diff --git a/database/migrations/functions/packages/get_snapshots_to_scan.sql b/database/migrations/functions/packages/get_snapshots_to_scan.sql index 3215d0ef6..bd262bc10 100644 --- a/database/migrations/functions/packages/get_snapshots_to_scan.sql +++ b/database/migrations/functions/packages/get_snapshots_to_scan.sql @@ -22,7 +22,8 @@ returns setof json as $$ from snapshot s join package p using (package_id) join repository r using (repository_id) - where containers_images is not null + where s.containers_images is not null + and jsonb_array_length(s.containers_images) <= 15 and r.scanner_disabled = false and s.ts > (current_timestamp - '1 year'::interval) and ( diff --git a/docs/security_report.md b/docs/security_report.md index 17345a4a2..8304e1d0b 100644 --- a/docs/security_report.md +++ b/docs/security_report.md @@ -2,7 +2,7 @@ Artifact Hub scans containers' images used by packages for security vulnerabilities. The scanner uses [Trivy](https://github.com/aquasecurity/trivy) to generate security reports for each of the package's versions. These reports are accessible from the package's detail view. -Security reports are generated *periodically*. The scanner runs *twice an hour* and scans packages' versions **that haven't been scanned yet**. Packages' versions already scanned are revisited and **scanned again**, just in case new vulnerabilities have been discovered since the previous scan. The latest package version available is scanned **daily**, whereas previous versions are scanned **weekly**. This happens even if nothing has changed in the package version. Versions released more than **one year** ago won't be scanned anymore. +Security reports are generated *periodically*. The scanner runs *twice an hour* and scans packages' versions **that haven't been scanned yet**. Packages' versions already scanned are revisited and **scanned again**, just in case new vulnerabilities have been discovered since the previous scan. The latest package version available is scanned **daily**, whereas previous versions are scanned **weekly**. This happens even if nothing has changed in the package version. Versions released more than **one year** ago or with more than **15 container images** won't be scanned. The security report may contain multiple images sections, one for each of the images your package is listing. Within each image section, multiple targets can be listed as well. A common one is the OS used by the image, including the packages installed. But more targets can be scanned and displayed if files describing your [application dependencies](#application-dependencies) are found in the image.