Replies: 3 comments
-
Would be cool to have that "long-term monitoring of existing images". But instead of re-running the full trivy process, it would be cool if it did not pull the image again and again. Just scan it for packages (all package managers) once, then store the list of installed packages in a "central trivy server" (let's call it "trivy report service") and have a cron job every day that simply pulls the latest vulnerability data and re-evaluates that "package list", without pulling all images every day. Only images tagged with "latest" should be pulled every time. Optionally, a user should be able to provide a "force-image-pull.list" to force pulling images where you expect that they are not immutable (are rebuilt).
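A sketch of the workflow proposed in the comment above, as an added example that is not part of the original thread and not Trivy's own code. `scan_image` is a hypothetical stand-in for pulling an image and extracting its package list; the image names, advisory ids and versions are constructed, and comparing dotted numeric versions is a simplification of real package version schemes.

```python
"""Re-evaluate stored package lists daily; pull only mutable images."""

def needs_pull(image, inventory, force_pull):
    # Pull when nothing is stored yet, the tag is (explicitly or
    # implicitly) "latest", or the image is on the force-pull list.
    last = image.rsplit("/", 1)[-1]  # ignore a ":port" in the registry host
    tag = last.rsplit(":", 1)[1] if ":" in last else "latest"
    return image not in inventory or tag == "latest" or image in force_pull

def parse_version(v):
    # Assumption: plain dotted numeric versions only.
    return tuple(int(part) for part in v.split("."))

def evaluate(packages, advisories):
    # Match the stored package list against the current advisory data.
    findings = []
    for name, installed in sorted(packages.items()):
        for adv in advisories.get(name, []):
            if parse_version(installed) < parse_version(adv["fixed"]):
                findings.append((name, installed, adv["id"]))
    return findings

def daily_run(images, inventory, force_pull, advisories, scan_image):
    # One cron cycle: refresh package lists only where required, then
    # re-evaluate every image from its stored list.
    pulled, report = [], {}
    for image in images:
        if needs_pull(image, inventory, force_pull):
            inventory[image] = scan_image(image)  # hypothetical pull + scan
            pulled.append(image)
        report[image] = evaluate(inventory[image], advisories)
    return pulled, report

# Constructed sample data.
IMAGES = ["registry.example/app:1.4.2", "registry.example/web:latest",
          "registry.example/base:stable"]
INVENTORY = {"registry.example/app:1.4.2": {"openssl": "1.1.1", "zlib": "1.2.11"},
             "registry.example/base:stable": {"busybox": "1.35.0"}}
FORCE_PULL = {"registry.example/base:stable"}  # contents of force-image-pull.list
ADVISORIES = {"openssl": [{"id": "EXAMPLE-0001", "fixed": "1.1.1"}],
              "zlib": [{"id": "EXAMPLE-0002", "fixed": "1.2.12"}]}

def fake_scan(image):
    return {"busybox": "1.36.0"}  # constructed package list

if __name__ == "__main__":
    pulled, report = daily_run(IMAGES, dict(INVENTORY), FORCE_PULL,
                               ADVISORIES, fake_scan)
    print("pulled:", pulled)
    for image, findings in report.items():
        print(image, findings)
```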
-
Also endpoints for "Docker Hub Webhook", "Github Webhooks", "Travis-CI Webhooks", etc. would be cool, to allow those services to trigger a vulnerability scan / to force a re-scan/re-pull of a changed image.
-
Other formats to export: #140
-
With the trivy docker installation option, do we have an efficient way of scanning all images in a registry at frequent intervals? Any suggestions on how to achieve this will be much appreciated.