
Image Security Scanning RFC

Open silenteh opened this issue 4 years ago • 3 comments

This PR contains an RFC to discuss the implementation of Trow image (and OCI artifacts in general) security scanning.
Please use this pull request for requesting changes or in general to give feedback regarding this specific RFC.

silenteh avatar Aug 12 '20 07:08 silenteh

Also, is it common to have more than one scanning service? There's a fair bit of complexity associated with supporting multiple services. Could we just skip and say you can register one for the time being?

amouat avatar Aug 12 '20 15:08 amouat

We should definitely allow only 1 scanning service to begin with. The difference in terms of complexity to support more however is not that big.
I agree we should do it in stages.
However while writing down the steps I realized that if we allow only scanning of images with push, without storing the result, then how can a Trow user check the scan report? We should then implement the webhook I suppose, or an API.
Again the API needs to be queried, so we would need to store the reports somewhere... So here is my suggestion:

  1. Add the possibility to configure a scanner
  2. Scan images only when images are pushed without storage
  3. Add webhook
  4. Add storage
  5. Add Trow API to retrieve scan reports
  6. Allow scheduling of security scans

What do you think?

silenteh avatar Aug 13 '20 08:08 silenteh

> We should definitely allow only 1 scanning service to begin with. The difference in terms of complexity to support more however is not that big. I agree we should do it in stages. However while writing down the steps I realized that if we allow only scanning of images with push, without storing the result, then how can a Trow user check the scan report? We should then implement the webhook I suppose, or an API. Again the API needs to be queried, so we would need to store the reports somewhere... So here is my suggestion:
>
>   1. Add the possibility to configure a scanner
>   2. Scan images only when images are pushed without storage
>   3. Add webhook
>   4. Add storage
>   5. Add Trow API to retrieve scan reports
>   6. Allow scheduling of security scans
>
> What do you think?

What about only scanning when the report is requested? So a user would send something like:

GET /vuln-scans/1234def

Where 1234def is the digest of the image they are interested in. When Trow gets the request, it will kick off scanning the image and return a "not ready yet" response to the client. The client can then poll at a regular interval. When the scan completes, Trow can store it in temporary storage and return it to the client on its next request.

It might be a bit simpler for the first pass. If the scans are deleted, it doesn't matter as they will get re-created on request.

amouat avatar Aug 13 '20 13:08 amouat
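The scan-on-request flow proposed above, as an added example that is not Trow's own code: a small state machine behind GET /vuln-scans/<digest> that starts a scan on the first request, answers "not ready" while it runs, serves the stored report once it is done, and re-triggers the scan if the temporary storage was purged. It assumes the full OCI digest form (sha256: followed by 64 lowercase hex characters) so that nothing else reaches the scanner, and a hypothetical complete() callback from the scanner backend; the digest and report values are constructed.

```rust
use std::collections::HashMap;

/// Lifecycle of one scan as seen through GET /vuln-scans/<digest>.
#[derive(Clone, Debug, PartialEq)]
pub enum ScanState {
    InProgress,
    Done(String), // report body; format is a placeholder, not Trow's
}

/// What the handler answers, modelled on HTTP status codes.
#[derive(Debug, PartialEq)]
pub enum Response {
    BadRequest, // 400: not a well-formed image digest, nothing is started
    Accepted,   // 202: scan kicked off or still running, poll again later
    Ok(String), // 200: report is available
}

/// Temporary store keyed by digest; losing it only costs a re-scan.
pub struct ScanCache {
    scans: HashMap<String, ScanState>,
}

impl ScanCache {
    pub fn new() -> Self { ScanCache { scans: HashMap::new() } }

    /// Accept only the exact OCI digest shape (assumed here) before a
    /// request-supplied string is handed to any scanner.
    pub fn valid_digest(d: &str) -> bool {
        match d.strip_prefix("sha256:") {
            Some(hex) => hex.len() == 64 && hex.chars().all(|c| matches!(c, '0'..='9' | 'a'..='f')),
            None => false,
        }
    }

    /// Handle a GET: validate, start a scan if none exists, else report its state.
    pub fn get(&mut self, digest: &str) -> Response {
        if !Self::valid_digest(digest) { return Response::BadRequest; }
        match self.scans.get(digest) {
            None => { self.scans.insert(digest.to_string(), ScanState::InProgress); Response::Accepted }
            Some(ScanState::InProgress) => Response::Accepted,
            Some(ScanState::Done(report)) => Response::Ok(report.clone()),
        }
    }

    /// Hypothetical callback from the scanner backend when it finishes.
    pub fn complete(&mut self, digest: &str, report: String) {
        self.scans.insert(digest.to_string(), ScanState::Done(report));
    }

    /// Temporary storage may be purged; the next GET simply re-triggers the scan.
    pub fn evict(&mut self, digest: &str) { self.scans.remove(digest); }
}
```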