[Feature Request] Image Digest Vulnerability Scan Caching #2192
Labels: kind/feature (categorizes the issue or PR as related to a new feature), lifecycle/stale (the issue or PR has remained open with no activity and will be auto-closed).
Objective: Optimize the vulnerability scanning activity taking place within the Kubernetes cluster.
Problem Statement: In Kubernetes cluster deployments with a high volume of actions (create, modify, delete) on resources that use the same image references (e.g., creating several ReplicaSet resources with the same image references), overhead is incurred by the churn of re-scanning images that have already been scanned in a different context (e.g., another namespace or resource).
Proposed Solution: Implement a vulnerability scan caching solution that will store scan results based on the image digest of container images. Prior to the operator executing a scan job, a caching check can occur to determine if the image digest has been scanned in the last N hours/days (configurable). If the image is in cache, the previous scan data is used for the resource vulnerability report, otherwise a scan is executed (similar to what was proposed in: https://github.com/aquasecurity/trivy-operator/blob/main/docs/docs/design/caching_scan_results_by_repo_digest.md).
Expected Outcome: The proposed feature should optimize the vulnerability scanning process by consulting a cache before instantiating a pod resource to scan an image that has already been scanned.
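The check described above, as an added illustration that is not trivy-operator's own code: results are keyed by the image digest (never by tag, since a tag can be repointed to different content), reused across namespaces while younger than a configurable TTL, and re-scanned otherwise. The `ScanResult` type, the `scan` callback and the clock hook are assumptions of this example.

```go
package main

import (
	"errors"
	"strings"
	"time"
)

// ScanResult stands in for the report a scan job would produce (constructed for this example).
type ScanResult struct {
	Digest    string
	ScannedAt time.Time
	Findings  int
}

// DigestCache keeps results keyed by image digest, never by tag, so a tag that is
// repointed to new content cannot be served a stale report.
type DigestCache struct {
	TTL     time.Duration
	Now     func() time.Time // injectable clock, so expiry can be exercised deterministically
	entries map[string]ScanResult
}

func NewDigestCache(ttl time.Duration) *DigestCache {
	return &DigestCache{TTL: ttl, Now: time.Now, entries: map[string]ScanResult{}}
}

// digestOf extracts "sha256:<64 hex>" from "registry/repo[:tag]@sha256:..."; tag-only
// references are rejected because they do not identify immutable content.
func digestOf(ref string) (string, error) {
	i := strings.LastIndex(ref, "@sha256:")
	if i < 0 || len(ref)-(i+1) != len("sha256:")+64 {
		return "", errors.New("reference lacks a sha256 digest: " + ref)
	}
	return ref[i+1:], nil
}

// ScanOrReuse is the pre-scan cache check from the issue: reuse a result scanned within
// TTL, otherwise run scan (the expensive job) and record it. The bool reports a cache hit.
func (c *DigestCache) ScanOrReuse(ref string, scan func(digest string) ScanResult) (ScanResult, bool, error) {
	d, err := digestOf(ref)
	if err != nil {
		return ScanResult{}, false, err
	}
	if r, ok := c.entries[d]; ok && c.Now().Sub(r.ScannedAt) < c.TTL {
		return r, true, nil
	}
	r := scan(d)
	r.Digest, r.ScannedAt = d, c.Now()
	c.entries[d] = r
	return r, false, nil
}
```

Two workloads in different namespaces that reference the same digest trigger one scan job; a tag-only reference is refused rather than cached, and an entry older than the TTL is scanned again.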