opendevstack / ods-pipeline

Alternative ODS CI/CD pipeline based on Tekton / OpenShift Pipelines
Apache License 2.0

Allow more fine-grained control over when Aqua scan fails #582

Closed michaelsauter closed 2 years ago

michaelsauter commented 2 years ago

At the moment, the scan fails whenever there is a vulnerability. It should be possible to fine-tune this. For example, one may want to ignore vulnerabilities in the base image, or vulnerabilities below a certain threshold (e.g. fail only on high / critical vulnerabilities).

From the docs:

@renedupont do you know if there are more options?
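The per-scan gating this issue asks for (a severity threshold plus a base-image exclusion), written as an added Go example that is not ods-pipeline or Aqua code: the finding structure, the five-level severity ranking and the sample report are all constructed here and do not reflect Aqua's real report format.

```go
package main

import (
	"fmt"
	"strings"
)

// Severity ranking assumed for this example, lowest to highest (Aqua's real scale may differ).
var severityRank = map[string]int{"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

// Finding is a constructed, simplified view of one vulnerability in a scan report.
type Finding struct {
	ID, Severity string
	InBaseImage  bool // package inherited from the base image layers
}

// GatePolicy holds the two knobs discussed in the issue.
type GatePolicy struct {
	FailOnSeverity  string // lowest severity that fails the scan, e.g. "high"
	IgnoreBaseImage bool   // skip findings inherited from the base image
}

// Evaluate returns the findings that violate the policy; none means the scan passes.
// A severity the ranking does not know is treated as a violation so that a malformed
// or renamed severity fails closed instead of slipping through.
func Evaluate(p GatePolicy, findings []Finding) ([]Finding, error) {
	threshold, ok := severityRank[strings.ToLower(p.FailOnSeverity)]
	if !ok {
		return nil, fmt.Errorf("unknown severity threshold %q", p.FailOnSeverity)
	}
	var violations []Finding
	for _, f := range findings {
		if p.IgnoreBaseImage && f.InBaseImage {
			continue
		}
		rank, known := severityRank[strings.ToLower(f.Severity)]
		if !known || rank >= threshold { // unknown severity fails closed
			violations = append(violations, f)
		}
	}
	return violations, nil
}

func main() {
	// Constructed sample: the base-image critical is ignored, the app-layer high fails the gate.
	report := []Finding{{"CVE-EXAMPLE-1", "critical", true}, {"CVE-EXAMPLE-2", "high", false}, {"CVE-EXAMPLE-3", "medium", false}}
	v, err := Evaluate(GatePolicy{FailOnSeverity: "high", IgnoreBaseImage: true}, report)
	fmt.Println(len(v) > 0, v, err)
}
```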

renedupont commented 2 years ago

IIRC there was an option for something like thresholds that can be set in Image Assurance Policies. The doc mentions:

Vulnerability Score -> Fails the image if its vulnerability score is greater than or equal to the selected value.
Vulnerability Severity -> Fails the image if its vulnerability severity is greater than or equal to the selected value.

Is that what you are looking for?

michaelsauter commented 2 years ago

@renedupont If I get it right, that would mean we will not be able to control this from the scan, but it will have to be set in the Aqua server itself? In that case we could close the issue because there is nothing we can do, and the feature is already "available". Right?

renedupont commented 2 years ago

I would say so, yes. To my understanding, an admin would create such an image assurance policy (or change an existing one) in the server to set the vulnerability score and/or severity. The policies have a scope setting that determines which images they apply to once scanned.