Do not scan versions with more than 15 images (#4092)
Signed-off-by: Sergio Castaño Arteaga <[email protected]>
tegioz authored Oct 11, 2024
1 parent 0f60865 commit bfc113c
Showing 2 changed files with 3 additions and 2 deletions.
@@ -22,7 +22,8 @@ returns setof json as $$
from snapshot s
join package p using (package_id)
join repository r using (repository_id)
where containers_images is not null
where s.containers_images is not null
and jsonb_array_length(s.containers_images) <= 15
and r.scanner_disabled = false
and s.ts > (current_timestamp - '1 year'::interval)
and (
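Review bot: the new `jsonb_array_length(s.containers_images) <= 15` predicate will raise an error rather than skip the row if `containers_images` is ever a non-array JSON value (object, string, number); the preceding `s.containers_images is not null` only rules out NULL, not a non-array. Guard it with `jsonb_typeof(s.containers_images) = 'array'` before the length check, or accept the assumption explicitly in a comment. The literal 15 is also hard-coded here and repeated in the docs; lifting it into a named constant or function parameter would keep the two from drifting. One consequence worth calling out in the commit description: since this filter lives in the candidate-selection query, a version listing more than 15 images that was scanned before this change keeps its existing report but is never refreshed again.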
2 changes: 1 addition & 1 deletion docs/security_report.md
@@ -2,7 +2,7 @@

Artifact Hub scans containers' images used by packages for security vulnerabilities. The scanner uses [Trivy](https://github.com/aquasecurity/trivy) to generate security reports for each of the package's versions. These reports are accessible from the package's detail view.

Security reports are generated *periodically*. The scanner runs *twice an hour* and scans packages' versions **that haven't been scanned yet**. Packages' versions already scanned are revisited and **scanned again**, just in case new vulnerabilities have been discovered since the previous scan. The latest package version available is scanned **daily**, whereas previous versions are scanned **weekly**. This happens even if nothing has changed in the package version. Versions released more than **one year** ago won't be scanned anymore.
Security reports are generated *periodically*. The scanner runs *twice an hour* and scans packages' versions **that haven't been scanned yet**. Packages' versions already scanned are revisited and **scanned again**, just in case new vulnerabilities have been discovered since the previous scan. The latest package version available is scanned **daily**, whereas previous versions are scanned **weekly**. This happens even if nothing has changed in the package version. Versions released more than **one year** ago or with more than **15 container images** won't be scanned.

The security report may contain multiple images sections, one for each of the images your package is listing. Within each image section, multiple targets can be listed as well. A common one is the OS used by the image, including the packages installed. But more targets can be scanned and displayed if files describing your [application dependencies](#application-dependencies) are found in the image.

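Review bot: the rewritten last sentence of the second paragraph states the 15-image cutoff but leaves two things implicit that readers of this page will ask about: that the count is the number of container images a given package version lists, and that a version over the limit is not only skipped for a first scan but also no longer re-scanned, so any report it already has is not refreshed. Suggest something like "Versions released more than **one year** ago, or listing more than **15 container images**, won't be scanned or re-scanned; a report previously generated for such a version is no longer updated." Also, "or with more than 15 container images won't be scanned" reads as if the two conditions were a single clause; a comma after "ago" separates them.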
