diff --git a/config.py b/config.py
index db9ae3577..67734bf82 100644
--- a/config.py
+++ b/config.py
@@ -313,6 +313,9 @@ class DefaultConfig(object):
 # The number of seconds between indexing intervals in the security scanner
 SECURITY_SCANNER_INDEXING_INTERVAL = 30
 
+ # If specified, the security scanner will only index images newer than the provided ID.
+ SECURITY_SCANNER_INDEXING_MIN_ID = None
+
 # If specified, the endpoint to be used for all POST calls to the security scanner.
 SECURITY_SCANNER_ENDPOINT_BATCH = None
 
diff --git a/data/model/image.py b/data/model/image.py
index cd207c468..1d3b9fe56 100644
--- a/data/model/image.py
+++ b/data/model/image.py
@@ -495,10 +495,13 @@ def get_image_id():
 return Image.id
 
 
-def get_images_eligible_for_scan(clair_version):
+def get_images_eligible_for_scan(clair_version, min_id=None):
 """ Returns a query that gives all images eligible for a clair scan """
- return (get_image_with_storage_and_parent_base()
- .where(Image.security_indexed_engine < clair_version))
+ query = (get_image_with_storage_and_parent_base()
+ .where(Image.security_indexed_engine < clair_version))
+ if min_id is not None:
+ query = query.where(Image.id >= min_id)
+ return query
 
 
 def get_image_with_storage_and_parent_base():
diff --git a/test/test_secscan.py b/test/test_secscan.py
index cc29e5d74..38739e386 100644
--- a/test/test_secscan.py
+++ b/test/test_secscan.py
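Review bot: In config.py the new comment says images "newer than the provided ID" are indexed, but the filter added in data/model/image.py is `Image.id >= min_id`, so the image with that exact ID is included, and the comment does not say what happens to images below it. As far as these hunks show, images with a lower ID drop out of the worker's batch query and so would not be indexed by it, which an operator should know before setting the value. I would word the comment as `# If specified, the security scanner only indexes images whose ID is >= this value; images with a lower ID are skipped by the indexing worker.` and mirror the inclusive bound in the `get_images_eligible_for_scan` docstring, which still describes "all images eligible" and does not mention `min_id`.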
@@ -589,11 +589,11 @@ class TestSecurityScanner(unittest.TestCase):
 
 # Ensure no images are available for scanning.
 self.assertIsNone(model.image.get_min_id_for_sec_scan(expected_version))
- self.assertTrue(len(model.image.get_images_eligible_for_scan(expected_version)) == 0)
+ self.assertTrue(len(model.image.get_images_eligible_for_scan(expected_version, None)) == 0)
 
 # Check for a higher version.
 self.assertIsNotNone(model.image.get_min_id_for_sec_scan(expected_version + 1))
- self.assertTrue(len(model.image.get_images_eligible_for_scan(expected_version + 1)) > 0)
+ self.assertTrue(len(model.image.get_images_eligible_for_scan(expected_version + 1, None)) > 0)
 
 def test_notification_worker(self):
 layer1 = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True)
diff --git a/workers/securityworker.py b/workers/securityworker.py
index 314bbe436..93ec28081 100644
--- a/workers/securityworker.py
+++ b/workers/securityworker.py
@@ -42,7 +42,7 @@ class SecurityWorker(Worker):
 
 def _index_images(self):
 def batch_query():
- return get_images_eligible_for_scan(self._target_version)
+ return get_images_eligible_for_scan(self._target_version, app.config.get('SECURITY_SCANNER_INDEXING_MIN_ID', None))
 
 # Get the ID of the last image we can analyze. Will be None if there are no images in the
 # database.
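Review bot: Both updated assertions in test/test_secscan.py pass `None` for the new argument, so the `min_id` filter added in data/model/image.py is never exercised by this test. An extra assertion with a lower bound above every fixture image ID, e.g. `self.assertTrue(len(model.image.get_images_eligible_for_scan(expected_version + 1, too_high_id)) == 0)` where `too_high_id` is a placeholder for such a value, would pin the filter, and one at the boundary would pin the inclusive `>=`. The enclosing test method starts above the hunk, so I cannot see how `expected_version` and the fixtures are set up.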
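Review bot: The lower bound is applied silently inside `batch_query` in workers/securityworker.py, so nothing the worker emits shows that images below `SECURITY_SCANNER_INDEXING_MIN_ID` are being left unindexed; a log line when the value is set would make the reduced scan coverage visible to operators. The value also goes from `app.config` straight into the query with no type check, so a non-integer setting would surface only at query time; reading it once with `min_id = app.config.get('SECURITY_SCANNER_INDEXING_MIN_ID')` and rejecting anything that is not `None` or an `int` would fail earlier (`.get()` already defaults to `None`, so the explicit `, None` can go and the line gets shorter). The rest of `_index_images` is outside the hunk; if the ID range it walks is still computed without this bound, the worker may iterate ranges for which the query now returns nothing, which is worth confirming.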