Story #6871
closed
[Epic] Add security scanner integration
Status:
CLOSED - DUPLICATE
Description
Ticket moved to GitHub: "pulp/pulp_container/463":https://github.com/pulp/pulp_container/issues/463
Goal¶
Users storing content in pulp_container should derive benefit from security scanning of docker containers that are out there.
Existing Tools¶
The idea is to integrate a tool not make a new one. Here are some options I've read about from this article.
Would this be implemented as a webhook (e.g. to an existing CI system) or as a celery task?
Where would the report artifacts be saved?
What are the least possible privileges for a celery task? (A task that runs one or more container analysis tools and saves the report artifacts(s) somewhere)
https://github.com/goharbor/pluggable-scanner-spec :
Open API spec definition for the scanners that can be plugged into Harbor to do artifact scanning.
Add support to Harbor for using other image scanners than just Clair by replacing the current Clair-specific scanning job implementation with an adapter layer implemented as an HTTP API between Harbor and the scanners' native interfaces. This will provide runtime configurable scanner invocation to provide vulnerability scanning initially with the option for other types of scanning in the future.
https://github.com/goharbor/harbor-scanner-clair
("DOC,SEC: Docker Notary / TUF support" #7419 could also be tagged 'security' if there was such an issue tag)
- Description updated (diff)
- Status changed from NEW to CLOSED - DUPLICATE
Also available in: Atom
PDF