Operational Container Scanning: provide option to only scan active images
Proposal
Operational Container Scanning uses Trivy's k8s scanner to find vulnerabilities in the images referenced by Pods, ReplicaSets, ReplicationControllers, StatefulSets, CronJobs and Jobs in a Kubernetes cluster.
However, it does not differentiate between images used by active (running) pods and images referenced only by older revisions of Deployments and ReplicaSets that have no running pods.
By default, when a Deployment's configuration is modified and applied, Kubernetes retains the previous revisions (their ReplicaSets, scaled to zero replicas) so that the rollout can be rolled back. The images referenced by these old revisions are not necessarily assigned to any running pod and as such do not present a security risk. Yet OCS scans all of the referenced images, potentially records vulnerabilities against the inactive images, and fills the vulnerability reports with unwanted and distracting items that cannot simply be dismissed, since the older image may be rolled back to at some point.
The Trivy Operator has an OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS variable which can be enabled to scan only the latest revision of a Deployment. A similar option for OCS is being requested here.
This feature request arose from discussions in ZD internal link.
Possible Solution
At present the GitLab Agent invokes 'trivy k8s' with a preset list of workload types to scan: Pods, ReplicaSets, ReplicationControllers, StatefulSets, CronJobs and Jobs.
If this list of resource types were made configurable via the agent, a scan could be run against Pods only, which would pick up the images that are actively in use but exclude those referenced only by older revisions of Deployments and ReplicaSets.
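The following script is an added illustration of the scope difference described in the proposal and the possible solution above; it is not code from the GitLab Agent, OCS or Trivy. It uses constructed Pod and ReplicaSet objects (trimmed to the fields read here, in the shape of the core/v1 Pod and apps/v1 ReplicaSet API objects; the image names and registry are made up) and computes which images a full-workload scan would cover versus a Pods-only scan, so the "inactive only" set is exactly the set of images retained by rolled-over ReplicaSets with zero replicas.

```python
"""Constructed example: image scan scope for full-workload vs Pods-only scanning."""
from typing import Dict, List, Set

# Constructed cluster state. Only the fields used below are present.
# "web" has been rolled out three times: the current ReplicaSet (web-7c9d)
# runs 2 replicas; the two older revisions are kept at 0 replicas for rollback.
PODS: List[Dict] = [
    {
        "metadata": {"name": "web-7c9d-abc12", "namespace": "prod",
                     "ownerReferences": [{"kind": "ReplicaSet", "name": "web-7c9d"}]},
        "spec": {"containers": [{"image": "registry.example.com/web:2.1.0"}],
                 "initContainers": [{"image": "registry.example.com/migrate:2.1.0"}]},
        "status": {"phase": "Running"},
    },
    {
        "metadata": {"name": "batch-job-xyz", "namespace": "prod",
                     "ownerReferences": [{"kind": "Job", "name": "batch-job"}]},
        "spec": {"containers": [{"image": "registry.example.com/batch:1.0.0"}]},
        "status": {"phase": "Succeeded"},
    },
]

REPLICASETS: List[Dict] = [
    {"metadata": {"name": "web-7c9d", "namespace": "prod"},
     "spec": {"replicas": 2, "template": {"spec": {
         "containers": [{"image": "registry.example.com/web:2.1.0"}]}}}},
    {"metadata": {"name": "web-5b1a", "namespace": "prod"},
     "spec": {"replicas": 0, "template": {"spec": {
         "containers": [{"image": "registry.example.com/web:2.0.3"}]}}}},
    {"metadata": {"name": "web-3f00", "namespace": "prod"},
     "spec": {"replicas": 0, "template": {"spec": {
         "containers": [{"image": "registry.example.com/web:1.9.8"}]}}}},
]


def pod_spec_images(pod_spec: Dict) -> Set[str]:
    """All images in a pod spec: regular, init and ephemeral containers."""
    images: Set[str] = set()
    for key in ("containers", "initContainers", "ephemeralContainers"):
        for container in pod_spec.get(key, []):
            images.add(container["image"])
    return images


def images_in_pods(pods: List[Dict], running_only: bool = False) -> Set[str]:
    """Images a Pods-only scan would see; optionally restrict to Running pods."""
    images: Set[str] = set()
    for pod in pods:
        if running_only and pod.get("status", {}).get("phase") != "Running":
            continue
        images |= pod_spec_images(pod["spec"])
    return images


def images_in_replicasets(replicasets: List[Dict], active_only: bool = False) -> Set[str]:
    """Images referenced by ReplicaSet templates; active_only skips replicas == 0."""
    images: Set[str] = set()
    for rs in replicasets:
        if active_only and rs["spec"].get("replicas", 0) == 0:
            continue
        images |= pod_spec_images(rs["spec"]["template"]["spec"])
    return images


def stale_replicasets(replicasets: List[Dict]) -> List[str]:
    """Names of ReplicaSets scaled to zero, i.e. retained old Deployment revisions."""
    return [rs["metadata"]["name"] for rs in replicasets
            if rs["spec"].get("replicas", 0) == 0]


def scan_scope_report(pods: List[Dict], replicasets: List[Dict]) -> Dict[str, Set[str]]:
    """Compare the current full-workload scope with a Pods-only scope.

    'inactive_only' is what the full scan reports that no pod actually runs:
    the noise the proposal wants an option to leave out.
    """
    pods_scope = images_in_pods(pods)
    full_scope = pods_scope | images_in_replicasets(replicasets)
    return {
        "full_scope": full_scope,
        "pods_only": pods_scope,
        "inactive_only": full_scope - pods_scope,
    }


if __name__ == "__main__":
    report = scan_scope_report(PODS, REPLICASETS)
    for scope, images in report.items():
        print(f"{scope}: {sorted(images)}")
    print("stale ReplicaSets:", stale_replicasets(REPLICASETS))
```

On the constructed data the full scope contains five images, the Pods-only scope three, and the two web images from the zero-replica ReplicaSets are the ones a Pods-only scan would drop. Note that a Pods-only scan is scoped by what is running now: a CronJob whose last pod has been cleaned up, or a StatefulSet deliberately scaled to zero, would also fall out of scope, which is worth keeping in mind when choosing the configurable resource list.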