Project Quay / PROJQUAY-3152

CSO: add ability to use global pull secrets


      Currently, CSO checks the pod spec for any pull secrets and uses those credentials when connecting to the secscan API endpoint:

      https://github.com/quay/container-security-operator/blob/44a4493ddf0fe9adea82906adf6be073f02e61fb/labeller/labeller.go#L371

      However, OpenShift allows global pull secrets to be defined as well:

      https://docs.openshift.com/container-platform/4.9/openshift_images/managing_images/using-image-pull-secrets.html#images-update-global-pull-secret_using-image-pull-secrets

      It would be great if we could implement a feature that would allow CSO to use a global pull secret in addition to checking individual pod specs for one. This will allow pods that do not have a pull secret explicitly defined and are in fact relying on the global, cluster pull secret to be scanned by CSO.

      Assignee: Unassigned
      Reporter: Ivan Bazulic (rhn-support-ibazulic)
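The lookup order requested in this issue, as an added example that is neither CSO's own code nor part of the original report: pod-level pull secrets are consulted first and the cluster-wide pull secret is the fallback. `resolveAuth` and the sample secrets are hypothetical; the code assumes fully qualified image references and `auths` keys that are bare registry hostnames.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// dockerConfig mirrors the .dockerconfigjson payload of a pull secret.
type dockerConfig struct {
	Auths map[string]struct {
		Auth string `json:"auth"`
	} `json:"auths"`
}

// resolveAuth (hypothetical helper) returns the registry credential for image and where it came
// from. global is the cluster pull secret (openshift-config/pull-secret on OpenShift), may be nil.
func resolveAuth(image string, podSecrets [][]byte, global []byte) (string, string, error) {
	host, _, _ := strings.Cut(image, "/") // assumes a fully qualified image reference
	lookup := func(raw []byte) (string, error) {
		var cfg dockerConfig
		if err := json.Unmarshal(raw, &cfg); err != nil {
			return "", err
		}
		return cfg.Auths[host].Auth, nil // assumes auths keys are bare hostnames
	}
	for _, raw := range podSecrets { // secrets named in the pod spec win
		auth, err := lookup(raw)
		if err != nil || auth != "" {
			return auth, "pod", err
		}
	}
	if len(global) > 0 { // fallback for pods that rely on the global secret
		auth, err := lookup(global)
		if err != nil || auth != "" {
			return auth, "global", err
		}
	}
	return "", "none", nil
}

func main() {
	// Constructed sample secrets; the auth values are placeholder base64 strings.
	pod := [][]byte{[]byte(`{"auths":{"quay.io":{"auth":"cG9kOnBhc3M="}}}`)}
	global := []byte(`{"auths":{"registry.example.com":{"auth":"Z2xvYmFsOnBhc3M="}}}`)
	for _, img := range []string{"quay.io/org/app:v1", "registry.example.com/team/api:2"} {
		_, src, err := resolveAuth(img, pod, global)
		fmt.Println(img, "->", src, err) // log the source only, never the credential
	}
}
```

Reading the global secret requires the operator's service account to have `get` access to that one secret, which is a wider grant than reading secrets in the scanned pod's own namespace.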