Trivy-k8s-wrapper should extract and save vulnerabilities in chained configmaps
Implementation Plan
Trivy-k8s-wrapper should be updated to:
- Receive as input flags the gitlab-agent namespace (required for creating the configmap in the right namespace) and the agent id (required to name the configmaps as ocs-<namespace>-<agent_id>-x, where x is the number of the configmap in the chain).
- Delete all HTTP related code and authentication.
- Extract the Trivy report. If the report is more than 100 MB it fails.
- Extract vulnerabilities from the Trivy report. Vulnerabilities are mapped to the structure that is required by the OCS module to send them to GitLab.
- Find a formula to chop vulnerabilities into smaller chunks. Each chunk should be less than 1 MB.
- For each chunk, use protobuf to store the message.
- Gzip the protobuf message.
- Base64 the gzipped message.
- Make sure that all configmaps from previous runs are gone: delete all configmaps in the gitlab-agent namespace that have the labels agent.gitlab.com/ocs-ns: <namespace> and agent.gitlab.com/scan: ocs.
- Create a configmap with binaryData containing the message. Required labels:
  - agent.gitlab.com/scan: ocs
  - agent.gitlab.com/ocs-next: <name_configmap>, where name_configmap is the next chained configmap.
  - agent.gitlab.com/trivy-version: <trivy_version>
  - agent.gitlab.com/ocs-ns: <namespace_that_was_scanned>
- Update Dockerfile.
- Create a list of exit codes. Each exit code will be a different reason for failing. This is required so that the OCS knows why the scanning pod failed. Document the exit codes.
- Update Readme.
- Release.
All configmaps have the labels agent.gitlab.com/scan: ocs and agent.gitlab.com/ocs-scan: <namespace>, where namespace is the namespace to scan.
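As an added illustration (not code from the trivy-k8s-wrapper project), this Go sketch chunks the mapped vulnerabilities by size, encodes each chunk (JSON standing in for protobuf, then gzip, then base64) and builds the chained, labelled configmap specs with the naming scheme above; the Vulnerability fields, the "report" binaryData key and the sample values are assumptions.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/base64"
	"encoding/json"
	"fmt"
)
// Vulnerability is a constructed stand-in for the OCS message type; JSON replaces protobuf here.
type Vulnerability struct{ ID, Severity, Package string }
// ConfigMapSpec carries what each chained configmap needs: its name, labels and binaryData.
type ConfigMapSpec struct{ Name string; Labels map[string]string; BinaryData map[string][]byte }
// ChunkVulns greedily fills chunks so each chunk's JSON array stays under maxBytes (2 bytes of brackets plus each element and its comma).
func ChunkVulns(vulns []Vulnerability, maxBytes int) ([][]Vulnerability, error) {
	chunks, cur, size := [][]Vulnerability{}, []Vulnerability{}, 2
	for _, v := range vulns {
		b, _ := json.Marshal(v) // a struct of plain strings always marshals
		if len(b)+2 > maxBytes { // a single entry that can never fit is a hard failure
			return nil, fmt.Errorf("vulnerability %s alone exceeds %d bytes", v.ID, maxBytes)
		}
		if len(cur) > 0 && size+len(b)+1 > maxBytes {
			chunks, cur, size = append(chunks, cur), []Vulnerability{}, 2
		}
		cur, size = append(cur, v), size+len(b)+1
	}
	return append(chunks, cur), nil
}
// BuildChain encodes each chunk (JSON -> gzip -> base64) into binaryData, names it ocs-<ns>-<agent_id>-<i>, applies the plan's labels and links it to the next one.
func BuildChain(ns, agentID, trivyVersion string, chunks [][]Vulnerability) ([]ConfigMapSpec, error) {
	name := func(i int) string { return fmt.Sprintf("ocs-%s-%s-%d", ns, agentID, i) }
	var cms []ConfigMapSpec
	for i, c := range chunks {
		raw, _ := json.Marshal(c)
		var gz bytes.Buffer
		w := gzip.NewWriter(&gz)
		w.Write(raw) // a bytes.Buffer never fails to grow; Close reports any flush error
		if err := w.Close(); err != nil {
			return nil, err
		}
		labels := map[string]string{"agent.gitlab.com/scan": "ocs", "agent.gitlab.com/ocs-ns": ns, "agent.gitlab.com/trivy-version": trivyVersion}
		if i+1 < len(chunks) { // the last configmap in the chain carries no ocs-next
			labels["agent.gitlab.com/ocs-next"] = name(i + 1)
		}
		data := map[string][]byte{"report": []byte(base64.StdEncoding.EncodeToString(gz.Bytes()))}
		cms = append(cms, ConfigMapSpec{Name: name(i), Labels: labels, BinaryData: data})
	}
	return cms, nil
}
```

The wrapper would then delete the previous run's configmaps by label and create each spec in the gitlab-agent namespace through the Kubernetes API. Note that client-go's BinaryData field takes raw bytes and the API server base64-encodes them on the wire itself, so base64-encoding the gzip output first, as the plan calls for, means the stored manifest is double-encoded and the OCS reader must decode accordingly.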
Edited by Nick Ilieskou