Closed ghost closed 4 years ago
After doing some reading and a complete assessment of how we run vulnerability scans and look up vulnerability reports, I have the following proposal.
By default, on-demand vulnerability scans are requested by providing the tag or digest of an image, so we are going to make the vulnerability command focus on digests as much as possible. We will, however, still provide a way to retrieve reports by image ID.
Here are some modifications we will make to the CLI.
To run an on-demand scan, a user will need the following information:
<registry> container registry where the container image has been published
<repository> repository name that contains the container image
<tag|digest> either a tag or an image digest to scan (digest format: sha256:1ee...1d3b)
Note that scans cannot be triggered with an image ID; an image ID identifies a local image config, not an artifact in a registry.
To review vulnerability reports from container image scans that ran previously, either through the periodic scan Lacework runs every hour or through a requested on-demand scan, a user will need to provide the SHA256 hash of a container image in the format sha256:1ee...1d3b.
Example:
$ lacework vul report sha256:8d8f5b08727272389bc2788561bd60a8f012d3c68675dccce7dd7ee2d47a9f4d
By default, this command treats the provided SHA256 as the image digest. When a user is trying to look up a report by its image ID, they can use the flag --image_id, which makes the command treat the provided SHA256 hash as an image ID.
The flag --digest will be deprecated and, in effect, becomes the default behaviour of the command lacework vulnerability report.
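The argument handling described above (a scan target must be registry/repository plus a tag or digest, never a bare image ID; a report lookup takes a sha256 hash that is a digest by default and an image ID only under --image_id) is shown here as an added Go example. It is not code from the Lacework CLI; the function names, the ScanRequest/ReportRef types and the strict "sha256:" plus 64 lowercase hex check are assumptions made for illustration, and the sample references are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// sha256Ref matches the full-length "sha256:<64 hex>" form a user must supply.
// The "sha256:1ee...1d3b" in the proposal is an abbreviation, not a valid value,
// and the strict pattern rejects it (assumed validation rule, not Lacework's).
var sha256Ref = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// RefKind says how a supplied SHA256 is interpreted by the report command.
type RefKind int

const (
	ImageDigest RefKind = iota // default interpretation
	ImageID                    // only when --image_id is given
)

func (k RefKind) String() string {
	if k == ImageID {
		return "image_id"
	}
	return "digest"
}

// ReportRef is the parsed argument of `lacework vulnerability report` (hypothetical type).
type ReportRef struct {
	Hash string
	Kind RefKind
}

// ParseReportRef validates the hash and applies the proposal's rule:
// digest by default, image ID when the --image_id flag was set.
func ParseReportRef(arg string, imageIDFlag bool) (ReportRef, error) {
	arg = strings.ToLower(strings.TrimSpace(arg))
	if !sha256Ref.MatchString(arg) {
		return ReportRef{}, fmt.Errorf("expected sha256:<64 hex chars>, got %q", arg)
	}
	kind := ImageDigest
	if imageIDFlag {
		kind = ImageID
	}
	return ReportRef{Hash: arg, Kind: kind}, nil
}

// ScanRequest carries what an on-demand scan needs: registry, repository and
// exactly one of tag or digest (hypothetical type).
type ScanRequest struct {
	Registry   string
	Repository string
	Tag        string
	Digest     string
}

// ParseScanTarget turns "registry/repo:tag" or "registry/repo@sha256:..." into a
// ScanRequest. A bare sha256 hash is rejected because a scan cannot be started
// from an image ID; the registry is everything before the first "/", so a
// "host:port" registry is kept intact.
func ParseScanTarget(ref string) (ScanRequest, error) {
	ref = strings.TrimSpace(ref)
	if sha256Ref.MatchString(ref) {
		return ScanRequest{}, errors.New("a bare SHA256 (image ID) cannot be scanned; give <registry>/<repository> with :tag or @digest")
	}
	registry, rest, ok := strings.Cut(ref, "/")
	if !ok || registry == "" || rest == "" {
		return ScanRequest{}, fmt.Errorf("expected <registry>/<repository>[:tag|@digest], got %q", ref)
	}
	req := ScanRequest{Registry: registry}
	if repo, digest, found := strings.Cut(rest, "@"); found {
		if repo == "" || !sha256Ref.MatchString(digest) {
			return ScanRequest{}, fmt.Errorf("bad repository or digest in %q", ref)
		}
		req.Repository, req.Digest = repo, digest
		return req, nil
	}
	// No "@": the part after the first ":" in the remainder is the tag
	// (repository paths never contain ":", so the split is unambiguous).
	repo, tag, found := strings.Cut(rest, ":")
	if !found || repo == "" || tag == "" {
		return ScanRequest{}, fmt.Errorf("a tag or @digest is required in %q", ref)
	}
	req.Repository, req.Tag = repo, tag
	return req, nil
}

func main() {
	// Constructed sample values for a stand-alone run.
	hash := "sha256:8d8f5b08727272389bc2788561bd60a8f012d3c68675dccce7dd7ee2d47a9f4d"
	for _, flag := range []bool{false, true} {
		r, err := ParseReportRef(hash, flag)
		fmt.Printf("report --image_id=%v -> kind=%s err=%v\n", flag, r.Kind, err)
	}
	for _, target := range []string{"index.docker.io/library/nginx:1.21", "registry.example.com:5000/team/app@" + hash, hash} {
		s, err := ParseScanTarget(target)
		fmt.Printf("scan %q -> %+v err=%v\n", target, s, err)
	}
}
```

The point of keeping the two parsers separate is that a report lookup and a scan request accept different inputs: the report command can take a bare hash because the flag decides its meaning, while the scan command must refuse a bare hash outright rather than guess, which is exactly the distinction the proposal draws.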
Revisit the vulnerability command functionality and documentation so that the terms Image ID and Image Digest are used consistently.
Jira: ALLY-83