
Provide option to scan an image in tar file format in container scanning


Proposal

The upstream analyzer Trivy, which container scanning is built on, allows scanning an image stored in .tar file format. For example:

$ docker pull ruby:3.1-alpine3.15
$ docker save ruby:3.1-alpine3.15 -o ruby-3.1.tar
$ trivy image --input ruby-3.1.tar

Currently, container scanning allows scanning of an image pushed to a registry using the CS_IMAGE CI/CD variable.

This has come up while working on a ticket with a customer. For those who have access to Zendesk, here's a link to the ticket:

Zendesk Ticket - internal

Some users have a workflow where they would like to scan an image before it is ever uploaded to a registry. The current work-around is to pass the --input=<image:.tar> value to CS_IMAGE. Note the :.tar suffix: the container scanning schema currently requires that a tag is present, otherwise you will receive schema validation errors.

A side effect of passing such a value to the CS_IMAGE variable is that, when viewing the vulnerability in the UI, the file location/path is set to --input=<image:.tar>, which is not desirable. A current work-around for that is to override the container scanning job with an after_script that modifies the image value in the gl-container-scanning-report.json file before it is uploaded as an artifact.
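The report rewrite that the after_script work-around performs, as an added Python illustration (not code from this issue or from GitLab). It assumes the scanned image reference lands in each vulnerability's location.image field, and that the real image name is supplied separately, since the tar file itself does not carry it.

```python
import json

# Constructed sample of a gl-container-scanning-report.json fragment, not taken
# from the issue. Assumption: with the --input work-around, the raw argument is
# what ends up in each vulnerability's "location.image" field.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"id": "CONSTRUCTED-1",
         "location": {"image": "--input=ruby-3.1.tar:.tar",
                      "operating_system": "alpine 3.15",
                      "dependency": {"package": {"name": "sample-pkg-a"},
                                     "version": "1.0.0"}}},
        {"id": "CONSTRUCTED-2",
         "location": {"image": "--input=ruby-3.1.tar:.tar",
                      "operating_system": "alpine 3.15",
                      "dependency": {"package": {"name": "sample-pkg-b"},
                                     "version": "2.0.0"}}},
    ],
})

WORKAROUND_PREFIX = "--input="


def image_locations(report_json: str) -> list:
    """Collect every location.image value in the report, in order."""
    report = json.loads(report_json)
    return [v.get("location", {}).get("image")
            for v in report.get("vulnerabilities", [])]


def rewrite_image_locations(report_json: str, real_image: str) -> tuple:
    """Replace each work-around image value with the real image reference.

    Returns the rewritten report and the number of locations changed.
    Locations that do not carry the --input prefix are left untouched, so
    running this twice is harmless."""
    report = json.loads(report_json)
    rewritten = 0
    for vuln in report.get("vulnerabilities", []):
        location = vuln.get("location")
        if not isinstance(location, dict):
            continue
        if str(location.get("image", "")).startswith(WORKAROUND_PREFIX):
            location["image"] = real_image
            rewritten += 1
    return json.dumps(report, indent=2), rewritten


if __name__ == "__main__":
    fixed, count = rewrite_image_locations(SAMPLE_REPORT, "ruby:3.1-alpine3.15")
    print(f"rewrote {count} location(s)")
    print(fixed)
```

In a real after_script the real image name would come from a CI/CD variable and the script would read and write the report file in place.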
