Vulnerability scanning improvements #1658
Comments
Do you have something specifically in mind (e.g. use case, workflow) ?
Makes sense. Note though that these are two different features:
Yeah, totally. Maybe on the
👍 And maybe add a permanent link somewhere in the likes of "You have vulnerable images! See for more info"
This commit adds two new endpoints: `/vulnerabilities` and `/vulnerabilities/:id`. Both these endpoints require admin privileges, and they will simply toggle the `scanned` column of tags so the scanning task can pick them up. This commit does not deal with the UI part, it simply provides the backend code. The frontend code can be delivered later on. See SUSE#1658 Signed-off-by: Miquel Sabaté Solà <[email protected]>
Do you have a timeline for these features? Without knowing the exact details how clair rescans known layers due to new CVEs, another approach may be to let portus be notified by clair via webhooks. With this periodical scans may not be necessary.
Some of the things discussed here live in separate issues which are going to be handled either in 2.4 or 2.5 (e.g. #1669). Some others have not been planned, but maybe when we release 2.4 in June we can re-visit what we planned for 2.5.
That was also pointed out on another issue, and it makes total sense. Thanks for the feedback 👍
I was planning to outline how to improve the vulnerability scanner.
with the idea to derive better and automated conclusions out of the results. Especially we need to define a proper vulnerability model with its own tables; then anyone can create contributions like reports, notifications, audit, quality gates, APIs and so forth.
I would like to close this issue. I created #1761 so we can track the progress and gather further requirements regarding the possible improvements.
This issue is a summary of what I think should be improved with the vulnerability scanning functionality in the upcoming releases:
Vulnerabilities should have their own tables.
This opens the option to add more functionality like whitelisting, todo, notification and ignore.
Rescheduling of scanning.
Scanning should not only happen after pushing. Images should be scanned on a regular basis.
Better vulnerability overview and reporting.
See which images are vulnerable.
Add vulnerability results to audit trail.
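The following Ruby is an added illustration, not Portus code, of the two behaviours the thread describes: the admin-only `/vulnerabilities` and `/vulnerabilities/:id` endpoints from the commit message, which flip the `scanned` column of tags so the background scanning task picks them up again, and the periodic rescanning requested in the issue body. `Tag`, `User`, `RescanService` and the sample data are hypothetical stand-ins for the Rails models and controller.

```ruby
# Added illustration (not Portus code). Models the admin-only rescan endpoints
# and the periodic "mark stale tags for a new scan" step. All names are
# hypothetical stand-ins for the real Rails models and controller.

Tag  = Struct.new(:id, :name, :scanned, :scanned_at)
User = Struct.new(:name, :admin)

class NotAuthorized < StandardError; end

# Stand-in for the /vulnerabilities controller plus the reschedule job.
class RescanService
  def initialize(tags)
    @tags = tags
  end

  # POST /vulnerabilities : schedule every tag for a new scan (admin only).
  # Returns the number of tags affected.
  def rescan_all!(user)
    authorize!(user)
    @tags.each { |t| t.scanned = false }
    @tags.size
  end

  # POST /vulnerabilities/:id : schedule one tag (admin only).
  # Returns the tag, or nil when the id is unknown.
  def rescan!(user, id)
    authorize!(user)
    tag = @tags.find { |t| t.id == id }
    return nil unless tag
    tag.scanned = false
    tag
  end

  # Periodic rescheduling: tags whose last scan is older than max_age seconds
  # are flagged again, so new CVEs in already-scanned layers get picked up.
  # Returns the number of tags flagged.
  def reschedule_stale!(now:, max_age:)
    stale = @tags.select { |t| t.scanned && t.scanned_at && (now - t.scanned_at) > max_age }
    stale.each { |t| t.scanned = false }
    stale.size
  end

  # What the scanning task would pick up on its next run.
  def pending
    @tags.reject(&:scanned)
  end

  # Simulates the scanning task finishing a tag.
  def complete_scan!(tag, at:)
    tag.scanned = true
    tag.scanned_at = at
    tag
  end

  private

  # The authorization gate the endpoints require: only admins may trigger rescans.
  def authorize!(user)
    raise NotAuthorized, "#{user.name} is not an admin" unless user.admin
  end
end

# Constructed sample data: two scanned tags (one old, one recent) and one never scanned.
def sample_tags(now)
  [
    Tag.new(1, "app:1.0", true,  now - 10 * 86_400),
    Tag.new(2, "app:1.1", true,  now - 1 * 86_400),
    Tag.new(3, "app:2.0", false, nil),
  ]
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now
  svc = RescanService.new(sample_tags(now))
  puts "pending before: #{svc.pending.map(&:name).inspect}"
  svc.reschedule_stale!(now: now, max_age: 7 * 86_400)
  puts "pending after weekly reschedule: #{svc.pending.map(&:name).inspect}"
  begin
    svc.rescan_all!(User.new("bob", false))
  rescue NotAuthorized => e
    puts "rejected: #{e.message}"
  end
end
```

The `scanned` flag doubles as the work queue: nothing is enqueued explicitly, the scanning task simply selects tags where the flag is false, which is why both endpoints only need to clear it. A real deployment would also record who triggered the rescan, which is the audit-trail item in the list above.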