Investigate local Aqua scanning #144
Labels
question
Further information is requested
Comments
|
Some implementation hints: // buildahPush pushes a local image to the given imageName.
func buildahOCIArchive(opts options, workingDir, imageName string) ([]byte, []byte, error) {
return command.Run("buildah", []string{
fmt.Sprintf("--storage-driver=%s", opts.storageDriver),
"push",
imageName, fmt.Sprintf("oci-archive:/%s:%s", filepath.Join(workingDir, "image.tar"), imageName),
})
}
// aquaImport runs an Aqua scan on given imageRef.
func aquaImport(opts options, workingDir, jsonReportFile string) ([]byte, []byte, error) {
return command.Run(aquasecBin, []string{
"import",
fmt.Sprintf("--user=%s", opts.aquaUsername),
fmt.Sprintf("--password=%s", opts.aquaPassword),
fmt.Sprintf("--host=%s", opts.aquaURL),
jsonReportFile,
"-w", "/tmp",
})
} |
|
Closing in favour of opendevstack/ods-pipeline-image#3. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Since we use Buildah, it would be possible to scan the OCI archive with Aqua before pushing to the registry. We need to research what the benefits and drawbacks are compared to the push-first approach.
The text was updated successfully, but these errors were encountered: