feat(registry-scanner): ovveride platform scanning logic (#1496)

Author: fedemengo

charts/registry-scanner/Chart.yaml

@@ -4,7 +4,7 @@ description: Sysdig Registry Scanner
 type: application
 home: https://www.sysdig.com/
 icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
-version: 1.1.25
-appVersion: 0.2.60
+version: 1.1.26
+appVersion: 0.2.61
 maintainers:
   - name: sysdiglabs

charts/registry-scanner/README.md

@@ -93,6 +93,7 @@ The following table lists the configurable parameters of the Sysdig Registry Sca
 | config.scan.jobs.resources.requests.cpu          | The CPU request for the scanner job.                                                                                                                                                                                                       | <code>500m</code>                            |
 | config.scan.jobs.resources.limits.memory         | The memory limit for the scanner job.                                                                                                                                                                                                      | <code>2Gi</code>                             |
 | config.scan.jobs.temporaryVolumeSizeLimit        | The size limit for the emptyDir volume used by the scanner job.<br/> This volume is used to store both the vulnerability database and the image to scan.                                                                                   | <code>2Gi</code>                             |
+| config.scan.disablePlatformScanning              | Force the scan to happen on the client component rather than relying on backend scanning                                                                                                                                                   | <code>false</code>                           |
 | config.parallelGoRoutines                        | Number of goroutines running in parallel in metadata phase for ECR Org setup.                                                                                                                                                              | <code>100</code>                             |
 | ssl.ca.certs                                     | For outbound connections. <br/>List of PEM-encoded x509 certificate authority.                                                                                                                                                             | <code>[]</code>                              |
 | customLabels                                     | The additional labels to add to CronJob and Scanning Jobs. The custom labels to be added to kubernetes manifests of all the resources created.                                                                                             | <code>{}</code>                              |
@@ -129,7 +130,7 @@ Use the following command to deploy:
 helm upgrade --install registry-scanner \
    --namespace sysdig-agent \
    --create-namespace \
-   --version=1.1.25  \
+   --version=1.1.26 \
    --set config.secureBaseURL=<SYSDIG_SECURE_URL> \
    --set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
    --set config.secureSkipTLS=true \

charts/registry-scanner/README.tpl

@@ -62,7 +62,7 @@ Use the following command to deploy:
 helm upgrade --install registry-scanner \
    --namespace sysdig-agent \
    --create-namespace \
-   {{ with .Chart.Version }}--version={{.}} {{ end }} \
+   {{ with .Chart.Version }}--version={{.}}{{ end }} \
    --set config.secureBaseURL=<SYSDIG_SECURE_URL> \
    --set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
    --set config.secureSkipTLS=true \

charts/registry-scanner/templates/_job.tpl

@@ -128,6 +128,8 @@
           - name: REGISTRYSCANNER_PROFILING_ENABLED
             value: /profiling
           {{- end }}
+          - name: REGISTRYSCANNER_CRONJOB_SCHEDULE
+            value: {{ .Values.cronjob.schedule | quote }}
           {{- if .Values.extraEnvVars }}
           {{- toYaml .Values.extraEnvVars | nindent 10 }}
           {{- end }}

charts/registry-scanner/templates/configmap.yaml

@@ -54,6 +54,7 @@ data:
       k8sInCluster: true
       namespace: {{ .Release.Namespace }}
       workers: {{ .Values.config.maxWorkers }}
+      disablePlatformScanning: {{ default false .Values.config.scan.disablePlatformScanning }}
       jobs:
         ttlSecondsAfterFinished: {{ .Values.config.scan.jobs.ttlSecondsAfterFinished }}
         serviceAccountName: {{ include "registry-scanner.serviceAccountName" . }}

charts/registry-scanner/tests/configmap_test.yaml

@@ -139,3 +139,17 @@ tests:
       - matchRegex:
           path: data['config.yaml']
           pattern: allowListMemberAccountIDs:\n\s*- 123456789
+  - it: platform scanning is not disable by default
+    asserts:
+      - matchRegex:
+          path: data['config.yaml']
+          pattern: scan:((.|\n)*)disablePlatformScanning:\s*false
+  - it: force scanning on the client component regardless of backend config
+    set:
+      config:
+        scan:
+          disablePlatformScanning: "true"
+    asserts:
+      - matchRegex:
+          path: data['config.yaml']
+          pattern: scan:((.|\n)*)disablePlatformScanning:\s*true

charts/registry-scanner/values.yaml

@@ -105,6 +105,8 @@ config:
       # The size limit for the emptyDir volume used by the scanner job.<br/>
       # This volume is used to store both the vulnerability database and the image to scan.
       temporaryVolumeSizeLimit: 2Gi
+    # Force the scan to happen on the client component rather than relying on backend scanning
+    disablePlatformScanning: false
   # Number of goroutines running in parallel in metadata phase for ECR Org setup.
   parallelGoRoutines: 100
 ssl: