Revisit how we execute container scanning on Composition Analysis analyzers
Problem to solve
Because we currently run Container Scanning (CS) in CI pipelines during development, and because of how those pipelines are configured, we actually scan temporary images that are later retagged when we release them. As a result, the Container Scanning reports for multiple Major releases collide.
Our current biggest issue is to improve vulnerability management as part of our FedRAMP process, and we don't really leverage the CS scans in the MR review process.
Proposal
- Remove CS scans from the default pipelines that run when pushing changes to the repository
- Add a specific scheduled pipeline to scan the production images with their release MAJOR tag
Prior to making this change globally, we should verify the impact on the reported location of these findings and whether it duplicates all the existing vulnerabilities (marking the old ones as no longer detected and creating new ones). If that happens, we may also need to revisit the links to existing issues.
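As an added illustration of the proposal (example configuration, not something from this issue or the project's own pipeline definition), the fragment below restricts the Container Scanning job to a scheduled pipeline and points it at the released image by its MAJOR tag. It assumes a variable named `RELEASE_MAJOR` defined on each pipeline schedule (one schedule per supported major release) and an image published under `$CI_REGISTRY_IMAGE`; both names are assumptions to adapt to the real project. The `CS_DEFAULT_BRANCH_IMAGE` setting is included because it is the knob that keeps the reported location stable across tags, which is exactly the duplication concern raised above; check it against the GitLab docs for the installed version before relying on it.

```yaml
# Added example: scan released images from a scheduled pipeline only.
# Assumed names (adapt to the project): RELEASE_MAJOR is set per schedule,
# and the released image lives at $CI_REGISTRY_IMAGE:<major>.
include:
  - template: Jobs/Container-Scanning.gitlab-ci.yml

container_scanning:
  variables:
    # Scan the released image, not the temporary image built in MR pipelines,
    # so reports for different majors no longer collide.
    CS_IMAGE: "$CI_REGISTRY_IMAGE:$RELEASE_MAJOR"
    # Assumption to verify for the installed GitLab version: pinning the
    # default-branch image keeps the finding location stable across tags,
    # which is what avoids marking old findings resolved and re-creating them.
    CS_DEFAULT_BRANCH_IMAGE: "$CI_REGISTRY_IMAGE:$RELEASE_MAJOR"
  rules:
    # Run only from a schedule that sets RELEASE_MAJOR; pushes and MR
    # pipelines no longer trigger CS at all.
    - if: '$CI_PIPELINE_SOURCE == "schedule" && $RELEASE_MAJOR'
```

With this in place, each major release gets its own schedule (for example `RELEASE_MAJOR=4`, `RELEASE_MAJOR=5`), and the vulnerability report for a given major is only ever produced from the image actually shipped under that tag. Before rolling it out globally, run one schedule against a single major and compare the resulting report's locations with the existing findings, as the issue suggests, to confirm whether they match or are created as duplicates.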