From 7e5609b6525624f6b73489a19e03dc7f2df40d40 Mon Sep 17 00:00:00 2001
From: David Dashti <david.dashti@hermesmedical.com>
Date: Sat, 25 Apr 2026 18:40:00 +0200
Subject: [PATCH] feat: log when registry transport is configured insecurely

Emit debug-level logs at the points where the insecure registry
options are actually applied:

- TLSConfig logs once per registry when InsecureSkipTLSVerify is set
- prepareReferenceOptions (in both oci and containerd providers) logs
  when InsecureUseHTTP causes name.Insecure to be applied to the
  reference

These logs are observability only - no behavior change. They
complement a higher-level warning emitted by downstream callers
(see anchore/grype#3101) by surfacing the actual per-registry
application of the insecure flags during low-level tracing.

Signed-off-by: David Dashti <david.dashti@hermesmedical.com>
---
 pkg/image/containerd/daemon_provider.go | 1 +
 pkg/image/oci/registry_provider.go      | 1 +
 pkg/image/registry_options.go           | 4 ++++
 3 files changed, 6 insertions(+)

diff --git a/pkg/image/containerd/daemon_provider.go b/pkg/image/containerd/daemon_provider.go
index 2caa9d1e..6334f801 100644
--- a/pkg/image/containerd/daemon_provider.go
+++ b/pkg/image/containerd/daemon_provider.go
@@ -497,6 +497,7 @@ func (p *daemonImageProvider) trackSaveProgress(size int64) *daemonProvideProgre
 func prepareReferenceOptions(registryOptions image.RegistryOptions) []name.Option {
 	var options []name.Option
 	if registryOptions.InsecureUseHTTP {
+		log.Debug("HTTP transport is enabled for registry communication")
 		options = append(options, name.Insecure)
 	}
 	return options
diff --git a/pkg/image/oci/registry_provider.go b/pkg/image/oci/registry_provider.go
index d575af49..f7ad2164 100644
--- a/pkg/image/oci/registry_provider.go
+++ b/pkg/image/oci/registry_provider.go
@@ -166,6 +166,7 @@ func newErrPlatformMismatch(platform *image.Platform, err error) *image.ErrPlatf
 func prepareReferenceOptions(registryOptions image.RegistryOptions) []name.Option {
 	var options []name.Option
 	if registryOptions.InsecureUseHTTP {
+		log.Debug("HTTP transport is enabled for registry communication")
 		options = append(options, name.Insecure)
 	}
 	return options
diff --git a/pkg/image/registry_options.go b/pkg/image/registry_options.go
index c91a61d0..be81bb40 100644
--- a/pkg/image/registry_options.go
+++ b/pkg/image/registry_options.go
@@ -82,6 +82,10 @@ func (r RegistryOptions) Authenticator(registry string) authn.Authenticator {
 
 // TLSConfig selects the tls.Config object for handling TLS authentication with a registry.
 func (r RegistryOptions) TLSConfig(registry string) (*tls.Config, error) {
+	if r.InsecureSkipTLSVerify {
+		log.Debugf("TLS verification is disabled for registry %q", registry)
+	}
+
 	tlsOptions := r.tlsOptions(registry)
 
 	if tlsOptions == nil {