Environment


Aqua CSP 4.5/4.6/5.0


Problem

 

After using Aqua CSP for some time, you may find that you have accumulated multiple:

- Empty repositories

- Scan failed images

These can only be deleted one at a time using the GUI.



Solution


This is being addressed internally in the two RFEs (Requests For Enhancement) below:

- SLK-17684 -- Cleanup Option - Image was not found in registry

- SLK-26487 -- Cleanup Option - empty repositories


Below we provide the logic needed to automate this process.

The steps below are an alternative solution while the RFEs are considered by our Product Management. We provide only the basic logic as it relates to Aqua CSP; any further assistance with scripting the procedure falls outside the Customer Success Support boundaries, and you can always contact us to involve Professional Services.

We will do this by querying the scalock database (DB) for the needed values and then applying the deletion through our API.


1) Get a list of the actual images that you have as scan failed

Run the statement below against our scalock DB in your Postgres query manager of choice (DBeaver, pgAdmin4, command line, ...):

select rr.registry_id as "registry name",
    rr."name" as "repository name",
    ri."name" as "image name",
    ri.scan_error as "scan error"
from registry_repositories rr
    join registry_images ri on rr.id=ri.repository_id
where ri.id not in (select i_id from scans)
    -- parentheses are needed: AND binds tighter than OR, so without them the NOT IN filter is bypassed
    and (ri.scan_error != '' or ri.scan_error::text <> ''::text);


2) We will use the Aqua REST API call below for the image deletion:

DELETE {{Server_URL}}/api/v2/images/{{Registry}}/{{Repository}}/{{Tag}}


To generate the string "{{Registry}}/{{Repository}}/{{Tag}}" for each of your images, run the statement below against our scalock DB:

select
    concat ('/', rr.registry_id,'/',rr.name,'/',split_part(ri.name,':',2)) as "string to use for deleting with API"
from registry_repositories rr
    join registry_images ri on rr.id=ri.repository_id
where ri.id not in (select image_id from scans)
    -- parentheses are needed: AND binds tighter than OR, so without them the NOT IN filter is bypassed
    and (ri.scan_error != '' or ri.scan_error::text <> ''::text);

From here you can use your preferred scripting option to automate the operation (you can process all of them or just the ones that you require).

3) We will use the Aqua REST API call below for the repository deletion:

DELETE {{Server_URL}}/api/v2/repositories/{{Registry}}/{{Repository}}

To generate the string "{{Registry}}/{{Repository}}" for each of your repositories, run the statement below against our scalock DB:

select
    concat ('/', rr.registry_id,'/',rr.name) as "string to use for deleting with API"
from registry_repositories rr
where rr.id not in (select distinct(ri.repository_id) from registry_images ri);

From here you can use your preferred scripting option to automate the operation (you can process all of them or just the ones that you require).
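One way to script steps 2 and 3, shown as an added example in Python (not Aqua's own code): it takes the strings returned by the queries above, rejects malformed rows, and only lists what it would delete unless dry_run is turned off. The host aqua.example.internal, the function names and the bearer-token Authorization header are assumptions.

```python
import urllib.error
import urllib.request
from urllib.parse import quote

def build_delete_url(server_url, kind, db_path):
    """Turn one row of the SQL output ("/registry/repository[/tag]") into a DELETE URL."""
    min_parts = {"images": 3, "repositories": 2}[kind]  # KeyError on any other kind
    parts = db_path[1:].split("/") if db_path.startswith("/") else []
    # split_part(ri.name, ':', 2) yields '' for a name without a tag, so the row
    # ends in "/"; reject that and dot segments instead of sending a shorter path.
    if len(parts) < min_parts or any(p in ("", ".", "..") for p in parts):
        raise ValueError(f"malformed path {db_path!r}")
    # Percent-encode everything except "/" (registry names may contain spaces).
    return f"{server_url.rstrip('/')}/api/v2/{kind}{quote(db_path)}"

def delete_all(server_url, kind, db_paths, token, dry_run=True):
    """Return (row, outcome) pairs; nothing is sent unless dry_run=False."""
    results = []
    for row in db_paths:
        try:
            url = build_delete_url(server_url, kind, row.strip())
        except ValueError as exc:
            results.append((row, f"skipped: {exc}"))
            continue
        if dry_run:
            results.append((row, f"would DELETE {url}"))
            continue
        # Assumption: the API accepts a bearer token in the Authorization header.
        req = urllib.request.Request(
            url, method="DELETE", headers={"Authorization": f"Bearer {token}"})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                results.append((row, f"HTTP {resp.status}"))
        except urllib.error.URLError as exc:  # HTTPError is a subclass
            results.append((row, f"failed: {getattr(exc, 'code', None) or exc.reason}"))
    return results

if __name__ == "__main__":
    # Constructed rows in the shape the image query returns; the last has no tag.
    rows = ["/Docker Hub/library/nginx/1.19", "/reg1/team/app/v2", "/reg1/team/app/"]
    for row, outcome in delete_all(
            "https://aqua.example.internal", "images", rows, token="", dry_run=True):
        print(f"{row!r}: {outcome}")
```

Review the dry-run output against the GUI before calling delete_all with dry_run=False.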


Related information

https://docs.aquasec.com/reference
https://dbeaver.io/
https://www.pgadmin.org/