Software container registry inspection
First Claim
1. A system, comprising:
one or more processors; and
memory including executable instructions that, as a result of execution by the one or more processors, cause the system to:
receive a request to perform a scan of a set of container images stored in at least one repository, a container image of the set of container images comprising encrypted image layers assigned to an account, the request including criteria for identifying insecure image layers associated with a security vulnerability; and
in response to receiving the request:
search a set of manifests stored in a database of a structured data store to obtain content-addressable identifiers for the encrypted image layers, the set of manifests comprising metadata about the set of container images;
determine, based at least in part on the content-addressable identifiers, an insecure image layer at least in part by causing the system to:
decrypt the encrypted image layers using a decryption key to form decrypted image layers, the decryption key being obtained via an entity associated with the account; and
determine the insecure image layer from one of the decrypted image layers that is associated with a match to the criteria; and
flag the insecure image layer as un-referenceable; and
as a result of an occurrence of a current time corresponding to a time scheduled for performing a deletion operation:
determine, by analyzing the set of manifests, a superset of image layers that includes one or more image layers that are flagged as un-referenceable; and
delete the superset of image layers.
1 Assignment
0 Petitions
Abstract
A request to scan a software image for specified criteria is received, the software image comprising layers stored in a first data store. Metadata in a second data store, different from the first data store, is searched to obtain information corresponding to the software image. A first set of the layers that matches the specified criteria is determined, based at least in part on the information. The first set of layers is marked as un-referenceable. Asynchronous to fulfillment of the request, a second set of layers to be deleted is determined, based at least in part on the metadata, the second set of layers including the layers marked as un-referenceable, and the second set of layers is deleted.
20 Claims
1. (Reproduced above under First Claim.) Dependent claims: 2, 3, 4, 5, 6
7. A computer-implemented method, comprising:
receiving a request to scan a software image for a match to specified criteria, the software image comprising image layers stored as encrypted image layers in a data object store assigned to an account;
searching metadata in a structured data store, different from the data object store, to obtain a set of identifiers for the image layers;
determining, based at least in part on the set of identifiers, that a first set of the image layers is associated with a match to the specified criteria at least in part by:
obtaining a decryption key from an entity associated with the account;
decrypting the encrypted image layers using the decryption key to form decrypted image layers; and
determining the first set of the image layers from one or more layers of the decrypted image layers that are associated with the match to the specified criteria;
marking the first set of the image layers as un-referenceable;
detecting an occurrence of an event that triggers deletion of un-referenceable image layers;
determining, by analyzing the metadata, a set of un-referenceable layers of the image layers, the set of un-referenceable layers including the first set of the image layers and a second set of image layers comprising image layers stored in the data object store that are associated with an untagged software image; and
deleting the set of un-referenceable layers.
Dependent claims: 8, 9, 10, 11, 12, 13
14. One or more non-transitory computer-readable storage media having collectively stored thereon executable instructions that, as a result of execution by one or more processors of a distributed computer system, cause the distributed computer system to at least:
receive a request to scan a software image for specified criteria, the software image comprising image layers stored in a first data store as an encrypted software image;
search through metadata in a second data store, different from the first data store, to obtain information corresponding to the software image;
determine, based at least in part on the information, a first set of the image layers that matches the specified criteria at least in part by causing the distributed computer system to:
decrypt the encrypted software image using a cryptographic key shared between an entity and the distributed computer system to form decrypted layers, the entity being associated with the encrypted software image through an account that is hosted by a computing resource service provider that hosts the distributed computer system; and
determine the first set of the image layers at least in part from layers of the decrypted layers that contain one or more files that match reference criteria;
mark the first set of the image layers as un-referenceable; and
asynchronous to fulfillment of the request:
determine, based at least in part on the metadata, a second set of the image layers to be deleted, the second set of the image layers including the first set of the image layers; and
delete the second set of the image layers.
Dependent claims: 15, 16, 17, 18, 19, 20
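The three independent claims describe one procedure: resolve layer digests from the manifest store rather than by listing the object store, obtain the account's decryption key from the account's own key holder, decrypt and inspect the layers, flag matching layers as un-referenceable, and later (on a schedule or trigger) delete the flagged layers together with layers that belong only to untagged images. The model below is an added example written for this page; it is not code from the patent or from any registry product. The `Registry`, `KeyProvider`, `push_layer`, `scan` and `garbage_collect` names are assumptions, the SHA-256 counter keystream is a stand-in for a real authenticated cipher, and each layer is represented as a JSON dict of path to content in place of a tar archive.

```python
"""Model of registry-side scanning and scheduled deletion of encrypted image
layers. Added illustration, not the patent's or any registry's implementation."""
import hashlib, json, os, re


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): SHA-256 counter keystream XORed over data.
    A production store would use an AEAD such as AES-GCM so that a tampered
    blob fails to decrypt instead of yielding garbage."""
    out = bytearray()
    for ctr in range(0, len(data), 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, out))


class KeyProvider:
    """Plays the 'entity associated with the account' that releases the key.
    The registry never holds customer keys; it asks at scan time."""
    def __init__(self, grants):
        self._grants = grants                      # account -> key (constructed)

    def decryption_key(self, account):
        if account not in self._grants:
            raise PermissionError(f"no key grant for {account}")
        return self._grants[account]


class Registry:
    def __init__(self):
        self.blobs = {}            # object store: digest -> nonce || ciphertext
        self.manifests = []        # structured store: image metadata only
        self.unreferenceable = set()

    def push_layer(self, key, files):
        """Encrypt one layer and store it under the digest of the *stored* bytes,
        so the address is verifiable without the key."""
        nonce = os.urandom(16)
        blob = nonce + _keystream_xor(key, nonce, json.dumps(files).encode())
        digest = "sha256:" + hashlib.sha256(blob).hexdigest()
        self.blobs[digest] = blob
        return digest

    def push_manifest(self, account, repo, tag, layers):
        self.manifests.append({"account": account, "repo": repo,
                               "tag": tag, "layers": layers})

    def scan(self, repo, criteria, kp):
        """Digests come from the manifest DB, each layer is decrypted with the
        account's key and checked against the criteria; matches are flagged."""
        path_re = re.compile(criteria["path_regex"])
        want_sha = criteria.get("content_sha256")   # optional exact-file match
        flagged, seen = set(), set()
        for m in self.manifests:
            if m["repo"] != repo:
                continue
            key = kp.decryption_key(m["account"])
            for digest in m["layers"]:
                if digest in seen:                   # shared layers scanned once
                    continue
                seen.add(digest)
                blob = self.blobs[digest]
                files = json.loads(_keystream_xor(key, blob[:16], blob[16:]))
                for path, content in files.items():
                    sha = hashlib.sha256(content.encode()).hexdigest()
                    if path_re.search(path) and want_sha in (None, sha):
                        flagged.add(digest)
                        break
        self.unreferenceable |= flagged
        return flagged

    def garbage_collect(self, now, scheduled_at):
        """Scheduled deletion computed from metadata alone: flagged layers plus
        layers reachable only from untagged manifests."""
        if now < scheduled_at:
            return set(), set()
        tagged = {d for m in self.manifests if m["tag"] for d in m["layers"]}
        orphan = {d for m in self.manifests if not m["tag"]
                  for d in m["layers"]} - tagged
        doomed = self.unreferenceable | orphan
        for d in doomed:
            self.blobs.pop(d, None)
        # tagged images whose manifest still points at a deleted layer can no
        # longer be pulled; that is how the flag is enforced
        broken = {f"{m['repo']}:{m['tag']}" for m in self.manifests
                  if m["tag"] and set(m["layers"]) & doomed}
        self.unreferenceable -= doomed
        return doomed, broken


def run_demo():
    """Constructed scenario: two tagged images sharing a base, one with a
    layer that matches the criteria, plus an untagged leftover image."""
    kp = KeyProvider({"acct-1": hashlib.sha256(b"demo-key-acct-1").digest()})
    reg, key = Registry(), kp.decryption_key("acct-1")
    base = reg.push_layer(key, {"/bin/sh": "shell", "/etc/os-release": "demo"})
    vuln = reg.push_layer(key, {"/usr/lib/libvuln.so": "vulnerable build"})
    app = reg.push_layer(key, {"/app/main": "app code"})
    stale = reg.push_layer(key, {"/app/main": "old app code"})
    reg.push_manifest("acct-1", "web", "v1", [base, vuln, app])
    reg.push_manifest("acct-1", "web", "v2", [base, app])
    reg.push_manifest("acct-1", "web", None, [base, stale])
    try:                                   # scanner without a key grant gets nothing
        reg.scan("web", {"path_regex": "."}, KeyProvider({}))
        denied = False
    except PermissionError:
        denied = True
    flagged = reg.scan("web", {"path_regex": r"/libvuln\.so$"}, kp)
    deferred = reg.garbage_collect(now=100, scheduled_at=200)   # not yet due
    doomed, broken = reg.garbage_collect(now=200, scheduled_at=200)
    return {"layers": {"base": base, "vuln": vuln, "app": app, "stale": stale},
            "denied": denied, "flagged": flagged, "deferred": deferred,
            "deleted": doomed, "broken": broken, "remaining": set(reg.blobs)}
```

Two points a practitioner would check before deploying this flow. Deleting a flagged layer breaks every tagged image whose manifest references it (`web:v1` above), so the scan result should be surfaced to the account before the scheduled deletion fires. The "untagged image" set is narrowed here to layers not shared with any tagged image, which the claims do not require but which avoids deleting a base layer that a live image still uses.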