The starboard operator currently watches pods to trigger a scan. In some cases it's desirable to scan an artifact before the code is deployed and running.
A new SourceReference CRD could be defined:
```yaml
kind: SourceReference
spec:
  repository: github.com/myrepo
  reference: # tag/branch
  commit: # optional if tag not specified
  secretName: # optional - for private repos
```
A new controller would then trigger a scan when a new SourceReference instance is created. The initial implementation could rely on the operator to update the CRD when a new commit is pushed.
The functionality could be extended to support polling the repo for new tags or commits on a branch if neither is specified. This may require a status field for the reconciler to capture what was scanned:
The implementation could largely reuse the logic of `VulnerabilityReportReconciler.reconcilePods` (read the artifact reference, check ownership, check for an existing VulnerabilityReport/Job, check throttling, submit the scan). Changes would be needed in a few areas:
- Because there is no image in this flow, the usage of `corev1.PodSpec` and `ContainerImages` would need to be abstracted.
- The Trivy plugin would need an update to invoke `trivy repo` with appropriate parameters.
- The VulnerabilityReport would need appropriate metadata for a source reference instead of an image.
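As an added illustration (not code from the Starboard project), a standard-library Go sketch of the reconcile decision described above: it validates the SourceReference spec, uses the suggested status field to skip a revision that was already scanned, and builds the `trivy repo` invocation the plugin would run. The Go type names, the status field names and the `--commit`/`--branch` flags are assumptions.

```go
package main

import "errors"

// Hypothetical Go mirrors of the proposed CRD fields; not Starboard's own types.
type SourceReferenceSpec struct {
	Repository string // e.g. github.com/myrepo
	Reference  string // tag or branch
	Commit     string // optional if Reference is set
	SecretName string // optional, credentials for private repos
}

// Status field suggested by the proposal so the reconciler can record what it scanned.
type SourceReferenceStatus struct {
	ScannedCommit, ScannedReference string
}

// ScanPlan is what the controller would hand to the Trivy plugin's scan job.
type ScanPlan struct {
	Args       []string // command line for the scan container
	SecretName string   // mounted into the job for private repositories
}

var ErrNoRef = errors.New("sourcereference: spec.reference or spec.commit is required")

// PlanScan covers the "read the artifact reference, check for an existing scan,
// submit" reconcile steps, with a git revision in place of a container image.
// It returns (nil, nil) when the status shows this revision was already scanned.
func PlanScan(spec SourceReferenceSpec, status SourceReferenceStatus) (*ScanPlan, error) {
	if spec.Repository == "" {
		return nil, errors.New("sourcereference: spec.repository is required")
	}
	if spec.Reference == "" && spec.Commit == "" {
		return nil, ErrNoRef
	}
	// Idempotency: the analogue of checking for an existing VulnerabilityReport/Job.
	if (spec.Commit != "" && spec.Commit == status.ScannedCommit) ||
		(spec.Commit == "" && spec.Reference == status.ScannedReference) {
		return nil, nil
	}
	// Assumes trivy's `repo` subcommand accepts --commit and --branch (--tag for tags).
	args := []string{"trivy", "repo", "--format", "json"}
	if spec.Commit != "" {
		args = append(args, "--commit", spec.Commit)
	} else {
		args = append(args, "--branch", spec.Reference)
	}
	return &ScanPlan{Args: append(args, spec.Repository), SecretName: spec.SecretName}, nil
}
```

After a successful scan the reconciler would write the scanned commit or reference back into the status so the next reconcile of the same object is a no-op.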