Assorted scanning improvements #3404

Open
PE39806 wants to merge 2 commits into main from bugfix/resolve-scanning-issues

PE39806 (Collaborator) commented Mar 30, 2026

  • Add mongo transactions to all scans
  • Add scan inProgress check (to prevent DoS from same scan being re-requested, and fix a race condition)
  • Poll existence of registry tags when trying to scan (as the registry may trigger the event webhook before the tag is yet pullable)

github-actions bot added the labels bug, javascript, tests, backend on Mar 30, 2026
return result.headers
}

export async function waitForImageTagManifest(
Review comment (Member):

If the issue is the tag not resolving, could we scan based on the digest hash?

// cover an edge case where scans are allowed with no delay (from config) causing a race condition
const existingScanInProgress = await ScanModel.findOne({ ...scanIdentifier, state: ArtefactScanState.InProgress })
if (existingScanInProgress) {
throw InternalError('Cannot rescan an artefact while an existing scan is in progress', {
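
Review bot: The `findOne` lookup for `existingScanInProgress` is a read followed by a separate decision, so the race the code comment describes is only closed if the write that moves the scan to `ArtefactScanState.InProgress` happens atomically with this check. If that write is not in the same transaction as the lookup, two requests arriving together can both find no in-progress scan and both continue. Consider claiming the scan in a single conditional update on `scanIdentifier`, or backing the check with a unique index over the in-progress state, so the second request fails at the database rather than relying on this lookup.
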
Review comment (Member):

A 500 response is normally for unexpected actions, but in this case, this is expected behaviour. I wonder if a 409 Conflict is better? Happy to debate this one, though.
