ROX-27689: provide example for non-delegated roxctl image scan #87112
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@RTann: This pull request references ROX-27689 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
added
the
size/M
RTann
force-pushed
the
ross-roxctl-update
branch
from
8f38296 to
eba9dba
Compare
RTann
force-pushed
the
ross-roxctl-update
branch
from
eba9dba to
3d45f5a
Compare
|
🤖 Wed Jan 15 22:38:52 - Prow CI generated the docs preview: |
|
@RTann: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
| @@ -9,6 +9,58 @@ toc::[] | |||
| [role="_abstract"] | |||
| You can scan images stored in image registries, including cluster local registries such as the {ocp} integrated image registry by using the `roxctl` CLI. | |||
|
|
|||
| [id="scanning-images-by-using-a-remote-cluster_{context}"] | |||
| == Scanning images by using the Central cluster | |||
There was a problem hiding this comment.
Not sure how to best message this, but IF the delegated scanning config has an entry matching the image being scanned, it will be sent to a secured cluster / not scanned by Central.
| <reference> may be: | ||
| * blank | ||
| * a tag preceded by a colon, for example, `:latest` | ||
| * a digest preceded by an at sign, for example, `@sha256:710ecc84318c54c9d1e08fe89d03e74cc09350909e5b12e5d07ac6941fd02b27` |
There was a problem hiding this comment.
Would adding the actual characters render correctly / be more clear here? For example:
| * a digest preceded by an at sign, for example, `@sha256:710ecc84318c54c9d1e08fe89d03e74cc09350909e5b12e5d07ac6941fd02b27` | |
| * a digest preceded by '@', for example, `@sha256:710ecc84318c54c9d1e08fe89d03e74cc09350909e5b12e5d07ac6941fd02b27` |
Or perhaps stating that the reference must be valid per... (and link the spec?)
There was a problem hiding this comment.
I think we should shorten the SHA id for security reasons?
There was a problem hiding this comment.
FWIW - the SHAs (digests) are not secrets in the image context, from a risk perspective it's generally recommended to reference images by digest instead of the tags because tags change, digests do not. Are other ways to address this 'tag change' risk, but a bit off-topic for this PR.
To be a valid sha256 the length has to be exactly 64 'hex' characters (each character represent 4 bits, for a total of 256 bits).
| @@ -9,6 +9,58 @@ toc::[] | |||
| [role="_abstract"] | |||
| You can scan images stored in image registries, including cluster local registries such as the {ocp} integrated image registry by using the `roxctl` CLI. | |||
|
|
|||
| [id="scanning-images-by-using-a-remote-cluster_{context}"] | |||
| == Scanning images by using the Central cluster | |||
There was a problem hiding this comment.
| == Scanning images by using the Central cluster | |
| == Scanning images by using StackRox Scanner or Scanner V4 installed in the Central cluster |
| [id="scanning-images-by-using-a-remote-cluster_{context}"] | ||
| == Scanning images by using the Central cluster | ||
|
|
||
| The following outlines the procedure for scanning images via the StackRox Scanner or Scanner V4 installed in the Central cluster. |
There was a problem hiding this comment.
| The following outlines the procedure for scanning images via the StackRox Scanner or Scanner V4 installed in the Central cluster. | |
| To scan the images, you can use StackRox Scanner or Scanner V4 installed in the Central cluster. |
|
|
||
| .Procedure | ||
|
|
||
| * Run the following command to scan the specified image: |
There was a problem hiding this comment.
| * Run the following command to scan the specified image: | |
| * To scan the specified image, run the following command: |
There was a problem hiding this comment.
|
|
||
| * Run the following command to scan the specified image: | ||
| + | ||
| [source,terminal,subs="+quotes"] |
There was a problem hiding this comment.
| [source,terminal,subs="+quotes"] | |
| [source,terminal] |
| $ roxctl image scan \ | ||
| --image=_<image_registry>_/_<image_name>_[_<reference>_] \// <1> | ||
| [flags] <2> |
There was a problem hiding this comment.
| $ roxctl image scan \ | |
| --image=_<image_registry>_/_<image_name>_[_<reference>_] \// <1> | |
| [flags] <2> | |
| $ roxctl image scan \ | |
| --image=<image_registry>/<image_name>[reference] \// <1> | |
| [flags] <2> |
There was a problem hiding this comment.
| <1> For `<image_registry>`, specify the registry where the image is located, for example, `registry.redhat.io`. | ||
| For `<image_name>`, specify the name of the image you want to scan, for example, `default/image`. | ||
| <reference> may be: | ||
| * blank | ||
| * a tag preceded by a colon, for example, `:latest` | ||
| * a digest preceded by an at sign, for example, `@sha256:710ecc84318c54c9d1e08fe89d03e74cc09350909e5b12e5d07ac6941fd02b27` |
There was a problem hiding this comment.
| <1> For `<image_registry>`, specify the registry where the image is located, for example, `registry.redhat.io`. | |
| For `<image_name>`, specify the name of the image you want to scan, for example, `default/image`. | |
| <reference> may be: | |
| * blank | |
| * a tag preceded by a colon, for example, `:latest` | |
| * a digest preceded by an at sign, for example, `@sha256:710ecc84318c54c9d1e08fe89d03e74cc09350909e5b12e5d07ac6941fd02b27` | |
| <1> For `<image_registry>`, specify the registry where the image is located, for example, `registry.redhat.io`. | |
| + | |
| For `<image_name>`, specify the name of the image you want to scan, for example, `default/image`. | |
| + | |
| Optional: For `[reference]`, choose the appropriate method to specify the version or identifier of the image. | |
| + | |
| * To scan the default image, leave it blank. | |
| * To specify a tag, precede it with a colon (:). For example,`:latest`. | |
| * To specify a digest, precede it with an at sign (@). For example, `@sha256:710ecc84318xxxxxx`. |
| [source,text,subs=attributes+] | ||
| ---- | ||
| { | ||
| "Id": "sha256:3f439d7d71adb0a0c8e05257c091236ab00c6343bc44388d091450ff58664bf9", <1> |
There was a problem hiding this comment.
| "Id": "sha256:3f439d7d71adb0a0c8e05257c091236ab00c6343bc44388d091450ff58664bf9", <1> | |
| "Id": "sha256:3f439d7d71adb0axxxxxx", <1> |
| [source,text,subs=attributes+] | ||
| ---- | ||
| { | ||
| "Id": "sha256:3f439d7d71adb0a0c8e05257c091236ab00c6343bc44388d091450ff58664bf9", <1> |
There was a problem hiding this comment.
| "Id": "sha256:3f439d7d71adb0a0c8e05257c091236ab00c6343bc44388d091450ff58664bf9", <1> | |
| "Id": "sha256:3f439d7d71adb0axxxxxx", <1> |
| [source,text,subs=attributes+] | ||
| ---- | ||
| { | ||
| "Id": "sha256:3f439d7d71adb0a0c8e05257c091236ab00c6343bc44388d091450ff58664bf9", <1> |
| ---- | ||
| + | ||
| -- | ||
| <1> A unique identifier for the image that serves as a fingerprint for the image. It helps ensure the integrity and authenticity of the image. |
There was a problem hiding this comment.
| <1> A unique identifier for the image that serves as a fingerprint for the image. It helps ensure the integrity and authenticity of the image. | |
| <1> A unique identifier for the image that serves as a fingerprint for the image. |
agantony
added
peer-review-done
|
Hi, was wondering if there are any updates on this? |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
openshift-ci
bot
added
the
lifecycle/stale
Version(s):
4.4+
Issue:
https://issues.redhat.com/browse/ROX-27689
Link to docs preview:
QE review:
Additional information: