feat: log when registry transport is configured insecurely #587
Open
Dashtid wants to merge 1 commit into anchore:main from
Conversation
Emit debug-level logs at the points where the insecure registry options are actually applied:

- TLSConfig logs once per registry when InsecureSkipTLSVerify is set
- prepareReferenceOptions (in both oci and containerd providers) logs when InsecureUseHTTP causes name.Insecure to be applied to the reference

These logs are observability only - no behavior change. They complement a higher-level warning emitted by downstream callers (see anchore/grype#3101) by surfacing the actual per-registry application of the insecure flags during low-level tracing.

Signed-off-by: David Dashti <david.dashti@hermesmedical.com>
Summary

- `TLSConfig` logs per-registry when `InsecureSkipTLSVerify` is set
- `prepareReferenceOptions` (in both oci and containerd providers) logs when `InsecureUseHTTP` causes `name.Insecure` to be applied to the reference

This is the second half of anchore/grype#3101. The first half (a one-time CLI warning at config-load time) is in anchore/grype#3396; these debug logs complement it by surfacing the actual per-registry application of the flags during low-level tracing.

Details

Three small additions, 6 lines total:

- `pkg/image/registry_options.go`: `log.Debugf` at the top of `TLSConfig` when `InsecureSkipTLSVerify` is true. Includes the registry name via `%q` since `TLSConfig(registry string)` already has it.
- `pkg/image/oci/registry_provider.go`: `log.Debug` inside the existing `if registryOptions.InsecureUseHTTP` branch in `prepareReferenceOptions`.
- `pkg/image/containerd/daemon_provider.go`: identical `log.Debug` for the same function (it exists as a duplicate in this provider).

Log style and level match existing patterns in the same files (e.g. `log.Tracef("using registry credentials from config index %d", ...)` and `log.Debugf("pulling %s image=%q", ...)`).

Test plan

- `go build ./...` passes
- `go test ./pkg/image/...` — all related tests pass (Test_prepareReferenceOptions, registry/TLS tests)
- `TestRegistryOptions_TLSConfig_rootCAs/add_root_certs_from_dir` — confirmed identical failure on clean upstream main, unrelated to this change. Likely a Windows path/glob test issue.
- No new tests added: debug logs are observability-only and not typically unit-tested in this codebase (consistent with how the existing `log.Tracef`/`log.Debugf` calls at the same sites have no dedicated tests).
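The pattern this PR describes, written out as a stand-alone Go example that is not stereoscope's code: a per-registry `TLSConfig` and a `prepareReferenceOptions`-style function that each emit a debug line at the exact point the insecure switch takes effect, and stay silent on the secure default. Only the field names `InsecureSkipTLSVerify` and `InsecureUseHTTP` come from the PR; `RegistryClient`, `NewRegistryClient`, `ReferenceOptions`, `PrepareReferenceOptions` and the log wording are assumed here, and go-containerregistry's `name.Insecure` option is modelled as a recorded boolean so the example needs only the standard library.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"log"
	"os"
)

// RegistryOptions holds the two operator-controlled "insecure" switches the
// PR is about. The field names match those quoted in the PR description;
// everything else in this file is an assumed stand-in, not stereoscope code.
type RegistryOptions struct {
	InsecureSkipTLSVerify bool
	InsecureUseHTTP       bool
}

// ReferenceOptions stands in for the name.Option list go-containerregistry
// would receive; Insecure records whether name.Insecure would be applied.
type ReferenceOptions struct {
	Registry string
	Insecure bool
}

// RegistryClient applies the options and writes a debug line at the point
// where each insecure switch actually changes transport behaviour.
type RegistryClient struct {
	opts   RegistryOptions
	logger *log.Logger
}

// NewRegistryClient wires the options to a logger. Passing a bytes.Buffer as w
// lets a test assert on the emitted lines; main below uses os.Stderr.
func NewRegistryClient(opts RegistryOptions, w io.Writer) *RegistryClient {
	return &RegistryClient{opts: opts, logger: log.New(w, "", 0)}
}

// TLSConfig builds the per-registry TLS settings. When verification is
// disabled it says so, naming the registry, before returning the config.
func (c *RegistryClient) TLSConfig(registry string) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if c.opts.InsecureSkipTLSVerify {
		c.logger.Printf("[DEBUG] InsecureSkipTLSVerify is set: skipping TLS certificate verification for registry=%q", registry)
		cfg.InsecureSkipVerify = true // deliberate: the operator opted out of verification
	}
	return cfg
}

// PrepareReferenceOptions mirrors the prepareReferenceOptions branch in the
// PR: only when InsecureUseHTTP is set does the reference become insecure,
// and that is the moment the debug line is written.
func (c *RegistryClient) PrepareReferenceOptions(registry string) ReferenceOptions {
	ro := ReferenceOptions{Registry: registry}
	if c.opts.InsecureUseHTTP {
		c.logger.Printf("[DEBUG] InsecureUseHTTP is set: applying name.Insecure (plain HTTP allowed) for registry=%q", registry)
		ro.Insecure = true
	}
	return ro
}

func main() {
	// Constructed sample: both flags on, two registries, so each registry
	// produces its own pair of debug lines on stderr.
	c := NewRegistryClient(RegistryOptions{InsecureSkipTLSVerify: true, InsecureUseHTTP: true}, os.Stderr)
	for _, reg := range []string{"registry.example.internal:5000", "mirror.example.internal"} {
		cfg := c.TLSConfig(reg)
		ro := c.PrepareReferenceOptions(reg)
		fmt.Printf("%s: skipVerify=%v insecureRef=%v\n", reg, cfg.InsecureSkipVerify, ro.Insecure)
	}
}
```

Logging at the application point rather than at config load is what makes the trail useful: a single startup warning tells you the flag exists, while these lines tell you which registry actually received an unverified TLS connection or a plain-HTTP reference, which is what an incident reviewer reading a trace needs. The secure default emits nothing, so the presence of either line is itself a signal worth alerting on.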