Weekly scanning of container images with CentOS Container Pipeline

Tuesday, 31 January 2017, by Dharmit Shah, filed under: announcement, builds

As part of the CentOS Container Pipeline project, we've been continually discussing, debating and working towards features that developers and sysadmins would like to have from a build pipeline. That is, besides just building container images upon a push to a git repository, what else would add value for devs and admins?

If you read the previous blog post about CentOS Container Image scanners, you already know that we have scanners based on atomic scan. These scanners scan the container image after the build and report the results to the user by email. If you're already using it, you might find the JSON content of the email a bit untidy. But rest assured, we're working on making it easier on the eye. 🙂

As with build pipelines similar to CentOS Container Pipeline, most container images are scanned only at build time. However, with CentOS Container Pipeline, we cannot afford such an architecture. Enterprises, academics, research institutes and various other large and small-scale projects that use CentOS as their base platform for servers and for developing containerized applications often have stringent security rules which require them to update to the latest versions of enterprise Linux packages. Besides security updates, new versions of packages often come bundled with new features!

So we figured it would be helpful for devs and admins to have a weekly update on the status of their container images. In the simplest terms, weekly image scans present exactly the same output to the user as a post-build scan does, but on a weekly basis instead of forgetting about the images once they are built. Weekly scans are part of our Scheduled Scans story, in which we want to offer users various time intervals at the end of which their container image gets scanned.

Based on the results of such a scheduled scan, a dev or an admin can decide whether their image needs to be upgraded or whether they are OK with its current state. So far, the only way you can do this is by running a container and checking the result of yum check-update.
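The manual check described above, as an added example that is not part of the CentOS Container Pipeline code: a small POSIX shell script that runs yum check-update inside a throwaway container for each image you name and turns the result into a one-line status. It assumes the docker CLI is available and that the image carries yum (as CentOS base images do); the exit-code meaning (0 nothing to update, 100 updates available, 1 error) is yum's documented behaviour. The sample yum output used for the offline demo is constructed, not captured from a real image.

```shell
#!/bin/sh
# Added example, not CentOS Container Pipeline code.
# Reproduces by hand what the weekly scan reports: "does this image have
# pending package updates?" Assumes the docker CLI and an image with yum.

# Map the exit status of `yum check-update` to a human-readable status.
# yum exits 100 when updates are available, 0 when there are none, 1 on error.
describe_status() {
  case "$1" in
    0)   echo "up to date" ;;
    100) echo "updates available" ;;
    *)   echo "check failed (exit $1)" ;;
  esac
}

# Count pending updates in `yum check-update` output. Every update line
# starts with "name.arch"; yum wraps long names so the version can land on
# the next line, so we count lines whose first field ends in an
# architecture rather than requiring three fields per line. Lines after the
# "Obsoleting Packages" heading and plugin chatter ("Security: ...") are
# not counted.
count_updates() {
  printf '%s\n' "$1" | awk '
    /^Obsoleting Packages/ { skip = 1 }
    skip { next }
    $1 ~ /\.(x86_64|i686|noarch|aarch64|ppc64le|s390x)$/ { n++ }
    END { print n + 0 }'
}

# Run the check inside a throwaway container of IMAGE and print a summary.
# `-q` suppresses yum's "Loaded plugins" header so only package lines remain.
check_image_updates() {
  image="$1"
  out=$(docker run --rm "$image" yum -q check-update 2>/dev/null)
  rc=$?
  if [ "$rc" -eq 100 ]; then
    echo "$image: $(count_updates "$out") update(s) pending"
  else
    echo "$image: $(describe_status "$rc")"
  fi
  return "$rc"
}

# Constructed sample of yum check-update output (not from a real image),
# including a wrapped long package name and an obsoletes section.
SAMPLE_OUTPUT='
openssl.x86_64        1:1.0.2k-8.el7      updates
bash.x86_64           4.2.46-29.el7_4     updates
centos-release.x86_64 7-4.1708.el7.centos.1 updates
python-some-very-long-package-name.noarch
                      1.2.3-4.el7         updates
Security: kernel-3.10.0-693.el7.x86_64 is an installed security update
Obsoleting Packages
foo.noarch            2-1.el7             updates
    bar.noarch        1-1.el7             @base
'

# With image names on the command line, check them for real; with none,
# run the offline demo against the constructed sample.
if [ "$#" -gt 0 ]; then
  for img in "$@"; do
    check_image_updates "$img"
  done
else
  echo "demo: $(count_updates "$SAMPLE_OUTPUT") update(s) in constructed sample"
fi
```

Run it as `sh check-updates.sh registry.centos.org/centos/centos:7` (or any image you built) to check real images; the container needs network access to the yum repositories for check-update to work. A non-zero exit status from check_image_updates is convenient when the script is dropped into a weekly cron job.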

To use this feature now, all you need to do is check out the first blog post on how to get started with CentOS Container Pipeline. Once you build images with CentOS Container Pipeline, those images are automatically scanned on a weekly basis and an email is sent to the user for each of his/her images.

If you would like to have a feature included in CentOS Container Pipeline, come talk to us on the IRC channel #centos-devel on the Freenode server. Alternatively, you can check out our GitHub repo and open an issue for discussion there. We are excited to hear about and understand the features that developers and sysadmins would find helpful!
