
Enable the GitLab Agent for Kubernetes to initiate vulnerability scans

Why are we doing this work

Currently, the agent expects that the Starboard Operator is responsible for executing all scans. We would like to enforce that scans run via scan execution policies (#341358 (closed)). In order to do this, we need to be able to trigger new scans to run instead of relying on the operator to do this for us.

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

Scheduling

As scan execution policies define a cadence, e.g. cadence: 0 0 * * *, we need a task scheduling library, for example robfig/cron.

We need the ability to reschedule, so that we can react to changes to the cadence.

Scanning

  1. Query Kubernetes for the same workload kinds as Starboard, taking into account the namespace filter configuration of the Agent.

  2. For every identified workload object, initiate a scan with vulnerabilityreport.Scan. The number of scans executing in parallel must be limited. Collect all resulting v1alpha1.VulnerabilityReports.

  3. Merge the resulting vulnerability reports.

  4. Transmit the resulting vulnerability report.
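An added Go sketch of steps 2 and 3 (example code written here, not from the agent or this issue): a buffered channel bounds how many scans run at once, a failed scan is counted rather than aborting the run, and the per-workload results are merged into one deduplicated, deterministically ordered report. Workload, Finding and the scan callback are hypothetical stand-ins for the Kubernetes workload objects, v1alpha1.VulnerabilityReport entries and vulnerabilityreport.Scan.

```go
package main

import (
	"context"
	"fmt"
	"sort"
	"sync/atomic"
)

// Hypothetical stand-ins: Workload is a Kubernetes workload object found in step 1;
// Finding is one entry of a v1alpha1.VulnerabilityReport, tagged with the workload it
// was reported for. Finding is comparable, so it doubles as the deduplication key.
type Workload struct{ Namespace, Kind, Name string }
type Finding struct{ Namespace, Kind, Name, Container, VulnID, Severity string }

// ScanAndMerge runs scan for every workload with at most maxParallel in flight (a buffered
// channel is the semaphore) and merges the results into one deduplicated, deterministically
// ordered report (steps 2 and 3). A failed scan is counted, not fatal, so a partial report
// can still be transmitted in step 4.
func ScanAndMerge(ctx context.Context, ws []Workload, maxParallel int,
	scan func(context.Context, Workload) ([]Finding, error)) ([]Finding, int) {
	sem := make(chan struct{}, maxParallel)
	results := make(chan []Finding, len(ws))
	var failed int32
	for _, w := range ws {
		go func(w Workload) {
			sem <- struct{}{}        // acquire a slot; blocks while maxParallel scans run
			defer func() { <-sem }() // release the slot when this scan finishes
			if fs, err := scan(ctx, w); err == nil {
				results <- fs
			} else {
				atomic.AddInt32(&failed, 1)
				results <- nil // contributes nothing, but keeps one result per workload
			}
		}(w)
	}
	seen := map[Finding]bool{}
	for range ws { // exactly one result arrives per workload
		for _, f := range <-results {
			seen[f] = true // the same finding reported twice collapses here
		}
	}
	out := make([]Finding, 0, len(seen))
	for f := range seen {
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool { return fmt.Sprint(out[i]) < fmt.Sprint(out[j]) })
	return out, int(atomic.LoadInt32(&failed))
}
```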

Edited by Dominic Bauer