Summary
Lagoon Insights collects data about deployments (SBOMs, Docker image layers). This data can be used to run vulnerability scans that show the vulnerabilities currently present in an environment.
Intended Outcome
Lagoon users have access to the Insights data about their environments - package versions and vulnerabilities, and have the ability to configure "problems" if required.
Relevant Reasoning
Lagoon-remote is the best place to control tasks, builds, scans etc.; Lagoon-core is used to store the data and update the API.
How could it work?
Lagoon-remote should be able to perform the following on a build:
- On a build, Lagoon generates an SBOM using Syft, and stores it in a configmap (and then in S3)
- Using this SBOM, Lagoon can scan it using Grype to generate and store a report of this run in a configmap (and then in S3)
- (optional) Lagoon can report "problems" from this report back to the API
- Schedule a time to perform a re-scan of this data - using a Label?
Lagoon-remote should also be able to perform the following:
- Check for existence of previously created SBOM configmap to use as source for scan
- If no configmap present, scan image from Harbor to generate SBOM
- Using this SBOM, Lagoon can scan it using Grype to generate and store a report of this run in a configmap (and then in S3)
- (optional) Lagoon can report "problems" from this report back to the API
- Schedule a time to perform a re-scan of this data - using a Label?
The Lagoon-remote may also poll namespaces/configMaps for the existence of a Label to determine whether a re-scan is necessary
- Suggest weekly scans, but conducted outside business hours, e.g. every 156h (168h - 12h)
- Weekly scans are Grype-only - they don't update the SBOMs in ConfigMap or S3
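A worked example of two of the remote-side steps above: turning a Grype report into "problem" records for the API, and deciding from a namespace/ConfigMap label whether the 156h re-scan is due. This is an added example, not Lagoon's own code; the problem record fields, the label name `lagoon.sh/insights-last-scan`, the timestamp format and the sample report (constructed in the shape of Grype's JSON `matches` array, with placeholder vulnerability ids) are all assumptions.

```python
"""Added example (not Lagoon's own code): Grype report -> problem records,
and a label-based check for whether the weekly re-scan is due.

Assumptions, not from the issue: the problem record schema, the label name,
the label timestamp format, and the sample report below.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `grype -o json` output. The ids are
# placeholders, not real CVEs; the third match duplicates the first.
SAMPLE_GRYPE_REPORT = json.dumps({
    "matches": [
        {
            "vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                              "fix": {"versions": ["2.3.4"], "state": "fixed"}},
            "artifact": {"name": "libexample", "version": "2.3.1", "type": "deb"},
        },
        {
            "vulnerability": {"id": "CVE-0000-0002", "severity": "Low",
                              "fix": {"versions": [], "state": "not-fixed"}},
            "artifact": {"name": "examplepy", "version": "0.9", "type": "python"},
        },
        {
            "vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                              "fix": {"versions": ["2.3.4"], "state": "fixed"}},
            "artifact": {"name": "libexample", "version": "2.3.1", "type": "deb"},
        },
    ]
})

# Grype severity strings, ranked so a minimum severity can be enforced.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2,
                 "Low": 1, "Negligible": 0, "Unknown": 0}


def report_to_problems(report_json, environment, min_severity="Medium"):
    """Convert Grype matches into problem records (hypothetical schema).

    Matches are de-duplicated on (vulnerability id, package, version) and
    anything below `min_severity` is dropped so the API only receives
    actionable findings.
    """
    matches = json.loads(report_json).get("matches", [])
    threshold = SEVERITY_RANK[min_severity]
    seen = set()
    problems = []
    for match in matches:
        vuln, art = match["vulnerability"], match["artifact"]
        key = (vuln["id"], art["name"], art["version"])
        if key in seen:
            continue
        seen.add(key)
        severity = vuln.get("severity", "Unknown")
        if SEVERITY_RANK.get(severity, 0) < threshold:
            continue
        fixed = vuln.get("fix", {}).get("versions", [])
        problems.append({
            "environment": environment,
            "identifier": vuln["id"],
            "severity": severity.upper(),
            "package": art["name"],
            "version": art["version"],
            "fixedVersion": ",".join(fixed) or None,
            "source": "grype",
        })
    return problems


# Hypothetical label recording the last scan. Kubernetes label values may not
# contain ':', so the timestamp is written without separators.
RESCAN_LABEL = "lagoon.sh/insights-last-scan"
LABEL_STAMP_FORMAT = "%Y%m%dT%H%M%SZ"
RESCAN_INTERVAL = timedelta(hours=156)  # 168h - 12h, as proposed in the issue


def parse_label_stamp(value):
    """Parse a label timestamp such as 20240110T000000Z into an aware UTC datetime."""
    return datetime.strptime(value, LABEL_STAMP_FORMAT).replace(tzinfo=timezone.utc)


def rescan_due(labels, now=None):
    """True when the last-scan label is missing or older than RESCAN_INTERVAL."""
    now = now or datetime.now(timezone.utc)
    stamp = labels.get(RESCAN_LABEL)
    if stamp is None:
        return True  # never scanned: scan now
    return now - parse_label_stamp(stamp) >= RESCAN_INTERVAL


if __name__ == "__main__":
    for problem in report_to_problems(SAMPLE_GRYPE_REPORT, "main"):
        print(problem)
    print("rescan due:", rescan_due({RESCAN_LABEL: "20240103T000000Z"},
                                    parse_label_stamp("20240110T000000Z")))
```

In the weekly (Grype-only) path the same `report_to_problems` call would run over a fresh scan of the stored SBOM, and the label would be rewritten with the new timestamp; the SBOM ConfigMap and S3 object are left untouched, as the issue proposes.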
Lagoon-CLI should be extended to retrieve Insights files for a given environment
Lagoon-UI should be able to display Insights files for a given environment