banzaicloud / anchore-image-validator Goto Github PK

Substring matching is used on whitelisted image names instead of full-string match.

MatchString reports whether the string s contains any match of the regular expression re.

Should surround with ^(/)$

To track changes and create a usable event log we decided to store this information in custom resource.

Custom respurce name: TODO

Content:

When new image scan is initiated and deployment is already whitelisted, scanlog image detail fields are empty.

Is your feature request related to a problem? Please describe.
Instead of the implemented anchore-engine client inside the project use https://github.com/anchore/client-go

Webhook should run as nobody.
It would be better if webhook used unprivileged port.

ValidatingWebhookConfiguration should be created by image-validator instead of helm.

Describe the bug
If a deployment is scaled out for a large number of pods, sending images to scan will take a long time.

Steps to reproduce the issue:
In a test deployment set replicas to 100

Expected behavior
Shorten the response time of the anchore-engine using a precheck.

Additional context
If an image is sent to analysis, the anchore-engine puts it in the queue and it will affect response time. Using the precheck the queue will be skipped.

Is your feature request related to a problem? Please describe.
The default policy creator K8s kob isn't necessary after banzaicloud/pipeline#3166 is merged.

Describe the solution you'd like to see
The chart shouldn't deploy the default policy creator job by default.
It would be deployed depending on a flag.

Incorrect parsing of images in CheckImage

The parsing of an image tag is by the CheckImage function in ./pkg/anchore/client.go is incorrect when the port number is specified for a registry.

For exemple if the image name is:

myregistry.example.com:5000/myrepo/myimage:mytag

Then the parsed image name will be:

myregistry.example.com

instead of:

myregistry.example.com:5000/myrepo/myimage

and the parsed tag will be

5000

instead of

mytag

I am also suspecting that if the image name specifies the image digest, then the parsing will also be incorrect (but I have not tested it yet).

Exemple:

myregistry.example.com/myrepo/myimage@sha256:d004d...35a2

Steps to reproduce the issue:

Try to validate an image hosted on a registry running on a non-standard port or specified with a digest.

Expected behavior

Maybe this could help doing the proper parsing:

• https://github.com/docker/distribution/blob/master/reference/reference.go
• https://github.com/docker/distribution/blob/release/2.7/reference/normalize.go

Is your feature request related to a problem? Please describe.
Before getting the images based on the tag, the imagePullPolicy should be checked. ( related issues: #70 )

It should be fixed in both anchore-image-validator and pipleine.

This issue was automatically created by Allstar.

Security Policy Violation
Dismiss stale reviews not configured for branch master

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.