Enable the GitLab Agent for Kubernetes to initiate vulnerability scans
Why are we doing this work
Currently, the agent expects that the Starboard Operator is responsible for executing all scans. We would like to enforce that scans run via scan execution policies (#341358 (closed)). In order to do this, we need to be able to trigger new scans to run instead of relying on the operator to do this for us.
Relevant links
Non-functional requirements
- Documentation: -
- Feature flag: -
- Performance: -
- Testing:
Implementation plan
Scheduling
As scan execution policies define a cadence, e.g. `cadence: 0 0 * * *`, we need a task scheduling library, for example robfig/cron.
We need the ability to reschedule, so that we can react to changes to the cadence.
Scanning
- Query Kubernetes for the same workload kinds as Starboard, taking into account the namespace filter configuration of the Agent.
- For every identified workload object, initiate a scan with `vulnerabilityreport.Scan`. The number of scans executing in parallel must be limited. Collect all resulting `v1alpha1.VulnerabilityReport`s.
- Merge the resulting vulnerability reports.
- Transmit the resulting vulnerability report.
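As an added illustration of the scanning steps above (not code from the agent or from Starboard), this Go snippet bounds the number of parallel scans with a semaphore, merges the per-workload reports into one sorted report, and stops launching scans when its context is cancelled, e.g. on a reschedule. `Workload`, `Finding`, `Report` and `ScanFunc` are simplified stand-ins assumed here for the real workload objects, `v1alpha1.VulnerabilityReport` and `vulnerabilityreport.Scan`.

```go
package main

import (
	"context"
	"sort"
	"sync"
)

// Simplified stand-ins for the workload objects and v1alpha1.VulnerabilityReport.
type Workload struct{ Namespace, Kind, Name string }
type Finding struct{ Workload, ID, Severity string }
type Report []Finding

// ScanFunc is the shape assumed here for vulnerabilityreport.Scan (hypothetical).
type ScanFunc func(ctx context.Context, w Workload) (Report, error)

// ScanAll runs scan over every workload with at most maxParallel scans in flight
// (a buffered channel is the semaphore), merges the results into one report sorted
// by workload and ID, and collects scan errors. Cancelling ctx stops new launches.
func ScanAll(ctx context.Context, workloads []Workload, maxParallel int, scan ScanFunc) (Report, []error) {
	sem := make(chan struct{}, maxParallel)
	var wg sync.WaitGroup
	var mu sync.Mutex
	var merged Report
	var errs []error
launch:
	for _, w := range workloads {
		select {
		case sem <- struct{}{}: // acquire a slot
		case <-ctx.Done(): // cadence rescheduled or agent stopping
			break launch
		}
		wg.Add(1)
		go func(w Workload) {
			defer wg.Done()
			defer func() { <-sem }() // release the slot
			r, err := scan(ctx, w) // scan is expected to honour ctx too
			mu.Lock()
			defer mu.Unlock()
			if err != nil {
				errs = append(errs, err)
				return
			}
			merged = append(merged, r...)
		}(w)
	}
	wg.Wait() // every goroutine has finished, so merged and errs are safe to read
	sort.Slice(merged, func(i, j int) bool { return merged[i].Workload+merged[i].ID < merged[j].Workload+merged[j].ID })
	return merged, errs
}
```

The caller checks `ctx.Err()` after the call to distinguish a completed run from one cut short by a reschedule.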