 this would be a great feature!