
no security scanning for deactivated and/or removed packages


Is your feature request related to a problem? Please describe.
We used to maintain a Helm chart that is failing security scanning due to it being based on outdated images:

error scanning image quay.io/k8scsi/csi-attacher:v1.2.1: schema v1 manifest not supported by trivy (package huawei-csi-plugin:0.3.0)

We have deprecated and removed the chart from our repo, but the security scanner still sends mails complaining multiple times per day. We don’t plan on updating the chart, hence it being deprecated and removed.

Describe the solution you’d like
Deprecated and/or removed packages should not get security scanned, or they should not send mails.

Describe alternatives you’ve considered
An alternative solution would be to allow ignoring individual charts rather than just being able to deactivate security scanning on full repositories.

Additional context
The affected Helm chart is here on artifacthub. The affected huawei-csi-plugin chart was deprecated in https://github.com/adfinis-sygroup/helm-charts/pull/516 and removed in https://github.com/adfinis-sygroup/helm-charts/pull/616.

Issue Analytics

  • State: closed
  • Created: a year ago
  • Comments: 6

Top GitHub Comments

tegioz commented, Apr 12, 2022 (1 reaction)

No worries! You can also opt-out of the scanner notifications from the control panel, but it works at the repository level, not per package. We’ll think a bit about adding an additional way to disable security scanning for a given package, thanks.

Will close this issue for now, please feel free to reopen it if needed.

hairmare commented, Apr 12, 2022 (0 reactions)

Updating it only in the index won’t be enough, you’d need to update both the chart’s tgz package and the index. We process the index to get a view of what’s available in the repo and, when we detect a chart that needs to be processed (new, updated, etc), we download the full package as there is some information in it that we need which is not available in the index.

Ah, thanks for the info, I’ll reinstate the chart so I can add the annotation and then remove it again as that seems like the most straightforward way to get rid of the trivy mails for now.

An option to deactivate security scanning on individual charts might still be of value though, reviving a chart to add an annotation just to delete it again seems a bit overkill.
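The point tegioz makes above, that the repository index alone is not enough and the packaged Chart.yaml inside the tgz has to agree with it, can be checked mechanically. The script below is an added example and not Artifact Hub's own code: it walks a constructed, already-parsed index.yaml, opens each constructed chart package, reads the top-level `deprecated` field from the packaged Chart.yaml, and decides per version whether a scanner should run, reporting a mismatch when the index and the package disagree (the situation that results from editing only the index). The chart names, versions, URLs, the `sample-chart` entry and the tiny flat-YAML reader (a stand-in for `yaml.safe_load` so the example needs no third-party package) are all assumptions made for the example.

```python
import io
import tarfile

# Constructed sample: the parsed form of a Helm repository index.yaml (what
# yaml.safe_load would return). Only the fields this example needs are present.
INDEX = {
    "apiVersion": "v1",
    "entries": {
        "huawei-csi-plugin": [
            {"name": "huawei-csi-plugin", "version": "0.3.0", "deprecated": True,
             "urls": ["huawei-csi-plugin-0.3.0.tgz"]},
            {"name": "huawei-csi-plugin", "version": "0.2.0",
             "urls": ["huawei-csi-plugin-0.2.0.tgz"]},
        ],
        # Hypothetical chart whose index entry was edited by hand without
        # repackaging the chart, so index and package disagree.
        "sample-chart": [
            {"name": "sample-chart", "version": "1.0.0", "deprecated": True,
             "urls": ["sample-chart-1.0.0.tgz"]},
        ],
    },
}


def parse_flat_yaml(text):
    """Minimal reader for top-level 'key: value' scalars in a Chart.yaml.

    Stand-in for yaml.safe_load; nested mappings and list items are skipped,
    which is enough to read the top-level 'deprecated' field.
    """
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if not line or line.startswith((" ", "-")):
            continue
        key, _, value = line.partition(":")
        value = value.strip().strip("\"'")
        if value.lower() in ("true", "false"):
            value = value.lower() == "true"
        out[key.strip()] = value
    return out


def build_chart_tgz(chart_name, chart_yaml_text):
    """Build an in-memory chart package (<name>/Chart.yaml inside a .tgz)."""
    buf = io.BytesIO()
    data = chart_yaml_text.encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name=f"{chart_name}/Chart.yaml")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_packaged_chart_yaml(tgz_bytes):
    """Return the parsed top-level Chart.yaml from a chart package."""
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if member.isfile() and len(parts) == 2 and parts[1] == "Chart.yaml":
                return parse_flat_yaml(tar.extractfile(member).read().decode())
    raise ValueError("no top-level Chart.yaml in package")


# Constructed packages keyed by the URL used in the index above.
PACKAGES = {
    "huawei-csi-plugin-0.3.0.tgz": build_chart_tgz(
        "huawei-csi-plugin",
        "apiVersion: v2\nname: huawei-csi-plugin\nversion: 0.3.0\ndeprecated: true\n"),
    "huawei-csi-plugin-0.2.0.tgz": build_chart_tgz(
        "huawei-csi-plugin",
        "apiVersion: v2\nname: huawei-csi-plugin\nversion: 0.2.0\n"),
    "sample-chart-1.0.0.tgz": build_chart_tgz(
        "sample-chart",
        "apiVersion: v2\nname: sample-chart\nversion: 1.0.0\n"),
}


def scan_decisions(index, packages):
    """Decide per chart version whether the scanner should run.

    A version is skipped only when index and packaged Chart.yaml both say
    'deprecated: true'; any disagreement is surfaced as a mismatch rather
    than silently trusting one side.
    """
    decisions = []
    for versions in index["entries"].values():
        for entry in versions:
            chart = read_packaged_chart_yaml(packages[entry["urls"][0]])
            index_deprecated = bool(entry.get("deprecated", False))
            package_deprecated = bool(chart.get("deprecated", False))
            if index_deprecated != package_deprecated:
                action = "mismatch"
            elif package_deprecated:
                action = "skip-scan"
            else:
                action = "scan"
            decisions.append({"name": entry["name"], "version": entry["version"],
                              "index_deprecated": index_deprecated,
                              "package_deprecated": package_deprecated,
                              "action": action})
    return decisions


if __name__ == "__main__":
    for d in scan_decisions(INDEX, PACKAGES):
        print(f"{d['name']} {d['version']}: {d['action']}")
```

Run as-is it reports `huawei-csi-plugin 0.3.0` as skipped, `0.2.0` as still scanned, and `sample-chart 1.0.0` as a mismatch; in a real pipeline the index would be loaded with `yaml.safe_load` and the packages fetched from the URLs in each entry.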
