As we continue to work with ECR vulnerability scanning, we have come across some vulnerabilities (incl. false positives) that we cannot fix but that also won't impact the security of our image, as we wouldn't be using that particular feature (e.g. docker-library/wordpress#472).
Given this, we are thinking of implementing an allow-list feature, where we can maintain an array of references to vulnerabilities we want to ignore in the counts.
Is that something you have considered yourself in the past maybe? Would you be interested in accepting a PR for it in the near future?
Cheers
Patrik
We haven't had any issues like this with our own images. Well, we have given up using medium as a threshold for some images 🙊
I think this feature makes sense. And +1 for the modern inclusive name. Were you thinking of using CVE as the identifier?
To prevent the user's allow list growing forever, this action should warn (or error??) if a CVE is allowed that is not in the vulnerability list at a failing threshold.
Haven't thought that far ahead, but yeah, "CVE name" as the identifier seems to make sense. Will have to have a closer look at what the response is that comes back from ECR.
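As an added example (not code from this action or from either participant), here is one way the allow-list discussed in this thread could work: findings are counted against a severity threshold, CVE names on the allow-list are skipped, and, following the maintainer's suggestion, any allow-listed CVE that no longer matches a finding at or above the failing threshold is reported as stale so the list does not grow forever. The finding objects are shaped like the `imageScanFindings.findings` entries of the ECR `DescribeImageScanFindings` response (`name` and `severity`); the sample findings and CVE identifiers below are constructed placeholders, not real scan output.

```javascript
// Added example: evaluate ECR scan findings against a severity threshold while
// honouring a CVE allow-list, and flag allow-list entries that suppress nothing.

// Severity names as ECR reports them, ranked lowest to highest. UNDEFINED is
// ranked lowest so an unclassified finding never fails a run on its own.
const SEVERITY_ORDER = ['UNDEFINED', 'INFORMATIONAL', 'LOW', 'MEDIUM', 'HIGH', 'CRITICAL'];

function severityRank(severity) {
  const rank = SEVERITY_ORDER.indexOf(String(severity).toUpperCase());
  return rank === -1 ? 0 : rank; // unknown strings are treated like UNDEFINED
}

// findings:  array shaped like `imageScanFindings.findings` ({ name, severity, ... })
// threshold: lowest severity that fails the check, e.g. 'MEDIUM'
// allowList: CVE names to ignore in the counts
function evaluateFindings(findings, threshold, allowList) {
  const allowed = new Set(allowList.map((cve) => cve.toUpperCase()));
  const thresholdRank = severityRank(threshold);
  const counts = {};          // per-severity counts, allow-listed findings excluded
  const failing = [];         // CVE names at or above the threshold that were not allowed
  const matchedAllowed = new Set();

  for (const finding of findings) {
    const name = String(finding.name).toUpperCase();
    const rank = severityRank(finding.severity);
    if (allowed.has(name)) {
      // An allow-list entry only "earns its keep" if the finding would have failed the run.
      if (rank >= thresholdRank) matchedAllowed.add(name);
      continue;
    }
    counts[finding.severity] = (counts[finding.severity] || 0) + 1;
    if (rank >= thresholdRank) failing.push(name);
  }

  // Entries that no longer suppress a failing finding: the caller can warn or error on these.
  const staleAllowed = [...allowed].filter((cve) => !matchedAllowed.has(cve)).sort();

  return { counts, failing, staleAllowed, passed: failing.length === 0 };
}

// Constructed sample input (placeholder CVE ids, not real findings).
const SAMPLE_FINDINGS = [
  { name: 'CVE-0000-0001', severity: 'HIGH' },
  { name: 'CVE-0000-0002', severity: 'MEDIUM' },
  { name: 'CVE-0000-0003', severity: 'LOW' },
  { name: 'CVE-0000-0004', severity: 'CRITICAL' },
];
const SAMPLE_ALLOW_LIST = ['CVE-0000-0001', 'CVE-0000-0003', 'CVE-0000-9999'];

function runSample() {
  const result = evaluateFindings(SAMPLE_FINDINGS, 'MEDIUM', SAMPLE_ALLOW_LIST);
  for (const cve of result.staleAllowed) {
    console.warn(`allow-list entry ${cve} matches no finding at or above the threshold`);
  }
  if (!result.passed) {
    console.error(`failing findings: ${result.failing.join(', ')}`);
  }
  return result;
}

runSample();
```

With the sample input and a `MEDIUM` threshold, the HIGH finding is suppressed by the allow-list, the MEDIUM and CRITICAL findings fail the run, and two allow-list entries are reported as stale: the LOW one (below the threshold, so it never needed allowing) and the one that matches no finding at all.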