Situation:
Yesterday I discovered I have an image inside my on-prem Quay with a high vulnerability (what a pain to get an overview over all organizations and all repos with Quay) and my cluster showed me all green! On investigating, I found out the container-security-operator was never able to talk with my Quay:
"x509: certificate signed by unknown authority"
On fixing this I'm stuck with "Request returned non-200 response: 401 UNAUTHORIZED"
and still everything green.
This is misleading, as green means everything OK, which is a completely different answer than "I don't know"... which is what I have with a broken setup.
The expected behavior if the container-security-operator is not able to get information should NOT be "all green"!
BTW: I fixed the problem with my own CA by
oc create secret generic container-security-operator-extra-certs -n openshift-operators --from-file=ca1.crt=ca1.crt
Seems the upstream ticket got closed as "wont fix" (https://issues.redhat.com/browse/PROJQUAY-2990)
Nevertheless: security-related products are not allowed to fall back to the answer "all secure"! This is exceptionally bad design and not tolerated as any security safeguard at all.
So my conclusion: do not use CSO at all, as it's misleading you into believing you have a good condition in the cluster even if it's not, and it's broken by design. So it's unreliable. Don't rely on such products.
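The core complaint above is that the operator collapses "I could not reach the scanner" into "no vulnerabilities". As an added example (not code from the container-security-operator project or from the issue author), the script below shows what a tri-state check looks like: it reads the operator's log lines for the two failures quoted in the issue (the x509 trust error and the non-200 reply), checks how fresh the newest ImageManifestVuln result is, and only then reports "clean" or "vulnerable". The log line format and the shape of the ImageManifestVuln status dicts (`highestSeverity`, `lastUpdate`) are assumptions for the example; the sample logs and objects are constructed inline.

```python
import re
from datetime import datetime, timedelta, timezone

# The two failure messages quoted in the issue. Either one means the operator
# has no data from Quay, which must be reported as "unknown", never as "clean".
UPSTREAM_FAILURE_PATTERNS = (
    re.compile(r"x509: certificate signed by unknown authority"),
    re.compile(r"Request returned non-200 response: (\d{3})"),
)

# Ordering used to compare the highestSeverity field (assumed CRD shape).
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}


def scan_backend_failures(log_lines):
    """Return operator log lines showing Quay was unreachable or refused the request."""
    return [line for line in log_lines
            if any(p.search(line) for p in UPSTREAM_FAILURE_PATTERNS)]


def newest_update(manifest_vulns):
    """Newest status.lastUpdate across the given ImageManifestVuln objects, or None."""
    stamps = []
    for obj in manifest_vulns:
        raw = obj.get("status", {}).get("lastUpdate")
        if raw:
            stamps.append(datetime.fromisoformat(raw.replace("Z", "+00:00")))
    return max(stamps) if stamps else None


def assess_cluster(manifest_vulns, log_lines, now, threshold="High",
                   max_age=timedelta(hours=24)):
    """Tri-state verdict: ('unknown' | 'vulnerable' | 'clean', details).

    'unknown' is returned when the scanner backend is failing or when there is
    no scan result newer than max_age; 'clean' is never the default answer.
    """
    failures = scan_backend_failures(log_lines)
    if failures:
        return "unknown", {"reason": "operator cannot reach Quay", "evidence": failures}

    newest = newest_update(manifest_vulns)
    if newest is None or now - newest > max_age:
        return "unknown", {"reason": f"no scan result newer than {max_age}", "newest": newest}

    worst = max((obj.get("status", {}).get("highestSeverity", "Unknown")
                 for obj in manifest_vulns), key=lambda s: SEVERITY_RANK.get(s, 0))
    if SEVERITY_RANK.get(worst, 0) >= SEVERITY_RANK[threshold]:
        return "vulnerable", {"highestSeverity": worst, "newest": newest}
    return "clean", {"highestSeverity": worst, "newest": newest}


# ---- constructed sample data (not real operator output) ----
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)

LOGS_TLS_BROKEN = [
    'E0102 11:58:01 secscan: Get "https://quay.example.internal/api/v1/...": '
    "x509: certificate signed by unknown authority",
]
LOGS_AUTH_BROKEN = [
    "E0102 11:59:30 secscan: Request returned non-200 response: 401 UNAUTHORIZED",
]
LOGS_HEALTHY = ["I0102 11:59:45 secscan: fetched security report for 3 manifests"]

VULN_HIGH = {"metadata": {"name": "sha256.aaaa"},
             "status": {"highestSeverity": "High", "lastUpdate": "2024-01-02T11:30:00Z"}}
VULN_MEDIUM = {"metadata": {"name": "sha256.bbbb"},
               "status": {"highestSeverity": "Medium", "lastUpdate": "2024-01-02T11:40:00Z"}}
VULN_STALE = {"metadata": {"name": "sha256.cccc"},
              "status": {"highestSeverity": "High", "lastUpdate": "2023-12-20T08:00:00Z"}}

if __name__ == "__main__":
    for label, vulns, logs in [
        ("tls broken", [VULN_HIGH], LOGS_TLS_BROKEN),
        ("401 from quay", [VULN_HIGH], LOGS_AUTH_BROKEN),
        ("healthy, high vuln", [VULN_HIGH, VULN_MEDIUM], LOGS_HEALTHY),
        ("healthy, medium only", [VULN_MEDIUM], LOGS_HEALTHY),
        ("healthy but stale", [VULN_STALE], LOGS_HEALTHY),
    ]:
        verdict, details = assess_cluster(vulns, logs, NOW)
        print(f"{label:22s} -> {verdict:10s} {details}")
```

Note the asymmetry: a green result requires a positive signal (fresh data and no backend errors), while the absence of data is reported as "unknown". With the 401 from the issue, this check would have flagged the operator as blind instead of showing the cluster as clean. The `threshold` parameter lets a team decide which severity turns the verdict red.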