This repository has been archived by the owner on Jan 27, 2023. It is now read-only.
Remote registry images are checked instead of local ones #1374
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
BUG REPORT
Version of Anchore Engine and Anchore CLI if applicable:
anchore/grype:latest(Docker image)What happened:
On our build sever we have multiple tags of each image, not all of which are pushed to the Docker Hub (which for some time have been admitting only new tags for unique, i.e. somehow altered images - and their tags admission logic is pretty much inscrutable, or simply buggy). For instance, the latest locally tag, 20220402, of an image is only present in my local server's docker cache, because the image has not changed (according to Docker Hub's logic) since 20220330 (and this tag is the latest remotely), and to my surprise
anchore/grypedoes not let me scan that latest locally image (only latest remotely is allowed for scanning).I can imagine what happens when people check generic
latesttags... which may refer to two different images - and the latest one available remotely can easily be much older and thus less secure (which can explain some of the false positives which people have reported here, with vulnerabilities patched only locally, but not remotely, because the push to the remote registry is not permitted due to this very scan failing (for... a remote image - a truly "catch 22" situation).What did you expect to happen:
To check a local image for vulnerabilities. This is the main reason of using CVE scanners - to avoid pushing to production (i.e. to a docker registry) an image that fails a security scan.
How to reproduce
You need to have some local image tag not yet available in the remote repo and scan it with
grype.In my case:
Other issues
Updating the DB before checking for the image existence seems to me also rather inefficient.
The text was updated successfully, but these errors were encountered: