Map anchore policy evaluation into "vulnerabilities" to allow showing policy violations in Harbor UI #19
Comments
@zhill when do you plan to start making this feature?
Q1 of 2020. I'd like to shoot for completion by end of January, but will depend on available cycles. One thing I'm trying to do first is get a full Golang anchore client to use in both this project and the admission controller before I do much more API work.
@zhill did you start working on this?
@zhill any update on this?
I have not started working on it but it is still something that I want to see in the adapter. I haven't been able to get time to work on this myself, so if you want to build it I'm happy to review a PR, or @markyjackson-taulia may be able to get to it in the near future as well.
We'll need to have a discussion on how we'll do the mapping because I think this will be a common pattern for us: mapping an Anchore policy evaluation output into a fake vulnerability entry, so I'd like to have it be consistent across integrations if at all possible.
Do you know if Harbor plans to add an interface for "vulnerability-policy-services" in the future? In the long term that would probably make more sense than a mapping inside the adapter. Not sure if a feature request already exists for this at goharbor/harbor (a quick search did not return any results).
Since Harbor does not yet support more general policy evaluation, the adapter can map an Anchore policy evaluation into a set of virtual vulnerabilities.
Thus, Harbor admins could block images from being pulled by setting the vulnerability policy in Harbor to block on "Critical" vulnerabilities, which could, for example, map to "stop" actions in the Anchore policy evaluation result.
This requires:
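The mapping proposed in the issue description, written in Go as an added example; it is not part of the original issue or the adapter's code. Only "stop" to "Critical" comes from the issue text; the `Finding` and `VirtualVuln` types, the `POLICY-` ID scheme, the "warn" to "Medium" mapping and the handling of unrecognized actions are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding and VirtualVuln are hypothetical shapes, not real API types.
type Finding struct{ Gate, Trigger, Action, Message string }
type VirtualVuln struct{ ID, Severity, Description string }

// rank orders the severity labels assumed for this example.
var rank = map[string]int{"Unknown": 0, "Medium": 1, "Critical": 2}

// MapFindings turns policy findings into virtual vulnerabilities.
// "stop" -> "Critical" follows the issue text; the rest is assumed.
func MapFindings(findings []Finding) []VirtualVuln {
	out := []VirtualVuln{}
	for _, f := range findings {
		sev := "Unknown" // unrecognized actions stay visible instead of being dropped
		switch strings.ToLower(strings.TrimSpace(f.Action)) {
		case "go":
			continue // passing checks produce no entry
		case "stop":
			sev = "Critical"
		case "warn":
			sev = "Medium"
		}
		id := strings.ToUpper("POLICY-" + f.Gate + "-" + f.Trigger)
		out = append(out, VirtualVuln{ID: id, Severity: sev, Description: f.Message})
	}
	return out
}

// Blocked reports whether any entry meets the registry's severity threshold.
func Blocked(vulns []VirtualVuln, threshold string) bool {
	for _, v := range vulns {
		if rank[v.Severity] >= rank[threshold] {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample findings, not real scanner output.
	v := MapFindings([]Finding{{"dockerfile", "exposed_ports", "warn", "port 22"}, {"vulnerabilities", "package", "stop", "vulnerable pkg"}})
	fmt.Println(v, Blocked(v, "Critical"))
}
```

A threshold label missing from `rank` resolves to 0, so `Blocked` fails closed on any reported entry.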