Container Test Target Baseline Shared at account level
in progress
Mango Swallow
We have common base images that are used across all development teams. We want to be able to reference the container image pipeline that scanned and produced the base image in STO baselines across projects and orgs. As it stands now, we would need to scan the common base image an excessive amount, since each project needs to scan the common image.
Pritesh Chandaliya
in progress
Pritesh Chandaliya
Thanks Mike and Krishna for the clarification.
The requirements are as follows:
- Customer expects to see vulnerabilities coming from the base image vs. the app layer.
- Be able to write an OPA policy to block the deployment based only on the app-layer vulnerabilities and ignore the base image vulnerabilities.
- Be able to share the base image and its vulnerabilities at Account and Org scope, so that all the apps can be compared to the same base image, which will not require rescanning the same base image in each project.
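One way to realise the first two requirements above (attributing findings to the base image vs. the app layer, and blocking only on app-layer findings), as an added Python example that is not Harness or STO code: it assumes the scanner reports the layer digest that introduced each vulnerable package and that the base image's layers form an ordered prefix of the app image's layers; the `Finding` structure, digests and CVE ids are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str  # "LOW" | "MEDIUM" | "HIGH" | "CRITICAL"
    layer: str     # digest of the image layer that introduced the package (assumed field)


SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def base_layers(app_layers, base_image_layers):
    """Return the layer digests the app image inherited from its base image.

    In an OCI image the base image's layers are an ordered prefix of the app
    image's layer list; if they are not, the app was not built FROM this base
    and no finding can be attributed to it.
    """
    n = len(base_image_layers)
    if list(app_layers[:n]) != list(base_image_layers):
        raise ValueError("base image layers are not a prefix of the app image layers")
    return set(base_image_layers)


def split_findings(findings, app_layers, base_image_layers):
    """Partition findings into (inherited from base image, introduced by app layers)."""
    inherited = base_layers(app_layers, base_image_layers)
    base = [f for f in findings if f.layer in inherited]
    app = [f for f in findings if f.layer not in inherited]
    return base, app


def should_block(findings, app_layers, base_image_layers, threshold="HIGH"):
    """Block only when an app-layer finding is at or above `threshold`.

    Base-image findings are still reported by split_findings but never block,
    which is the policy behaviour the requirements describe.
    """
    _, app = split_findings(findings, app_layers, base_image_layers)
    floor = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK[f.severity] >= floor for f in app)


# Constructed sample data: digests and CVE ids are placeholders, not real values.
BASE_LAYERS = ["sha256:base-0", "sha256:base-1"]
APP_LAYERS = BASE_LAYERS + ["sha256:app-2", "sha256:app-3"]
FINDINGS = [
    Finding("CVE-0000-0001", "CRITICAL", "sha256:base-1"),  # inherited, must not block
    Finding("CVE-0000-0002", "MEDIUM", "sha256:app-2"),
    Finding("CVE-0000-0003", "HIGH", "sha256:app-3"),       # app layer, blocks at HIGH
]
```

Running `should_block(FINDINGS, APP_LAYERS, BASE_LAYERS)` returns True because of the app-layer HIGH finding, while the inherited CRITICAL one is ignored for the decision; a base image that is not actually a prefix of the app image raises ValueError instead of silently attributing nothing.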
Pritesh Chandaliya
I would like to understand more on this use case.
- Why are you scanning the base image in all the projects? What do you achieve with it?
- The baseline concept in STO can be found here - https://developer.harness.io/docs/security-testing-orchestration/use-sto/set-up-sto-pipelines/set-up-baselines/
But in short: for every target (any code repo, container image, or app) you scan, you can set a baseline for it as one of its variants (repo branch, image tag, timestamp). You cannot set one target (the base image) as the baseline for another target.
Let me know if you want to get on a call and I can gather requirements. Thanks!
Pritesh Chandaliya
under review