
security-scan: conditionally allow scanning pre-release versions #543

Merged: 1 commit merged into main from shashankram/pre-release-scan on Nov 22, 2024

Conversation

shashankram
Contributor

@shashankram shashankram commented Nov 21, 2024

Conditionally allows running image scans against GitHub releases marked as pre-release.

Testing done:

  • Unit test

  • Manual test
    without --enable-pre-release

$ go run /src/code/go-utils/securityscanutils/cli scan-repo -v     -i /src/code/gloo-operator/docs/cmd/imageVersionConstraints.csv    -c ">=v0.1.0-0"         -r us-docker.pkg.dev/solo-public/gloo-operator  -g gloo-operator        -a output-locally          -d /src/code/gloo-operator/docs/cmd/securityScanDebugInstructions.md

{"level":"debug","ts":"2024-11-21T13:12:11.845-0800","caller":"securityscanutils/securityscan.go:176","msg":"Number of github releases to scan: 0"}

with --enable-pre-release

go run /src/code/go-utils/securityscanutils/cli scan-repo -v     -i /src/code/gloo-operator/docs/cmd/imageVersionConstraints.csv    -c ">=v0.1.0-0"         -r us-docker.pkg.dev/solo-public/gloo-operator  -g gloo-operator        -a output-locally          -d /src/code/gloo-operator/docs/cmd/securityScanDebugInstructions.md --enable-pre-release

{"level":"debug","ts":"2024-11-21T13:12:14.772-0800","caller":"securityscanutils/securityscan.go:176","msg":"Number of github releases to scan: 1"}
{"level":"debug","ts":"2024-11-21T13:12:14.772-0800","caller":"securityscanutils/securityscan.go:203","msg":"LocalIssueWriter configured with Predicate: &{}"}
{"level":"debug","ts":"2024-11-21T13:12:14.772-0800","caller":"securityscanutils/securityscan.go:211","msg":"Completed processing user defined configuration."}
{"level":"debug","ts":"2024-11-21T13:12:14.862-0800","caller":"securityscanutils/trivy_scanner.go:89","msg":"Trivy returned 0 after 90.231655ms on us-docker.pkg.dev/solo-public/gloo-operator/gloo-operator:0.1.0-alpha.0"}
{"level":"info","ts":"2024-11-21T13:12:14.863-0800","caller":"securityscanutils/securityscan.go:276","msg":"no vulnerabilities found for version 0.1.0-alpha.0 of gloo-operator repo, skipping issue write"}
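
The gate the description adds, as an added Go example that is not the go-utils code: a hypothetical `Release` struct stands in for the GitHub release object, and `SelectReleasesToScan` applies the `>=v0.1.0-0` style floor from the commands above and drops releases flagged pre-release unless `enablePreRelease` (the `--enable-pre-release` switch) is set. It assumes the floor's prerelease suffix is `-0` or absent, so on an equal numeric core it only needs to know whether the tag carries a suffix at all.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

type Release struct{ TagName string; Prerelease bool } // hypothetical; Prerelease = GitHub "pre-release" checkbox

// parseTag maps "v0.1.0-alpha.0" to a comparable key (major/minor/patch in 20-bit fields) plus suffix "alpha.0".
func parseTag(tag string) (key int64, pre string, ok bool) {
	core, pre, _ := strings.Cut(strings.TrimPrefix(strings.TrimPrefix(tag, ">="), "v"), "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return 0, "", false
	}
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n >= 1<<20 {
			return 0, "", false
		}
		key = key<<20 | int64(n)
	}
	return key, pre, true
}

// SelectReleasesToScan keeps tags at or above the ">=" floor in constraint; GitHub
// releases flagged pre-release pass only when enablePreRelease is set.
func SelectReleasesToScan(releases []Release, constraint string, enablePreRelease bool) (keep []string) {
	floor, floorPre, ok := parseTag(constraint)
	if !ok {
		return nil
	}
	for _, r := range releases {
		if r.Prerelease && !enablePreRelease {
			continue // default-off gate: flagged pre-releases are not scanned
		}
		key, pre, ok := parseTag(r.TagName)
		if !ok || key < floor || (key == floor && pre != "" && floorPre == "") {
			continue // below the floor, or a suffixed tag against a plain floor ("-0" admits any suffix)
		}
		keep = append(keep, r.TagName)
	}
	return keep
}

func main() { // constructed input: the one pre-release from the run above
	fmt.Println(SelectReleasesToScan([]Release{{"v0.1.0-alpha.0", true}}, ">=v0.1.0-0", true))
}
```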

Conditionally allows running image scans against Github releases
marked as pre-release.
@nfuden
Contributor

nfuden commented Nov 22, 2024

Can we add the context here?
I assume it's that we want to scan something before we elevate it to a non-prerelease, right?

@shashankram
Contributor Author

Can we add the context here? I assume it's that we want to scan something before we elevate it to a non-prerelease, right?

The context is noted in the PR description. It allows optionally scanning versions marked as pre-release.

@nfuden
Contributor

nfuden commented Nov 22, 2024

But why would you want to scan a prerelease? For example, users will take formerly released things and mark them as prerelease to take them down from being checked.
Not saying you are trying to change that, but more guidance around how this security scanning could or should be configured / called would make sense.

@shashankram
Contributor Author

But why would you want to scan a prerelease? For example, users will take formerly released things and mark them as prerelease to take them down from being checked. Not saying you are trying to change that, but more guidance around how this security scanning could or should be configured / called would make sense.

Why would you not want to scan a pre-release? It is project specific, and the tool should provide the ability for projects to scan releases the way they prefer. There is no general rule here. In some projects, we may mark a release as pre-release but still run scans against it to catch issues before they make it into an actual release.

Member

@yuval-k yuval-k left a comment


lgtm

@soloio-bulldozer soloio-bulldozer bot merged commit df75e5e into main Nov 22, 2024
4 checks passed
@soloio-bulldozer soloio-bulldozer bot deleted the shashankram/pre-release-scan branch November 22, 2024 18:30