A common use case is that a pipeline (on OCP or an external one) pulls an image from Quay and then builds and tests images which are pushed back to RH Quay. A typical security requirement is to not deploy images to production which already container (critical|important) vulnerabilities at the time of the deployment. Even further, images which just have been built which already contain vuln's shouldn't be even pushed to the registry assuming that they will never be allowed to be used. This requires that the pipeline knows that the images already has been completely scanned (or scan failed or scan still pending, etc.).

The entire logic needs to be handled within the pipeline (pull, push, query the Quay API and stop the pipeline if it contains vulns). The prerequisite would be that the corresponding Quay API endpoint supports a more fine granular status of the current scan status which could be used by the pipeline.

Long-term goal should be an active notification / trigger once the scan has been successfully completed.

The security scan status should be updated to have a enum value that represents the fine grained status of the security scan result such as the following ones:

• CVE database not populated yet
• scan still Pending
• scan successfully completed
• Clair Database deadlock -> Aborted, retrying... ( shown to the user )
• Image failed to be scanned -> Unsupported image type or unknown OS type*
• Clair is not ready -> Not ready*
• Clair is DOWN! -> Unavailable