
Contain CVE vulnerabilities of deleted images #888

Open
CocoWang-wql opened this issue Oct 2, 2023 · 7 comments
Labels
enhancement New feature or request

Comments

@CocoWang-wql

We have customer feedback asking that the logs contain not only the deleted image list but also the vulnerabilities of the deleted images.

@CocoWang-wql CocoWang-wql added the enhancement New feature or request label Oct 2, 2023
@asifkd012020

asifkd012020 commented Oct 3, 2023

Hello Team,
It would be great to see this feature enabled.

  • Currently eraser uses Trivy to scan vulnerabilities on running / stale images on AKS clusters. However, we want to leverage this feature to surface vulnerability details in the logs and use Log Analytics / Container Insights to develop custom query alerts to detect image vulnerabilities on AKS clusters.

  • This feature will be useful for those of us who are using private AKS clusters in an air-gapped environment.

Thank you

@sozercan
Member

sozercan commented Oct 3, 2023

@asifkd012020 do you mind elaborating more on why you are looking for vuln details for deleted images?

or are you asking for #356 (vuln details on running images)?

@asifkd012020

Hello @sozercan,
yes, we are looking for vuln details on running images for security and compliance requirements.
We use JFrog Artifactory to build images and it's hard to get vuln details (as in ACR).

Thank you.

@sozercan
Member

sozercan commented Oct 3, 2023

@asifkd012020 thanks! that is out of scope for eraser at this time, but we will consider it for the future. we would recommend using https://aquasecurity.github.io/trivy-operator for this feature

@asifkd012020

@sozercan - We have an air-gapped environment, and using the Trivy operator is a difficult option, as mentioned in aquasecurity/trivy-operator#1342
I would love this feature enabled through Eraser, so customers won't have to build their own image and maintain it.

@chen-keinan

@sozercan @asifkd012020 could you please elaborate on what the integration with Eraser will look like?

@sozercan
Member

sozercan commented Oct 9, 2023

@chen-keinan if this is re: #356, please comment in that issue

if your question is about this issue (CVE details for deleted images), it is passing in the CVE ID and adding it to this line

log.Info("removed image", "given", imgDigestOrTag, "imageID", imageID, "name", idToImageMap[imageID])
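
Building on that log line, the following is an added Go example (not eraser's own code) of how a removed-image log record could carry the scanner findings the issue asks for: it de-duplicates and sorts vulnerability IDs, counts findings by severity, returns the alternating key/value pairs a logr-style log.Info("removed image", ...) call takes, and renders the same record as one JSON line that a log-analytics query can filter on. The Vulnerability type, the field and key names, and the sample findings (with placeholder CVE IDs and a constructed digest) are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Vulnerability is a constructed, minimal view of one scanner finding.
// It is an assumption for this example; eraser's real scanner result
// types are not reproduced here.
type Vulnerability struct {
	ID       string // identifier reported by the scanner, e.g. a CVE ID
	Severity string // CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN
	Package  string // affected package name
}

// RemovedImageEntry is the structured record emitted for one deleted image.
// The first three fields mirror the existing "removed image" log line; the
// remaining fields carry the vulnerability details.
type RemovedImageEntry struct {
	Given            string   `json:"given"`            // digest or tag the user supplied
	ImageID          string   `json:"imageID"`          // runtime image ID
	Name             string   `json:"name"`             // resolved image name
	VulnerabilityIDs []string `json:"vulnerabilityIDs"` // sorted, de-duplicated IDs
	CriticalCount    int      `json:"criticalCount"`    // CRITICAL findings (one per affected package)
	HighCount        int      `json:"highCount"`        // HIGH findings (one per affected package)
}

// uniqueSortedIDs collapses repeated IDs (the same CVE usually appears once
// per affected package), drops empty IDs, and sorts the result so log
// entries are stable and easy to query.
func uniqueSortedIDs(vulns []Vulnerability) []string {
	seen := make(map[string]struct{}, len(vulns))
	ids := make([]string, 0, len(vulns))
	for _, v := range vulns {
		if v.ID == "" {
			continue
		}
		if _, dup := seen[v.ID]; dup {
			continue
		}
		seen[v.ID] = struct{}{}
		ids = append(ids, v.ID)
	}
	sort.Strings(ids)
	return ids
}

// NewRemovedImageEntry builds the record for one removed image from its
// identifiers and the scanner findings attached to it.
func NewRemovedImageEntry(given, imageID, name string, vulns []Vulnerability) RemovedImageEntry {
	e := RemovedImageEntry{
		Given:            given,
		ImageID:          imageID,
		Name:             name,
		VulnerabilityIDs: uniqueSortedIDs(vulns),
	}
	for _, v := range vulns {
		switch v.Severity {
		case "CRITICAL":
			e.CriticalCount++
		case "HIGH":
			e.HighCount++
		}
	}
	return e
}

// LogKeyValues returns alternating key/value pairs in the shape a logr-style
// log.Info("removed image", kv...) call takes, so the existing log line can
// be extended in place rather than replaced.
func LogKeyValues(e RemovedImageEntry) []any {
	return []any{
		"given", e.Given,
		"imageID", e.ImageID,
		"name", e.Name,
		"vulnerabilityIDs", e.VulnerabilityIDs,
		"criticalCount", e.CriticalCount,
		"highCount", e.HighCount,
	}
}

// JSONLine renders the entry as one JSON object, the form a log-analytics
// pipeline can parse and filter on (for example by a specific CVE ID).
func (e RemovedImageEntry) JSONLine() (string, error) {
	b, err := json.Marshal(e)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	// Constructed sample findings with placeholder IDs (not real CVEs): one
	// ID reported twice (two packages), one HIGH, and one empty ID to skip.
	findings := []Vulnerability{
		{ID: "CVE-0000-0001", Severity: "CRITICAL", Package: "libexample"},
		{ID: "CVE-0000-0001", Severity: "CRITICAL", Package: "libexample-dev"},
		{ID: "CVE-0000-0002", Severity: "HIGH", Package: "exampletool"},
		{ID: "", Severity: "LOW", Package: "noid"},
	}
	entry := NewRemovedImageEntry("registry.example/app:1.0", "sha256:constructed", "registry.example/app", findings)
	line, err := entry.JSONLine()
	if err != nil {
		panic(err)
	}
	fmt.Println(line)
	fmt.Println(len(LogKeyValues(entry)), "key/value elements for log.Info")
}
```

Keeping the message "removed image" and the original given/imageID/name keys unchanged means existing queries keep matching; the new keys only add fields, and a query such as "entries whose vulnerabilityIDs contain a given ID" becomes possible without parsing free text.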
