
Need a way to always prefer registry over local Docker when scanning an image #1204

Closed
luhring opened this issue Mar 29, 2023 · 0 comments · Fixed by #1215
Labels
enhancement New feature or request

Comments

@luhring
Contributor

luhring commented Mar 29, 2023

What would you like to be added:

It'd be great to have an easy way to avoid ever accidentally scanning a stale version of a container image, specifically because Grype retrieved the image from Docker instead of directly from the registry. Scanning stale images results in wasted time, pointless escalations/fire drills, etc.

Short of changing the default behavior in the tool itself, it'd be great to have a persistent fix available to the user, like setting a value in a config file on disk.

Why is this needed:

Today's behavior is a common footgun for folks. They intuitively type a command like grype alpine:3.16, or grype my-registry.io/my-company/my-image, and they don't realize until much later that what they've scanned is not reflective of the latest state of the image.

This happens primarily when scanning images that the user didn't build themselves. So any time you scan an official Docker Hub image, or an open source project's image, this is a mistake waiting to happen. Even for an organization's own image, it's increasingly common that images are built by CI instead of locally — in which case, defaulting to retrieving the image from Docker just means introducing the risk that you're scanning a stale image.

Additional context:

IIRC, there's no strong reason why today Grype prefers Docker over the registry — I believe it was simply that the developers (myself included) added support for Docker first, and for the registry second.

This might be implicit — but it'd probably be a good UX for whatever solution is applied to Grype for this ticket to also be applied to Syft.

cc: @spiffcs

link to community Slack discussion

@luhring luhring added the enhancement New feature or request label Mar 29, 2023
@spiffcs spiffcs linked a pull request Apr 3, 2023 that will close this issue
spiffcs added a commit that referenced this issue Apr 4, 2023
#1204 surfaces the need for allowing a user to express a preference over the default-image-pull-source to be used when building an SBOM for vulnerability scanning.

This adds a config option into grype to consume the new syft behavior.

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
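As an added example (not code from this issue or from the linked PR), this is what a persistent opt-in of the kind the issue asks for would look like as a Grype config file. The key name `default-image-pull-source` is taken from the commit message above; the file location `.grype.yaml` and the accepted value `registry` are assumptions about the shipped option, so confirm them against the config reference for the Grype version you run.

```yaml
# .grype.yaml in the working directory (or ~/.grype.yaml) - added example, not from this issue.
# Assumption: the option is spelled exactly as in the commit message and accepts "registry".
#
# Without this setting (the behaviour described in the issue), a bare reference such as
# "alpine:3.16" is resolved against the local Docker daemon first, so a copy pulled weeks
# ago can be scanned instead of what the registry currently serves under that tag.
#
# With it, "grype alpine:3.16" and "grype my-registry.io/my-company/my-image" resolve
# against the registry first, so the findings describe the image other people actually pull.
default-image-pull-source: registry
```

Because the stale-scan problem is silent, it is worth checking the digest that the scan reports for its source against the digest the registry currently holds for the tag whenever a result looks surprisingly clean; a mismatch means the scan did not cover the image you meant. Per-invocation overrides via a source prefix on the image reference may also be available in your version, but that is an assumption to verify rather than something this issue states.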