fix(LINK-2046: stop using integrations for get registries #1705
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kendall-choy-lw
commented
Apr 25, 2025
| @@ -109,7 +109,7 @@ func userFriendlyErrorForOnDemandCtrVulnScan(err error, registry, repo, tag stri | |||
| "Could not find vulnerability integrations", | |||
| ) { | |||
|
|
|||
| registries, errReg := getContainerRegistries() | |||
| registries, errReg := getPlatformScannerIntegrationContainerRegistries() | |||
There was a problem hiding this comment.
Since this cli command is to trigger a platform on-demand scan, we do only want registry domains from integrations
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
The vulnerability container list-registries command is currently missing data. It relies on container registry integration data to get a list of scanned registries. However, proxy scanner and inline scanner integrations don't contain the registry domain, and we are only able to get this data by looking at the container assessment. We can use the container assessment API here to get a full list of scanned registries in the last 7 days
The vulnerability container list-assessments command is also missing data. It calls the container assessment API while filtering for registry domains coming from the integration information. This only include platform scans, and would also consistently hit the API 500,000 total row limitation. We can improve this by breaking up the API requests further by scanner type. Breaking it up into four separate requests by scanner type prevents us from missing non-platform scan assessments. However, we are still hitting the API row limitation.
How did you test this change?
Tested list-registries, list-assessments, and container scan commands with local built CLI
Issue
https://lacework.atlassian.net/browse/LINK-2046