Have security findings/vulnerabilities from operational container scanning created in the originating projects
Proposal
Associate the OCS reports with the project where the image was deployed from instead of the project where the agent is defined.
From this (internal only) ticket:
We have a common GitLab Agent for Kubernetes in use for a magnitude of groups and projects.
The newly published Operational Container Scanning (https://docs.gitlab.com/ee/user/clusters/agent/vulnerabilities.html) reports all its findings into the project where the agent is defined, and not where the deployment is initiated.
In our case, we currently have thousands of Operational Vulnerabilities on a single project which does not have any application source code.
If an issue is created out of the finding, it goes into this incorrect project, too.
Please have the utility find the original deploying project (e.g. by registry path or app.gitlab.com/app annotation) and assign the findings to a place where they can be worked on.
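One way the "find the original deploying project" lookup could work, as an added example that is neither GitLab's code nor the ticket author's: it maps a container image reference to the project that owns its registry path (longest known prefix wins, because a project may publish several image names under its path) and falls back to the app.gitlab.com/app annotation. The known project list, the registry host and the slug rule are assumptions.

```python
import re
from typing import Iterable, Optional

# Constructed sample of project paths the resolver knows about; in practice they
# would come from the GitLab API. Note one project path is a prefix of another.
KNOWN_PROJECTS = {
    "platform/apps/backend",
    "platform/apps/backend/worker",
    "platform/agent-config",
}

def strip_ref(image: str) -> str:
    """Drop the '@sha256:...' digest and ':tag' from an image reference,
    touching only the last path component so a registry port survives."""
    repo = image.split("@", 1)[0]
    head, _, last = repo.rpartition("/")
    last = last.split(":", 1)[0]
    return f"{head}/{last}" if head else last

def project_from_image(image: str, known: Iterable[str], registry_host: str) -> Optional[str]:
    """Map an image to the project owning its registry path. A project may push
    extra image names below its path, so the longest known prefix wins."""
    host, _, path = strip_ref(image).partition("/")
    if host != registry_host:
        return None  # not built in this GitLab instance's registry
    parts = path.split("/")
    for n in range(len(parts), 0, -1):
        candidate = "/".join(parts[:n])
        if candidate in known:
            return candidate
    return None

def path_slug(project_path: str) -> str:
    """Assumed approximation of CI_PROJECT_PATH_SLUG: lowercase, every character
    outside a-z0-9 replaced by '-', truncated to 63 bytes."""
    return re.sub(r"[^a-z0-9]", "-", project_path.lower())[:63]

def project_from_annotation(annotations: dict, known: Iterable[str]) -> Optional[str]:
    """Fallback: match the app.gitlab.com/app annotation (a path slug) to a project."""
    slug = annotations.get("app.gitlab.com/app")
    matches = [p for p in known if slug and path_slug(p) == slug]
    return matches[0] if len(matches) == 1 else None  # slugs can collide: refuse to guess

def resolve_owner_project(image: str, annotations: dict, known: Iterable[str] = KNOWN_PROJECTS,
                          registry_host: str = "registry.gitlab.com") -> Optional[str]:
    """Project a finding should be attached to, or None when it cannot be attributed."""
    return project_from_image(image, known, registry_host) or project_from_annotation(annotations, known)
```

Findings that resolve to None would stay on the agent project, which keeps the current behaviour for images that cannot be attributed rather than guessing.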