Clairctl - Auth header for private registry

[mieliespoor]

When trying to generate the manifest for a container image in AWS ECR, we need to include an Authorisation header for the GET to succeed. I don't see a way to do this, so currently clairctl manifest returns an Unauthorised response.

How do we make sure this header is being added by clairctl?

If this is not possible, how do we generate the manifest that should be submitted to the indexer? Is is just a case of pulling the manifest and then the uri of the layer is the blob url for that layer? I tried to look at the code, but my lack of experience in Go hampers me a bit to fully understand how this manifest is generated, but this is at least how I understand the code when looking at manifest.go.

[mieliespoor]

So to work with ECR is fairly straight forward in the end. The AWS ECR SDK provides a way to get a token which should then be added to the Authorization Header for subsequent http calls. The SDK also has a way to get a signed download link for a layer. The flow would most describes what need to happen.

[AWS SDK] Get ECR Auth Token
HEAD https://{aws_account_id}.dkr.ecr.{region}.amazonaws.com/v2/{repo}/manifests/{tag} (request to get image digest if the digest is unknown, the header which includes the digest is not returned with a GET)
GET https://{aws_account_id}.dkr.ecr.{region}.amazonaws.com/v2/{repo}/manifests/{tag}
For Each Layer: [AWS SDK] Get Signed Download Link

Should now have the information to build the manifest for the index_report POST

[mieliespoor]

Ideally, it should still be possible to pass in an argument to clairctl for the Authorization header. It won't work on private ECR registries as is evident from the above, but for other private registries it might help.

[hdonnay]

Clairctl should honor a docker client config file, e.g. ~/.docker/config.json.

[HariSekhon]

This is what Trivy and Grype do