feat: add renovate logic to create a new package when a new scanner image is published from IB #40
Draft
TheFutonEng wants to merge 1 commit into main from
Conversation
mjnagel reviewed Apr 13, 2026
| "matchPackageNames": [ | ||
| "registry1.dso.mil/ironbank/neuvector/neuvector/scanner" | ||
| ], | ||
| "followTag": "6", |
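Review bot: whatever `followTag` does for this datasource, a re-published `6` image can only show up as an update when the scanner references carry a digest (`registry1.dso.mil/ironbank/neuvector/neuvector/scanner:6@sha256:<digest>`) and this rule enables digest updates with `pinDigests: true`; the tag string itself never changes when the CVE DB is refreshed. The description defers the SHA pinning of the scanner references to a later commit, so consider including it here so the match and the digest bump can be verified together.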
Is there a good example of this working in docs/otherwise? From the Renovate docs it looks like the purpose is slightly different - https://docs.renovatebot.com/configuration-options/#followtag.
Perhaps allowedVersions is a better fit here? https://docs.renovatebot.com/configuration-options/#packagerulesallowedversions
Comment on lines +45 to +47
| "matchPackageNames": [ | ||
| "registry1.dso.mil/ironbank/neuvector/neuvector/scanner" | ||
| ], |
I think we'd probably want to do this across all 3 flavors.
Description
TL;DR: We need to consume CVE DB updates more frequently than the Neuvector package is being updated.
The upstream Neuvector `scanner` image that SUSE publishes is using a "floating tag." No idea if that is the proper description, but in short, the tag of `6` stays the same even if the CVE DB within the image gets bumped.

The repo for the scanner image has a Renovate configuration that watches the `hardening_manifest.yaml` file in the same repo. Based on this MR to that repo, there is some higher-level Renovate configuration that I don't have access to that bumps the `SHA` in the `hardening_manifest.yaml` file to trigger a new container build to the same `6` tag in Iron Bank.

The updated Renovate configuration, along with a yet-to-be-committed update to the various `scanner` image references to a `SHA`, should result in a PR to the Neuvector UDS package repo when a new `scanner` image is available in Iron Bank. I think it makes sense that these updates toggle the minor release portion of the version (the `#` in `*.uds.#`).

Type of change
Checklist before merging
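As an added illustration (not the PR's own configuration) of the flow the description lays out: a `packageRules` entry that keeps the scanner on Iron Bank tag `6` while letting Renovate propose a digest bump whenever that tag is republished with a new CVE DB. The `allowedVersions` regex, `pinDigests` and `groupName` settings are my assumptions about how to express this, not settings the PR contains.

```json
{
  "packageRules": [
    {
      "description": "Stay on the floating Iron Bank tag 6, but track its digest so a CVE DB refresh produces a PR",
      "matchDatasources": ["docker"],
      "matchPackageNames": ["registry1.dso.mil/ironbank/neuvector/neuvector/scanner"],
      "allowedVersions": "/^6$/",
      "pinDigests": true,
      "groupName": "neuvector scanner CVE DB refresh"
    }
  ]
}
```

This assumes the image references are written as `registry1.dso.mil/ironbank/neuvector/neuvector/scanner:6@sha256:<digest>`; the PRs Renovate then opens are `digest` updates, with the tag staying `6`.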