Cluster image scanning vulnerability resolution
Why are we doing this work
The agent implementation of Cluster Image Scanning currently has no means of determining whether a vulnerability is no longer detected. Historically, all security scans have run in GitLab CI/CD and have been able to use StoreReportService to compare scans with one another and to resolve and deduplicate findings. The agent uses an HTTP API which currently can only create vulnerabilities. We will need to implement a method of resolving findings which are no longer detected via the API.
Relevant links
Non-functional requirements
- Documentation: -
- Feature flag: -
- Performance: -
- Testing:
Implementation plan
- backend (rails): Update the starboard_vulnerability internal API to return the UUID of the vulnerability which was created.
- backend (rails): Add a new API endpoint (POST internal/kubernetes/modules/starboard_vulnerability/scan_result ?) which receives a list of UUIDs from a completed scan.
  - Pass these UUIDs to a new vulnerability resolution service. This service will take the project's existing Cluster Image Scanning vulnerabilities and resolve the ones which were not detected in the latest scan (resolve(existing_uuids - new_uuids)).
  - See IngestReportsService for an implementation reference.
- backend (agentk): Have agentk perform the vulnerability resolution.
  - As agentk creates vulnerabilities, it will collect each UUID from the response and push it to a list.
  - When the scan is done, it will send a request with the list of UUIDs to internal/kubernetes/modules/starboard_vulnerability/scan_result.
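The resolution step from the plan, modelled as an added example in plain Ruby (not GitLab's code): the Vulnerability struct, the service class and the sample records are assumptions standing in for the Rails models, and the example shows that only the project's detected Cluster Image Scanning findings absent from the scan's UUID list are resolved, while dismissed findings, other projects and other report types are untouched.

```ruby
require 'set'

# Assumed stand-in for the Rails vulnerability model (not GitLab code).
Vulnerability = Struct.new(:uuid, :project_id, :report_type, :state)

# Hypothetical resolution service for the proposed scan_result endpoint:
# given the UUIDs reported by the latest completed scan, resolve the
# project's detected Cluster Image Scanning vulnerabilities that the scan
# did not report, i.e. resolve(existing_uuids - new_uuids).
class ClusterImageScanningResolutionService
  REPORT_TYPE = 'cluster_image_scanning'

  def initialize(project_id, vulnerabilities)
    @project_id = project_id
    @vulnerabilities = vulnerabilities
  end

  # Returns the sorted list of UUIDs that were resolved.
  # Note: an empty scan_uuids list resolves every detected finding of the
  # project, so the caller must only send it once the scan has completed.
  def execute(scan_uuids)
    new_uuids = Set.new(scan_uuids)
    # Only this project's detected Cluster Image Scanning findings are
    # candidates; resolved/dismissed ones and other report types stay as is.
    candidates = @vulnerabilities.select do |v|
      v.project_id == @project_id && v.report_type == REPORT_TYPE && v.state == :detected
    end
    existing_uuids = candidates.map(&:uuid).to_set
    to_resolve = existing_uuids - new_uuids   # UUIDs unknown to the project are ignored
    candidates.each { |v| v.state = :resolved if to_resolve.include?(v.uuid) }
    to_resolve.to_a.sort
  end
end

# Constructed sample data: project 1 has findings a, b (detected), c (dismissed),
# e (different report type); project 2 has finding d.
SAMPLE_VULNERABILITIES = [
  Vulnerability.new('a', 1, 'cluster_image_scanning', :detected),
  Vulnerability.new('b', 1, 'cluster_image_scanning', :detected),
  Vulnerability.new('c', 1, 'cluster_image_scanning', :dismissed),
  Vulnerability.new('d', 2, 'cluster_image_scanning', :detected),
  Vulnerability.new('e', 1, 'container_scanning', :detected)
].freeze

# The latest scan of project 1 reported only 'a' plus an unknown UUID.
def demo
  ClusterImageScanningResolutionService.new(1, SAMPLE_VULNERABILITIES).execute(%w[a zzz])
end
```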
Edited by Brian Williams