zarf-dev / zarf

DevSecOps for Air Gap & Limited-Connection Systems. https://zarf.dev/
Apache License 2.0

When trying to discover images, it "discovers" false positives #3253

Open a1994sc opened 5 days ago

a1994sc commented 5 days ago

Environment

Device and OS: RHEL 9
App version: v0.43.1
Kubernetes distro being used: RKE2

Steps to reproduce

  1. clone kyverno-policies
  2. at the root of the cloned repo, create `zarf.yaml`:

     ```yaml
     ---
     kind: ZarfPackageConfig
     metadata:
       name: repo-one-kyverno-policies
     components:
       - name: policies
         charts:
           - name: kyverno-policies
             localPath: ./chart
             version: dev
             namespace: bigbang
             releaseName: kyverno-policies
         required: true
     ```

  3. `zarf dev find-images --skip-cosign`

Expected result

```yaml
components:
  - name: policies
    images:
      - registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.5
```

Actual Result

```yaml
components:
  - name: policies
    images:
      - registry1.dso.mil*
      - registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.5
```

Additional Context

When using zarf to discover images with the Ironbank chart kyverno-policies, the restrict-image-registries policy (simple version included in tests) has an entry of:

This is a false positive and causes cosign lookups to fail, as that is not a valid image.
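To make the failure mode concrete, here is an added example in Go (zarf's own language) that is neither zarf's code nor part of this issue. It runs a naive scan for `image:` keys over a constructed manifest stream (a stand-in for the rendered kyverno-policies chart: a `restrict-image-registries` ClusterPolicy whose allow-list pattern holds `registry1.dso.mil*`, next to a Deployment that pulls the kubectl image) and then filters the candidates with a stdlib-only transcription of the image reference grammar that distribution/reference implements, which is the check a finder would want before handing anything to cosign. The manifest contents, the function names `DiscoverImages`, `IsValidReference` and `FilterValidImages`, and the simplified regex are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed stand-in for the Helm-rendered kyverno-policies chart output:
// a Kyverno ClusterPolicy whose registry allow-list pattern is the wildcard
// "registry1.dso.mil*", followed by a Deployment that references a real image.
// Sample input for this example only, not the chart's actual templates.
const renderedManifests = `---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
spec:
  rules:
    - name: validate-registries
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Unknown image registry."
        pattern:
          spec:
            containers:
              - image: "registry1.dso.mil*"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubectl-job
spec:
  template:
    spec:
      containers:
        - name: kubectl
          image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.5
`

// imageLine picks up every "image:" key in the stream: the naive scan that
// turns a policy's pattern value into an image "discovery".
var imageLine = regexp.MustCompile(`(?m)^[ \t]*(?:-[ \t]+)?image:[ \t]*"?([^"\s]+)"?[ \t]*$`)

// Stdlib-only transcription of the reference grammar used by
// distribution/reference: [domain/]path[:tag][@digest]. A "*" has no place in
// it, so wildcard patterns fail to parse. Assumed simplification for the example.
const (
	domainComponent = `(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])`
	domain          = domainComponent + `(?:\.` + domainComponent + `)*(?::[0-9]+)?`
	pathComponent   = `[a-z0-9]+(?:(?:[._]|__|-+)[a-z0-9]+)*`
	tag             = `[\w][\w.-]{0,127}`
	digest          = `[A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*:[0-9a-fA-F]{32,}`
)

var referenceRe = regexp.MustCompile(
	`^(?:` + domain + `/)?` + pathComponent + `(?:/` + pathComponent + `)*` +
		`(?::` + tag + `)?(?:@` + digest + `)?$`)

// DiscoverImages returns every image: value in order of first appearance with
// duplicates collapsed. It deliberately does not judge validity.
func DiscoverImages(manifests string) []string {
	seen := map[string]bool{}
	var out []string
	for _, m := range imageLine.FindAllStringSubmatch(manifests, -1) {
		if !seen[m[1]] {
			seen[m[1]] = true
			out = append(out, m[1])
		}
	}
	return out
}

// IsValidReference reports whether s is a syntactically valid image reference
// (the grammar also caps the whole reference at 255 characters).
func IsValidReference(s string) bool {
	return len(s) <= 255 && referenceRe.MatchString(s)
}

// FilterValidImages splits candidates into references worth handing to cosign
// and strings that merely looked like images, such as policy wildcards.
func FilterValidImages(candidates []string) (valid, rejected []string) {
	for _, c := range candidates {
		if IsValidReference(c) {
			valid = append(valid, c)
		} else {
			rejected = append(rejected, c)
		}
	}
	return valid, rejected
}

func main() {
	valid, rejected := FilterValidImages(DiscoverImages(renderedManifests))
	fmt.Println("images to verify:")
	for _, v := range valid {
		fmt.Println("  -", v)
	}
	fmt.Println("dropped as not a valid image reference:")
	for _, r := range rejected {
		fmt.Println("  -", r)
	}
}
```

Running it prints the kubectl reference under "images to verify" and `registry1.dso.mil*` under the dropped list. The validity check is cheap and offline, so it belongs before any cosign lookup rather than after a failed one; a wildcard allow-list value is a sign the string came from policy data, not from a workload spec.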