Provide option to scan an image in tar file format in container scanning
Proposal
The upstream analyzer Trivy, which container scanning is built on, supports scanning an image saved as a .tar file. For example:
$ docker pull ruby:3.1-alpine3.15
$ docker save ruby:3.1-alpine3.15 -o ruby-3.1.tar
$ trivy image --input ruby-3.1.tar
Currently, container scanning allows scanning of an image pushed to a registry using the CS_IMAGE CI/CD variable.
This has come up while working on a ticket with a customer. For those who have access to Zendesk, here's a link to the ticket:
Zendesk Ticket - internal
Some users have a workflow where they want to scan an image before it is ever uploaded to a registry. The current workaround is to pass the value --input=<image:.tar> to CS_IMAGE. Note the :.tar suffix: the container scanning schema currently requires that a tag be present, otherwise you will receive schema validation errors.
A side effect of passing such a value to the CS_IMAGE variable is that, when viewing the vulnerability in the UI, the file location/path is shown as --input=<image:.tar>, which is not desirable. The current workaround for that is to override the container scanning job with an after_script that rewrites the image value in the gl-container-scanning-report.json file before it is uploaded as an artifact.
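One way to implement that after_script rewrite, as an added example that is not part of this issue or of GitLab's own tooling. It assumes each vulnerability entry in the report carries a location.image field holding the --input=... workaround value; the sample report below is constructed, not real scanner output.

```python
import json
import sys

# Constructed sample with only the fields this script touches; a real
# gl-container-scanning-report.json carries many more keys.
SAMPLE_REPORT = {
    "vulnerabilities": [
        {
            "id": "constructed-1",
            "name": "example finding",
            "location": {
                "image": "--input=ruby-3.1.tar:.tar",
                "operating_system": "alpine 3.15",
                "dependency": {"package": {"name": "libssl"}, "version": "0.0"},
            },
        }
    ],
}


def rewrite_image_locations(report, new_image):
    """Replace every location.image that holds a --input workaround value.

    Only entries that start with "--input=" are touched, so a report that
    was produced from a registry image is left unchanged. Returns the number
    of entries rewritten so the CI job can log it.
    """
    changed = 0
    for vuln in report.get("vulnerabilities", []):
        location = vuln.get("location") or {}
        if str(location.get("image", "")).startswith("--input="):
            location["image"] = new_image
            changed += 1
    return changed


def fix_report_file(path, new_image):
    """Rewrite the report in place and return the number of entries changed."""
    with open(path, encoding="utf-8") as fh:
        report = json.load(fh)
    changed = rewrite_image_locations(report, new_image)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(report, fh, indent=2)
    return changed


if __name__ == "__main__":
    # after_script usage (hypothetical script name):
    #   python3 fix_report.py gl-container-scanning-report.json ruby:3.1-alpine3.15
    print("rewrote", fix_report_file(sys.argv[1], sys.argv[2]), "entries")
```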