[Scan][Auth] It doesn't block scanning when using incorrect credential

[williamshen9999]

Steps:

• The steps are similar to https://github.com/neuvector/security-ui-exts/discussions/319
• The main difference is, this time, I use wrong user/pw pair (ex: username is nvlab, and pw is "xxxooo1234" which is wrong pw)
• And the created registry is associated with that cert "wrong-pw"

root@sbomscanner-ui-1028:~# k get registry use-wrong-pw  -o yaml
apiVersion: sbomscanner.kubewarden.io/v1alpha1
kind: Registry
metadata:
  creationTimestamp: "2025-10-30T16:38:46Z"
  generation: 1
  name: use-wrong-pw
  namespace: default
  resourceVersion: "722280"
  uid: 87b40c2e-a52c-4ee6-a048-866012cd0874
spec:
  authSecret: wrong-pw
  catalogType: OCIDistribution
  repositories:
  - nvpublic/controller
  uri: docker.io

• Start scan
• It does NOT show any error message and it will keep going the scan process...

root@sbomscanner-ui-1028:~# k get scanjob use-wrong-pwlkdqh -o yaml
apiVersion: sbomscanner.kubewarden.io/v1alpha1
kind: ScanJob
metadata:
  annotations:
    sbomscanner.kubewarden.io/creation-timestamp: "2025-10-30T16:39:09.693160766Z"
    sbomscanner.kubewarden.io/registry: '{"kind":"Registry","apiVersion":"sbomscanner.kubewarden.io/v1alpha1","metadata":{"name":"use-wrong-pw","namespace":"default","uid":"87b40c2e-a52c-4ee6-a048-866012cd0874","resourceVersion":"722280","generation":1,"creationTimestamp":"2025-10-30T16:38:46Z"},"spec":{"uri":"docker.io","catalogType":"OCIDistribution","repositories":["nvpublic/controller"],"authSecret":"wrong-pw"},"status":{}}'
  creationTimestamp: "2025-10-30T16:39:09Z"
  generateName: use-wrong-pw
  generation: 1
  name: use-wrong-pwlkdqh
  namespace: default
  ownerReferences:
  - apiVersion: sbomscanner.kubewarden.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: Registry
    name: use-wrong-pw
    uid: 87b40c2e-a52c-4ee6-a048-866012cd0874
  resourceVersion: "726456"
  uid: 18346f5c-bb76-4f40-a5a9-cb28fc5c3afc
spec:
  registry: use-wrong-pw
status:
  completionTime: "2025-10-30T16:58:21Z"
  conditions:
  - lastTransitionTime: "2025-10-30T16:39:09Z"
    message: ScanJob completed successfully
    observedGeneration: 1
    reason: Complete
    status: "False"
    type: Scheduled
  - lastTransitionTime: "2025-10-30T16:44:24Z"
    message: ScanJob completed successfully
    observedGeneration: 1
    reason: Complete
    status: "False"
    type: InProgress
  - lastTransitionTime: "2025-10-30T16:44:24Z"
    message: All images scanned successfully
    observedGeneration: 1
    reason: AllImagesScanned
    status: "True"
    type: Complete
  - lastTransitionTime: "2025-10-30T16:39:09Z"
    message: ScanJob completed successfully
    observedGeneration: 1
    reason: Complete
    status: "False"
    type: Failed
  imagesCount: 1
  scannedImagesCount: 1
  startTime: "2025-10-30T16:39:10Z"

Expected behavior:
It should show error message and block the scanning when using incorrect cert.

[flavio]

The registry you're using is a public one. All the registry libraries use authentication only when it's actually needed. In this case, your wrong credentials are never used.

You should repeat the test using a registry that has authentication turned on.

Also, the title of this discussion is "It doesn't block scanning when using incorrect cert" but it's wrong. This is about the credentials (username/password) used to authenticate. TLS certificates are nowhere involved.

[williamshen9999]

Hi @flavio ,
I've changed the title, thanks.
Btw, I'll add more results for this discussions, thanks.

[williamshen9999]

Hi @xingzhang-suse ,

I think we can NOT directly use the Registry Secret created by Storage/Secrets page for testing scan. You could refer to my steps.

After creating Registry Secret created by Storage/Secrets page, it will show in backend like:
root@sbomscanner-ui-1106-rke2:~# k get secret correct-credential-dockerio -o yaml
apiVersion: v1 data: .dockerconfigjson: ${token}

If we decode that ${token} and we will find its format is like:
root@sbomscanner-ui-1106-rke2:~# echo ${token} | base64 -d
{"auths":{"index.docker.io/v1/":{"username":"${user}","password":"${pw}"}}}

However, according to https://github.com/kubewarden/sbomscanner/blob/main/docs/user-guide/private-registries.md ,
The ${token}'s format should be like below. ( and ${auth_value} is the value of "echo ${user}:${pw} | base64 -w 0":
{ "auths": { "https://index.docker.io/v1/": { "auth": "${auth_value}" } } }

So, if I use the format of registry secret created by Storage/Secrets page and do the scan testing below.

• Public repo with correct credential: Finished
• Public repo with incorrect credential: Finished
• Private repo with correct credential: Failed (Error: authentication required...)
• Private repo with incorrect credential: Failed (Error: authentication required...)

I can say that the above result doesn't recognize the secret so it's like scanning without secret...

And, if I manually create the format of registry secret (followed by the backend's doc above) and do the scan testing below.

• Public repo with correct credential: Finished
• Public repo with incorrect credential: Failed (Error: 401 unauthorized...)
• Private repo with correct credential: Finished
• Private repo with incorrect credential: Failed (Error: 401 unauthorized...)

The above result makes sense. (It can recognize the secret and scan with the secret)

Could you kindly check and let me know? Thanks.

Hi @flavio,
Please also help to correct if I'm wrong. Thanks.

[flavio]

The problem is with the contents of the secret created by the UI index.docker.io/v1/ instead of https://index.docker.io/v1/.

For some reason which baffles me, Docker HUB wants to be addressed with the https:// prefix. Other registries do not require that AFAIK

[williamshen9999]

Hi @xingzhang-suse ,
Could you help to check if which rough version of UI will fix this bug? Thanks...
cc: @selvamt94