Outdated image scanner with reports #2051
Labels
kind/feature
Categorizes issue or PR as related to a new feature.
priority/backlog
Higher priority than priority/awaiting-more-evidence.
target/kubernetes
Issues relating to kubernetes cluster scanning
This is a request to add a new report custom resource and scanner for outdated images in the cluster. Currently, when you view VulnerabilityReports published by Trivy Operator it contains a lot of data about a specific container image. But it doesn't tell you if there's an updated image available to change to. It would be incredible from a Kubernetes cluster administrator's perspective to filter by vulnerable images that actually have a new image version to switch to that might be less vulnerable.
For that, I'm imagining a new type of report resource (or perhaps this could just be added to the VulnerabilityReport resources) that details the current image (registry, repository, tag, digest) as well as takes a stab at scanning the registry/repository for a newer tag to switch to.
The trick with actually implementing this feature that I'm not sure how to accomplish would be finding a new image tag of a comparable image lineup. A registry/repository might contain multiple "classes" of tags (release candidates, full release semvers, latest release, and maybe one for the current commit in the default branch of the code repo). Maybe just do some regex to figure out if the current tag is a :latest, :vX.X.X or :X.X.X tag, and then scan the registry for the newest version of the image that also matches that regex. I've used Hashicorp's go-version library for comparing SemVer strings, which might help with this too (finding out which is "newer"): https://github.com/hashicorp/go-version