Support for CRI-O · aquasecurity/trivy#3004

(3 comments) (0 reactions) (0 assignees)Go (35,000 stars) (371 forks)batch import

help wantedkind/featurepriority/backlog

Description

We are building an image-scanner K8s-operator, and all our clusters runs Openshift. Inspired by trivy-operator, which we cannot use for various reasons, we schedule scan jobs to scan container images currently in use by workloads in the cluster.

While the operator works, it could be optimized if trivy supported CRI-O, which is the CRI implementation that Openshift uses. This would allow us to scan the image pulled from the nodes image registry, by scheduling the scan job on the node that runs the pod in question.

Contributor guide

Tech stack: godockerkubernetes
Domain: backendinfrastructuresecurity
Issue type: feature
Difficulty: 4
Estimated time: 1-2 days
Activity status: fresh
Clarity: mostly clear
Prerequisites: Go programmingknowledge of container runtimesfamiliarity with Kubernetes
Newbie friendliness: 30
Research direction: Investigate how trivy currently interacts with container runtimes (e.g., Docker) and extend support to CRI O. Review related issues #1282 and #851 for previous discussions. Key files to modify may include image pulling and scanning logic in the Go codebase. The maintainer has not provided specific implementation guidance, so the contributor should explore the existing architecture and propose a design.