SOFTWARE CONTAINER REGISTRY INSPECTION
First Claim
1. A system, comprising:
one or more processors; and
memory including instructions that, as a result of execution by the one or more processors, cause the system to:
receive a request to perform a scan of a set of container images stored in at least one repository, container images of the set of container images comprising image layers stored in the at least one repository, the request including criteria for identifying image layers associated with a security vulnerability; and
in response to receiving the request:
search a set of manifests stored in a database of a structured data store to obtain content-addressable identifiers for the image layers, the set of manifests comprising metadata about the set of container images;
determine, based at least in part on the content-addressable identifiers, image layers that match the criteria; and
flag the image layers that match the criteria as un-referenceable; and
as a result of an occurrence of a current time corresponding to a time scheduled for performing a deletion operation:
determine, by analyzing the set of manifests, one or more unreferenced image layers, the one or more unreferenced image layers being:
flagged as un-referenceable, or unreferenced by a manifest of a tagged container image; and
delete the one or more unreferenced image layers.
Abstract
A request to scan a software image for specified criteria is received, the software image comprising layers stored in a first data store. Metadata in a second data store, different from the first data store, is searched to obtain information corresponding to the software image. A first set of the layers that matches the specified criteria is determined, based at least in part on the information. The first set of layers is marked as un-referenceable. Asynchronous to fulfillment of the request, a second set of layers to be deleted is determined, based at least in part on the metadata, the second set of layers including the layers marked as un-referenceable, and the second set of layers is deleted.
20 Claims
1. A system, comprising: (independent claim; its full text is given under First Claim above.)
Dependent claims: 2, 3, 4.
5. A computer-implemented method, comprising:
under the control of one or more computer systems configured with executable instructions,
receiving a request to scan a software image for a match to specified criteria, the software image comprising image layers stored in a data object store assigned to an account;
searching metadata in a structured data store, different from the data object store, to obtain a set of identifiers for the image layers;
determining, based at least in part on the set of identifiers, that a first set of the image layers is associated with a match to the specified criteria;
marking the first set of the image layers as un-referenceable;
detecting an occurrence of an event that triggers deletion of un-referenceable software image layers;
determining, by analyzing the metadata, a set of un-referenceable layers of the image layers, the set of un-referenceable layers including the first set of the image layers and a second set of image layers comprising image layers stored in the data object store that are associated with an untagged software image; and
deleting the set of un-referenceable layers.
Dependent claims: 6, 7, 8, 9, 10, 11, 12.
13. One or more non-transitory computer-readable storage media having collectively stored thereon executable instructions that, as a result of execution by one or more processors of a distributed computer system, cause the distributed computer system to at least:
receive a request to scan a software image for specified criteria, the software image comprising layers stored in a first data store;
search through metadata in a second data store, different from the first data store, to obtain information corresponding to the software image;
determine, based at least in part on the information, a first set of the layers that matches the specified criteria;
mark the first set of the layers as un-referenceable; and
asynchronous to fulfillment of the request:
determine, based at least in part on the metadata, a second set of the layers to be deleted, the second set of the layers including layers marked as un-referenceable; and
delete the second set of the layers.
Dependent claims: 14, 15, 16, 17, 18, 19, 20.
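A constructed Python model of the claimed two-phase procedure, added here as an illustration and not the patent's own code: the registry class, store names and layer data are hypothetical. The scan consults manifest metadata only and flags layers by content-addressable digest; the later collection step deletes flagged layers together with layers unreachable from any tagged manifest, which is what makes a tagged image containing a flagged layer unpullable.

```python
import hashlib
from dataclasses import dataclass, field

def digest(blob: bytes) -> str:
    return "sha256:" + hashlib.sha256(blob).hexdigest()   # content-addressable layer id

@dataclass
class Registry:
    # Constructed model of the claims' two stores (names hypothetical): an object store
    # of layer blobs keyed by digest, and a structured store of manifests mapping an
    # image reference to its ordered layer digests plus a tag (None if untagged).
    blobs: dict = field(default_factory=dict)
    manifests: dict = field(default_factory=dict)
    tags: dict = field(default_factory=dict)
    unreferenceable: set = field(default_factory=set)

    def push(self, ref: str, tag, layers: list) -> list:
        ids = [digest(b) for b in layers]
        self.blobs.update(zip(ids, layers))
        self.manifests[ref], self.tags[ref] = ids, tag
        return ids

    def scan(self, vulnerable: set) -> set:
        # Scan step: consult manifest metadata only (no blob reads); flag matching digests.
        matched = {d for ids in self.manifests.values() for d in ids if d in vulnerable}
        self.unreferenceable |= matched
        return matched

    def collect(self) -> set:
        # Scheduled deletion, asynchronous to the scan: remove flagged layers plus any
        # layer that no tagged image's manifest references (untagged images are not roots).
        live = {d for ref, ids in self.manifests.items() if self.tags[ref] for d in ids}
        doomed = self.unreferenceable | (set(self.blobs) - live)
        for d in doomed:
            self.blobs.pop(d, None)
        self.unreferenceable -= doomed
        return doomed

    def is_pullable(self, ref: str) -> bool:
        # A tagged image that lost a flagged layer stays listed but can no longer be pulled.
        return ref in self.manifests and all(d in self.blobs for d in self.manifests[ref])

def demo():
    reg = Registry()
    reg.push("app:v1", "v1", [b"base-os", b"libssl-vulnerable", b"app-v1"])
    reg.push("app:v2", "v2", [b"base-os", b"libssl-fixed", b"app-v2"])
    reg.push("app@untagged", None, [b"base-os", b"app-v0"])
    flagged = reg.scan({digest(b"libssl-vulnerable")})   # criteria: a known-bad layer digest
    deleted = reg.collect()
    return reg, flagged, deleted
```

The shared base layer survives collection because a tagged, unflagged image still references it; only the flagged layer and the untagged image's private layer are removed.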
Specification