Upgrade trivy to v0.29 or higher
Describe the solution you'd like
We are currently using trivy v0.27.1 in our scanner shim code, and trivy started supporting the containerd runtime in v0.29.0. At present, our trivy pod is thus unable to connect to the runtime socket, and therefore cannot scan nameless images.
Anything else you would like to add:
This blocks completion of #224. The strategy for testing clusters with thousands of images is to load up the containerd store with vulnerable images on each node. Without access to the runtime, our trivy-scanner pod will simply ignore those images it can't find in the trivy database. With access to the runtime, it will analyze the layer structure of node-local images and compare known layers (by digest) to its database of known vulnerabilities. Thus for any new image that uses (for example) alpine:vulnerable as a base image, that new image would also be considered vulnerable, even though the new image wouldn't be present in trivy's database.
Environment:
- Eraser version: v0.4.0