optiopay / klar

Integration of Clair and Docker Registry
MIT License

Allow for comments in whitelist file #162

Open orlando-jamie opened 4 years ago

orlando-jamie commented 4 years ago

Hello. To appease auditor types, it would be useful to allow for comments in the whitelist.yaml file. This will allow us to version control our whitelist file, but also give some human reason for performing the whitelist. As we know, people and knowledge are lost over time, so it would be nice to be able to put this information right into the whitelist file.

Suggested behavior

general:
  - RHSA-2018:1345: This finding represents a collection of kernel vulnerabilities. In the container world, containers share the same kernel as the host operating system, and thus, kernel vulnerabilities can not accurately be detected at the container layer. Accurate scans for this vulnerability need to occur on the docker host itself. 
images:
  centos:
    - RHSA-2017:2479: This finding represents vulnerabilities to the basic auth function of httpd. Since we do not use basic auth in applications using the centos container, this finding is not relevant. 
    - RHSA-2018:0805: blah
  alpine:
    - CVE-2017-9671: you get the point
  fluent/fluent-bit:
    - CVE-2017-14062: more
    - CVE-2018-6485: comments

orlando-jamie commented 4 years ago

Sorry, I am a moron. I did not realize you could just comment with a #. I can achieve what I want with the following.

general:
  # This finding represents a collection of kernel vulnerabilities. In the container world, containers share the same kernel as the host operating system, and thus, kernel vulnerabilities can not accurately be detected at the container layer. Accurate scans for this vulnerability need to occur on the docker host itself. 
  - RHSA-2018:1345
images:
  centos:
    # This finding represents vulnerabilities to the basic auth function of httpd. Since we do not use basic auth in applications using the centos container, this finding is not relevant. 
    - RHSA-2017:2479 
    # blah
    - RHSA-2018:0805
  alpine:
    # you get the point
    - CVE-2017-9671
  fluent/fluent-bit:
    # more
    - CVE-2017-14062
    # comments
    - CVE-2018-6485
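To show why the `#` form above works, here is an added example (not klar's own code, which loads the whitelist through a YAML library) that parses the small YAML subset a klar whitelist uses: a `general` list, an `images` map of image name to list, `- ID` items, and `#` comments on their own line or trailing an item. The sample file, the `Whitelist` type, `ParseWhitelist` and `IsWhitelisted` are all constructed for this illustration; the parser assumes values are never quoted (so a `#` inside a quoted string is out of scope) and matches image names exactly, which is an assumption about the lookup rather than a statement about how klar itself matches them.

```go
package main

import (
	"fmt"
	"strings"
)

// Whitelist mirrors the two sections of a klar whitelist file:
// a "general" list applied to every image, and per-image lists under "images".
type Whitelist struct {
	General []string
	Images  map[string][]string
}

// stripComment drops a YAML-style comment: a '#' at the start of the line or
// one preceded by whitespace. Assumption: values are never quoted, so a '#'
// inside a quoted string is not a case this subset needs to handle.
func stripComment(line string) string {
	for i, c := range line {
		if c == '#' && (i == 0 || line[i-1] == ' ' || line[i-1] == '\t') {
			return line[:i]
		}
	}
	return line
}

// indent returns the number of leading spaces on a line.
func indent(s string) int {
	return len(s) - len(strings.TrimLeft(s, " "))
}

// ParseWhitelist parses the subset of YAML a klar whitelist uses: top-level
// keys "general" and "images", image names as keys under "images", and
// "- ID" list items. Comment-only lines and trailing comments are discarded.
func ParseWhitelist(src string) (*Whitelist, error) {
	wl := &Whitelist{Images: map[string][]string{}}
	section, image := "", ""
	for n, raw := range strings.Split(src, "\n") {
		line := strings.TrimRight(stripComment(raw), " \t\r")
		if strings.TrimSpace(line) == "" {
			continue // blank or comment-only line
		}
		ind := indent(line)
		text := strings.TrimSpace(line)
		switch {
		case ind == 0 && strings.HasSuffix(text, ":"):
			section = strings.TrimSuffix(text, ":") // "general" or "images"
			image = ""
		case strings.HasPrefix(text, "- "):
			id := strings.TrimSpace(strings.TrimPrefix(text, "- "))
			switch {
			case section == "general":
				wl.General = append(wl.General, id)
			case section == "images" && image != "":
				wl.Images[image] = append(wl.Images[image], id)
			default:
				return nil, fmt.Errorf("line %d: list item outside a known section", n+1)
			}
		case section == "images" && ind > 0 && strings.HasSuffix(text, ":"):
			image = strings.TrimSuffix(text, ":") // image name, e.g. "centos"
			if _, ok := wl.Images[image]; !ok {
				wl.Images[image] = nil
			}
		default:
			return nil, fmt.Errorf("line %d: unexpected content %q", n+1, text)
		}
	}
	return wl, nil
}

// IsWhitelisted reports whether vuln is suppressed for image, either by the
// general list or by that image's own list (exact image-name match, an assumption).
func (wl *Whitelist) IsWhitelisted(image, vuln string) bool {
	for _, id := range wl.General {
		if id == vuln {
			return true
		}
	}
	for _, id := range wl.Images[image] {
		if id == vuln {
			return true
		}
	}
	return false
}

// sampleWhitelist is a constructed file in the commented form from the thread.
const sampleWhitelist = `general:
  # Kernel vulnerabilities are scanned on the docker host, not in containers.
  - RHSA-2018:1345
images:
  centos:
    # httpd basic auth is not used by our centos-based applications.
    - RHSA-2017:2479   # a trailing comment is discarded too
  alpine:
    - CVE-2017-9671
`

func main() {
	wl, err := ParseWhitelist(sampleWhitelist)
	if err != nil {
		panic(err)
	}
	fmt.Println(wl.IsWhitelisted("centos", "RHSA-2017:2479")) // true
	fmt.Println(wl.IsWhitelisted("alpine", "RHSA-2017:2479")) // false
	fmt.Println(wl.IsWhitelisted("alpine", "RHSA-2018:1345")) // true, via general
}
```

Running the block prints `true`, `false`, `true`: the comment lines never reach the whitelist, the centos-specific entry does not leak into alpine, and the general entry applies to every image. A stray list item outside `general` or an image key is rejected rather than silently dropped, which is the behaviour you want from anything that decides which findings get suppressed.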