send skipTLSVerify and Insecure in image scanning command

[amirmalka]

Overview

This PR fixes kubescape/kubevuln#209

When scanning individual images the operator did not send the skipTLSVerify and http attributes (for insecure registries). These attributes are supported in the registry scan secret
(see https://kubescape.io/docs/operator/vulnerabilities/#granting-credentials-directly )

As part of the fix, when parsing the secret, we match the registry name of the scanned image with the registry name in the secret. If such match found, we pass the values to the scan command args.

When scanning image registry, the scan command did include these fields so no change is needed.

[gitguardian]

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secret in your pull request

GitGuardian id	GitGuardian status	Secret	Commit	Filename
9724889	Triggered	Generic High Entropy Secret	2b446e6	mainhandler/testdata/vulnscan/registry-secret.json	View secret

🛠 Guidelines to remediate hardcoded secrets

1. Understand the implications of revoking this secret by investigating where it is used in your code.
2. Replace and store your secret safely. Learn here the best practices.
3. Revoke and rotate this secret.
4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

• following these best practices for managing and storing secrets including API keys and other credentials
• install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.

---

<sup>🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

Our GitHub checks need improvements? Share your feedbacks!</sup>

[codiumai-pr-agent-free]

PR Description updated to latest commit (2b446e6)

[codiumai-pr-agent-free]

PR Review

⏱️ Estimated effort to review [1-5]	3, because the PR introduces significant changes to the image scanning process, including the addition of new interfaces and methods for handling registry secrets and configuring image scans. The complexity is moderate, involving changes across multiple files and the introduction of new logic for handling insecure registries and TLS verification. The PR also includes unit tests, which is positive, but the reviewer needs to carefully evaluate the changes to ensure they meet the requirements and do not introduce regressions.
🧪 Relevant tests	Yes
🔍 Possible issues	The use of pointers for skipTLSVerify and insecure in ImageScanConfig could lead to potential nil pointer dereferences if not properly checked before use.
	The method containsIgnoreCase compares registry names in a case-insensitive manner, which is generally good. However, it's important to ensure that all registry systems being interacted with do not have case-sensitive names or paths that could lead to incorrect behavior.
	The normalization of image tags using normalizeReference and subsequent extraction of the registry name could potentially alter the original image tag in a way that might not be expected by other parts of the system or by end-users. It's crucial to ensure that this normalization process does not have unintended side effects.
🔒 Security concerns	No

---

✨ Review tool usage guide:

---

Overview:
The review tool scans the PR code changes, and generates a PR review. The tool can be triggered automatically every time a new PR is opened, or can be invoked manually by commenting on any PR.
When commenting, to edit configurations related to the review tool (pr_reviewer section), use the following template:

/review --pr_reviewer.some_config1=... --pr_reviewer.some_config2=...

With a configuration file, use the following template:

[pr_reviewer]
some_config1=...
some_config2=...

Utilizing extra instructions The review tool can be configured with extra instructions, which can be used to guide the model to a feedback tailored to the needs of your project. Be specific, clear, and concise in the instructions. With extra instructions, you are the prompter. Specify the relevant sub-tool, and the relevant aspects of the PR that you want to emphasize. Examples for extra instructions: [pr_reviewer] # /review # extra_instructions=""" In the 'possible issues' section, emphasize the following: - Does the code logic cover relevant edge cases? - Is the code logic clear and easy to understand? - Is the code logic efficient? ... """ Use triple quotes to write multi-line instructions. Use bullet points to make the instructions more readable.

How to enable\disable automation When you first install PR-Agent app, the default mode for the review tool is: pr_commands = ["/review", ...] meaning the review tool will run automatically on every PR, with the default configuration. Edit this field to enable/disable the tool, or to change the used configurations

Auto-labels The review tool can auto-generate two specific types of labels for a PR: a possible security issue label, that detects possible security issues (enable_review_labels_security flag) a Review effort [1-5]: x label, where x is the estimated effort to review the PR (enable_review_labels_effort flag)

Extra sub-tools The review tool provides a collection of possible feedbacks about a PR. It is recommended to review the possible options, and choose the ones relevant for your use case. Some of the feature that are disabled by default are quite useful, and should be considered for enabling. For example: require_score_review, require_soc2_ticket, and more.

Auto-approve PRs By invoking: /review auto_approve The tool will automatically approve the PR, and add a comment with the approval. To ensure safety, the auto-approval feature is disabled by default. To enable auto-approval, you need to actively set in a pre-defined configuration file the following: [pr_reviewer] enable_auto_approval = true (this specific flag cannot be set with a command line argument, only in the configuration file, committed to the repository) You can also enable auto-approval only if the PR meets certain requirements, such as that the estimated_review_effort is equal or below a certain threshold, by adjusting the flag: [pr_reviewer] maximal_review_effort = 5

More PR-Agent commands To invoke the PR-Agent, add a comment using one of the following commands: /review: Request a review of your Pull Request. /describe: Update the PR title and description based on the contents of the PR. /improve [--extended]: Suggest code improvements. Extended mode provides a higher quality feedback. /ask <QUESTION>: Ask a question about the PR. /update_changelog: Update the changelog based on the PR's contents. /add_docs 💎: Generate docstring for new components introduced in the PR. /generate_labels 💎: Generate labels for the PR based on the PR's contents. /analyze 💎: Automatically analyzes the PR, and presents changes walkthrough for each component. See the tools guide for more details. To list the possible configuration parameters, add a /config comment.

See the review usage page for a comprehensive guide on using this tool.

[codiumai-pr-agent-free]

PR Code Suggestions

Category	Suggestions
Maintainability	Rename ListWorkloads2 to a more descriptive and conventional name. Consider renaming ListWorkloads2 to a more descriptive name that follows Go naming conventions and provides clarity on how it differs from any existing ListWorkloads function. mainhandler/imageregistryhandler.go [806] -ListWorkloads2(namespace, kind string) ([]k8sinterface.IWorkload, error) +ListAllWorkloads(namespace, kind string) ([]k8sinterface.IWorkload, error)
	Move ImageScanConfig and related functions to a separate package or file. For better maintainability and readability, consider moving ImageScanConfig and related functions (getImageScanConfig, getRegistryNameFromImageTag, etc.) to a separate package or file if they are used in multiple places. mainhandler/imageregistryhandler.go [398-402] -type ImageScanConfig struct { +// This suggestion involves structural changes rather than a direct code snippet.
Best practice	Add error handling for getRegistryScanSecrets failure. Ensure error handling is consistent and informative by checking and logging the error when getRegistryScanSecrets fails, instead of silently ignoring it. mainhandler/imageregistryhandler.go [410] -if secrets, err := getRegistryScanSecrets(k8sAPI, namespace, ""); err == nil && len(secrets) > 0 { +secrets, err := getRegistryScanSecrets(k8sAPI, namespace, "") +if err != nil { + logger.L().Error("Failed to get registry scan secrets", helpers.String("error", err.Error())) + return nil, err +} +if len(secrets) > 0 {
	Use pointer receivers for ImageScanConfig methods. Use pointer receivers for methods of ImageScanConfig to ensure modifications affect the original instance, especially if methods are added in the future that modify the struct. mainhandler/imageregistryhandler.go [398-402] -type ImageScanConfig struct { +func (isc *ImageScanConfig) SomeMethod() { + // Example method that modifies ImageScanConfig +}
	Add error handling and logging to normalizeReference and related functions. Ensure that normalizeReference and getRegistryNameFromImageTag handle errors gracefully and log them for debugging purposes, instead of silently failing. mainhandler/imageregistryhandler.go [537-557] -func normalizeReference(ref string) string { +func normalizeReference(ref string) (string, error) { + n, err := reference.ParseNormalizedNamed(ref) + if err != nil { + logger.L().Error("Failed to parse image reference", helpers.String("ref", ref), helpers.String("error", err.Error())) + return ref, err + } + return n.String(), nil +}

---

✨ Improve tool usage guide:

---

Overview:
The improve tool scans the PR code changes, and automatically generates suggestions for improving the PR code. The tool can be triggered automatically every time a new PR is opened, or can be invoked manually by commenting on a PR.
When commenting, to edit configurations related to the improve tool (pr_code_suggestions section), use the following template:

/improve --pr_code_suggestions.some_config1=... --pr_code_suggestions.some_config2=...

With a configuration file, use the following template:

[pr_code_suggestions]
some_config1=...
some_config2=...

Enabling\disabling automation When you first install the app, the default mode for the improve tool is: pr_commands = ["/improve --pr_code_suggestions.summarize=true", ...] meaning the improve tool will run automatically on every PR, with summarization enabled. Delete this line to disable the tool from running automatically.

Utilizing extra instructions Extra instructions are very important for the improve tool, since they enable to guide the model to suggestions that are more relevant to the specific needs of the project. Be specific, clear, and concise in the instructions. With extra instructions, you are the prompter. Specify relevant aspects that you want the model to focus on. Examples for extra instructions: [pr_code_suggestions] # /improve # extra_instructions=""" Emphasize the following aspects: - Does the code logic cover relevant edge cases? - Is the code logic clear and easy to understand? - Is the code logic efficient? ... """ Use triple quotes to write multi-line instructions. Use bullet points to make the instructions more readable.

A note on code suggestions quality While the current AI for code is getting better and better (GPT-4), it's not flawless. Not all the suggestions will be perfect, and a user should not accept all of them automatically. Suggestions are not meant to be simplistic. Instead, they aim to give deep feedback and raise questions, ideas and thoughts to the user, who can then use his judgment, experience, and understanding of the code base. Recommended to use the 'extra_instructions' field to guide the model to suggestions that are more relevant to the specific needs of the project, or use the custom suggestions 💎 tool With large PRs, best quality will be obtained by using 'improve --extended' mode.

More PR-Agent commands To invoke the PR-Agent, add a comment using one of the following commands: /review: Request a review of your Pull Request. /describe: Update the PR title and description based on the contents of the PR. /improve [--extended]: Suggest code improvements. Extended mode provides a higher quality feedback. /ask <QUESTION>: Ask a question about the PR. /update_changelog: Update the changelog based on the PR's contents. /add_docs 💎: Generate docstring for new components introduced in the PR. /generate_labels 💎: Generate labels for the PR based on the PR's contents. /analyze 💎: Automatically analyzes the PR, and presents changes walkthrough for each component. See the tools guide for more details. To list the possible configuration parameters, add a /config comment.

See the improve usage page for a more comprehensive guide on using this tool.

[amirmalka]

this check is needed to make the code testable (since GetImageRegistryCredentials calls NewKubernetesApi

[github-actions]

Summary:

• License scan: failure
• Credentials scan: failure
• Vulnerabilities scan: failure
• Unit test: success
• Go linting: success