I have a question about the Registry Sync Application. The documentation states:
During the first run, the application will fingerprint all tagged images from a connected registry, no matter if it is associated with a running container or not.
Recurring scans run every hour by default, unless you set a different time. Only new fingerprints are sent to InsightVM.
Can someone clarify what that means?
My original impression was that this meant that the registry sync application would only pull and process an image if the image has not already been pulled and processed. However, the behavior I’m seeing is that the registry sync app will pull and process every single tag for a given repository, regardless of whether or not it’s already been scanned and assessed in InsightVM. Can someone please clarify what the actual behavior is supposed to be?
For us, it’s very inefficient for the scanner to “re-scan” every single tag in a repository. Ideally, it should check the InsightVM API first and only pull images when we don’t already have valid assessments for them.