add command to surface vulnerability scan report for a bundle
Describe the problem/challenge you have
I would like to see a vulnerability report for images that are part of a bundle.
Describe the solution you'd like
Even though vulnerability scanning is an "addon" to a registry (not part of the official registry APIs), I think we should try to integrate with projects like Harbor that introduce custom APIs to expose such information. I could imagine something like this:
```text
$ imgpkg vulnreport -b registry.corp.com/apps/my-bundle
Id    State  Details              Full reference
foo   OK     0 vulnerabilities    foo@sha256:...
blah  FAIL   100 vulnerabilities  foo@sha256:...
```
inspiration: https://github.com/vmware-tanzu/carvel-kbld/issues/79
To try to clarify the ask here: the idea would be to try to integrate with the registry, and the registry would do the scan? Or is the idea that imgpkg should integrate directly with tools like Trivy and Clair, as Harbor does?
The following registries do vulnerability checks already:
- Harbor does not export an API
- quay
- Google Cloud Registry
- Azure Container Registry does the vulnerability check but doesn't look like it gives an API to get that information
- Amazon Container Registry
- Docker has a CLI plugin that uses Snyk to do the scan but doesn't look like it has an API
> Registry would do the scan

Some other service (like a registry) would do the scan. imgpkg hopefully would be able to retrieve results for the scan since it knows which images are in the bundle.
This seems like a good idea; it's unfortunate that there isn't a universal API that we could try to target regardless of the registry used. Though we could always figure out the registry and have a mapping to their endpoints (if available).
What format should this output take? Would this be a part of some automation around e.g. failing a CI if an image has vulnerabilities? Or is there any automation component to this request?
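As an added example (not imgpkg code, and not a proposal from anyone in this thread) of how the registry-to-endpoint mapping, the proposed table and a CI gate could fit together in Go, imgpkg's own language: the host part of each image reference selects an adapter, the table is rendered in the layout sketched above, and the bundle fails when any image exceeds a threshold or its registry has no scanner. The `Scanner` type, the `backends` map and the sample counts are assumptions; the single adapter is a stub over constructed data rather than a call to any real registry API.

```go
package main

import (
	"fmt"
	"strings"
)

// Image is one image in a bundle: the short id imgpkg would print and its digest reference.
type Image struct{ Id, Ref string }
// Scanner abstracts a registry's vulnerability lookup: findings count for a digest reference.
type Scanner func(ref string) (int, error)
// sample holds constructed scan counts; a real adapter would call the registry's scan API.
var sample = map[string]int{"registry.corp.com/apps/foo@sha256:aaaa": 0, "registry.corp.com/apps/blah@sha256:bbbb": 100}
// backends maps a registry host to the (hypothetical) adapter that knows its scan API.
var backends = map[string]Scanner{
	"registry.corp.com": func(ref string) (int, error) { return sample[ref], nil },
}

// Report renders the proposed table and returns a verdict usable as a CI gate. An image
// fails when its count exceeds maxVulns, the scan errors, or no adapter covers its
// registry (unknown coverage is reported as FAIL, never as a silent OK).
func Report(images []Image, maxVulns int) ([]string, bool) {
	const row = "%-6s %-5s %-22s %s"
	rows := []string{fmt.Sprintf(row, "Id", "State", "Details", "Full reference")}
	pass := true
	for _, img := range images {
		state, details := "OK", ""
		scan, ok := backends[strings.SplitN(img.Ref, "/", 2)[0]] // pick adapter by registry host
		if !ok {
			state, details = "FAIL", "no scanner for registry"
		} else if n, err := scan(img.Ref); err != nil {
			state, details = "FAIL", "scan error: "+err.Error()
		} else {
			details = fmt.Sprintf("%d vulnerabilities", n)
			if n > maxVulns {
				state = "FAIL"
			}
		}
		pass = pass && state == "OK"
		rows = append(rows, fmt.Sprintf(row, img.Id, state, details, img.Ref))
	}
	return rows, pass
}

func main() {
	imgs := []Image{{"foo", "registry.corp.com/apps/foo@sha256:aaaa"}, {"blah", "registry.corp.com/apps/blah@sha256:bbbb"}}
	rows, pass := Report(imgs, 0) // a non-zero exit on !pass is what a CI step would key on
	fmt.Printf("%s\npass: %v\n", strings.Join(rows, "\n"), pass)
}
```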
@DennisDenuto and I were reviewing this further, and we will go ahead and add a story to our backlog to further discuss how to make this happen.
+1 this would be a great feature!