# image_scan Trait

If defined, OCI images declared as resources in the current component's Component Descriptor are scanned using the configured scanning tools (see attributes documentation).

> **Note:** Unless mentioned otherwise, all OCI layers will be scanned. This means that files that are "logically" removed by a later layer will be included in scans. In case a file is overwritten with different contents, all variants are subject to being scanned.
## Attributes

| name | required? | default | type | explanation |
|---|---|---|---|---|
| matching_config | no | `[]` | list | a list of configs to use for matching |
| notify | no | | Notify | whom to notify about found issues |
| issue_policies | no | `max_processing_time_days: {blocker: 0, high: 30, low: 120, medium: 90, very_high_or_greater: 30}` | IssuePolicies | defines issue policies (e.g. SLAs for maximum processing times) |
| overwrite_github_issues_tgt_repository_url | no | None | str | if set, and `notify` is set to `github_issues`, overwrite the target GitHub repository |
| github_issue_templates | no | None | list | use to configure custom GitHub issue templates (sub-attributes: `summary` (contains name, version, etc. in a table), `component_name`, `component_version`, `resource_name`, `resource_version`, `resource_type`, `greatest_cve`, `report_url`, `delivery_dashboard_url`) |
| github_issue_labels_to_preserve | no | None | list | optional list of regexes for labels that will never be removed upon ticket update |
| email_recipients | no | `[]` | List[str] | optional list of email recipients to be notified about critical scan results |
| clam_av | no | None | ClamAVScanCfg | if present, perform ClamAV scanning |
| os_id | no | None | OsIdScan | if present, identify the operating system |
| trait_depends | no | `()` | List[str] | if present, generated build steps depend on those generated from the specified traits |
### notify Enumeration Values

- `email_recipients`
- `nobody`
- `component_owners`
- `github_issues`
### clam_av (ClamAVScanCfg) Attributes

| name | required? | default | type | explanation |
|---|---|---|---|---|
| clamav_cfg_name | yes | None | str | ClamAV cfg name to use (see cc-config) |
| parallel_jobs | no | 8 | int | the (maximum) number of parallel workers |
| virus_db_max_age_days | no | 0 | int | the maximum age difference (in days) the virus definition database of ClamAV may have when compared to the most current database before rescans are triggered |
| rescore | no | `()` | list | rescoring hints (e.g. to mark false positives / accept certain scan abortions) |
| timeout | no | 18h | str | Go-style time interval (e.g. `1h30m`) after which the image-scan step will be interrupted and fail |
| aws_cfg_name | no | | str | aws-cfg used to retrieve resources of access type `s3`. If not specified, the default cfg-set aws-cfg is used. |
### os_id (OsIdScan) Attributes

| name | required? | default | type | explanation |
|---|---|---|---|---|
| parallel_jobs | no | 8 | int | number of parallel jobs to run |
| timeout | no | 2h | str | Go-style time interval (e.g. `1h30m`) after which the image-scan step will be interrupted and fail |
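As an added example (not part of the original documentation), a complete `image_scan` trait declaration that combines the attributes above; the surrounding job context, the cfg name and the ticket repository URL are placeholders:

```yaml
# Added example: an image_scan trait as it could appear under a job's
# `traits:` block in a pipeline definition. The cfg name and repository
# URL are placeholders, not values from the documentation.
image_scan:
  notify: github_issues
  # Placeholder: route scan tickets to a dedicated repository instead of
  # the component's own one.
  overwrite_github_issues_tgt_repository_url: https://github.com/example-org/security-tickets
  # Regexes for labels that an automated ticket update must never strip,
  # e.g. labels maintained by the team doing triage.
  github_issue_labels_to_preserve:
    - '^triage/.*'
    - '^owner/.*'
  # SLAs (in days) per severity; these are the documented defaults.
  issue_policies:
    max_processing_time_days:
      blocker: 0
      very_high_or_greater: 30
      high: 30
      medium: 90
      low: 120
  clam_av:
    clamav_cfg_name: clamav-default   # placeholder cfg name (see cc-config)
    parallel_jobs: 8
    # Tolerated age difference (days) between the signature database used
    # and the most current one before a rescan is triggered; 0 is the default.
    virus_db_max_age_days: 0
    timeout: 18h
  os_id:
    parallel_jobs: 8
    timeout: 2h
```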
## Dependencies

This trait requires the following traits to be declared: