Reports as first-class entities
We are currently not able to distinguish between having no report at all and having an empty report. This is because we store only vulnerabilities, so "no vulnerabilities" covers both cases: a scan that ran and found nothing looks identical to a scan that never ran.
There are features that require deeper knowledge of the scan itself, and therefore first-class reports:
- Container Registry status: #8790
- Dashboard chart counters
We need to save some information every time a report is sent to GitLab via
Each report will carry its own information; for container scanning, for example, we can have:
- image name, list of vulnerabilities
The report will be parsed and saved with the following information:
- report time
- image name (could be multiple) - currently challenged by @gonzoyumo and @fcatteau
- image security status summary (one for each image name) - also challenged by @fcatteau
- scan settings - suggested by @fcatteau
- scan failures - suggested by @fcatteau
We can query this information to figure out whether an image has been scanned, when it was scanned, and what its security status is.
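To illustrate the difference between the current vulnerabilities-only model and a first-class report, here is an added Ruby example. It is not GitLab code and does not use GitLab's report schema or models: the JSON shape, the field names (`scan.start_time`, `scan.settings`, `scan.failures`, `images`, `vulnerabilities`) and the sample report are all constructed for this example. It parses a container-scanning report into the fields listed above and shows that, once the report itself is stored, "never scanned", "scanned and clean", and "scan failed" become distinguishable, whereas the vulnerabilities-only view collapses the first two.

```ruby
require 'json'
require 'time'

# First-class report record: the information listed in the proposal above.
# The summaries hash maps each image name to a per-severity count.
ContainerScanReport = Struct.new(
  :reported_at, :images, :summaries, :settings, :failures, :vulnerabilities,
  keyword_init: true
)

# Hypothetical report shape (assumption for this example, not GitLab's schema):
# { "scan": { "start_time": ISO-8601, "settings": {...}, "failures": [{ "image", "message" }] },
#   "images": [name, ...],
#   "vulnerabilities": [{ "image": name, "severity": "High" | "Medium" | ..., "id": ... }] }
def parse_container_scan_report(raw_json)
  doc = JSON.parse(raw_json)
  vulns = doc.fetch('vulnerabilities', [])
  images = doc.fetch('images', [])

  # One security status summary per image name, as the proposal suggests.
  summaries = images.each_with_object({}) do |image, acc|
    counts = Hash.new(0)
    vulns.select { |v| v['image'] == image }.each do |v|
      counts[v.fetch('severity', 'unknown').downcase] += 1
    end
    acc[image] = counts
  end

  ContainerScanReport.new(
    reported_at: Time.iso8601(doc.dig('scan', 'start_time')),
    images: images,
    summaries: summaries,
    settings: doc.dig('scan', 'settings') || {},
    failures: doc.dig('scan', 'failures') || [],
    vulnerabilities: vulns
  )
end

# Current model: only vulnerabilities are stored. An image with no findings and
# an image that was never scanned both yield :no_findings, which is the ambiguity
# the proposal wants to remove.
def vulnerabilities_only_status(vulns, image)
  vulns.any? { |v| v['image'] == image } ? :vulnerable : :no_findings
end

# With a first-class report the same question has four distinct answers.
def image_security_status(report, image)
  return :not_scanned if report.nil? || !report.images.include?(image)
  return :scan_failed if report.failures.any? { |f| f['image'] == image }

  report.summaries.fetch(image).values.sum.zero? ? :clean : :vulnerable
end

# Constructed sample report; identifiers are placeholders, not real advisories.
SAMPLE_REPORT = <<~JSON
  {
    "scan": {
      "start_time": "2019-03-04T10:15:00Z",
      "settings": { "scanner": "example-scanner", "severity_threshold": "Low" },
      "failures": [ { "image": "debian:10", "message": "manifest not found" } ]
    },
    "images": ["alpine:3.9", "registry.example.com/app:1.0", "debian:10"],
    "vulnerabilities": [
      { "image": "alpine:3.9", "severity": "High",   "id": "vuln-1" },
      { "image": "alpine:3.9", "severity": "Medium", "id": "vuln-2" }
    ]
  }
JSON

if __FILE__ == $PROGRAM_NAME
  report = parse_container_scan_report(SAMPLE_REPORT)
  %w[alpine:3.9 registry.example.com/app:1.0 debian:10 never-scanned:latest].each do |image|
    puts format('%-32s vulns-only=%-12s report=%s', image,
                vulnerabilities_only_status(report.vulnerabilities, image),
                image_security_status(report, image))
  end
end
```

Running the script prints one line per image: the vulnerabilities-only column reports `no_findings` for the clean image, the failed image and the never-scanned image alike, while the report-backed column separates them into `clean`, `scan_failed` and `not_scanned`. The scan failure check comes before the summary lookup on purpose: an image whose scan failed has an empty vulnerability list, and without the `failures` field it would otherwise be reported as clean.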