Add support for scanning images hosted on remote registries when FIPS mode is enabled


Release notes

Problem to solve

If FIPS mode is enabled, it's not possible to scan images that are hosted on a remote registry. The following are the reasons why we removed this capability in FIPS mode.

  • When authenticating to the remote registry, the authentication could occur against an insecure registry, which would break FIPS compliance.
  • Remote registries that use TLS could still negotiate a cipher that is not FIPS approved.

The purpose of this issue is to bring feature parity between FIPS and non-FIPS container scanning.

Proposal

Investigate the requirements for enabling remote registry support. For example, container-scanning may need to authenticate only over TLS using FIPS-approved cipher suites. Once the requirements for authenticating to remote registries are established, container-scanning should enforce them.
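As an added example (not code from the container-scanning project), here is one way the "TLS only, FIPS-approved cipher suites" requirement in the proposal could be enforced on the registry client side in Go. The cipher-suite allowlist, the TLS 1.2 cap and the placeholder registry hostnames are this example's assumptions, not a project decision.

```go
package main

import (
	"crypto/tls"
	"errors"
	"net/http"
	"net/url"
)

// Allowlist of TLS 1.2 suites built only from FIPS-approved primitives
// (ECDHE, AES-GCM, SHA-2); ChaCha20 and the CBC/SHA-1 suites are left out.
var fipsCipherSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
}
var errInsecureRegistry = errors.New("registry must be reached over https in FIPS mode")

// ValidateRegistryURL rejects any endpoint that is not https, so credentials never go to a plaintext ("insecure") registry.
func ValidateRegistryURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" || u.Host == "" {
		return nil, errInsecureRegistry
	}
	return u, nil
}

// FIPSTLSConfig pins TLS 1.2 with the allowlist above and NIST curves. Go's
// CipherSuites field does not apply to TLS 1.3 (whose fixed suite set includes
// ChaCha20-Poly1305), so capping at 1.2 keeps the allowlist in force; that cap is this example's choice.
func FIPSTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		MaxVersion:       tls.VersionTLS12,
		CipherSuites:     fipsCipherSuites,
		CurvePreferences: []tls.CurveID{tls.CurveP256, tls.CurveP384},
	}
}

// NewFIPSRegistryClient returns an http.Client that only talks to a validated https registry; certificate verification stays on.
func NewFIPSRegistryClient(registry string) (*http.Client, error) {
	if _, err := ValidateRegistryURL(registry); err != nil {
		return nil, err
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: FIPSTLSConfig()}}, nil
}
```

A production build would additionally rely on a FIPS-validated crypto module (for example a boringcrypto-based toolchain) so that the primitives themselves, not just the negotiated suites, are validated.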

Intended users

Feature Usage Metrics
