Description
Context
Coder recently published a guide on how to integrate with JFrog Xray to scan workspace images. That guide uses the `coder-xray` utility, which can be deployed to scan all workspaces in a given K8s namespace. This works great but has limitations.
- Only works for K8s-based workspaces
- Requires deploying `coder-xray` as a service
Suggested solution
Coder makes use of `terraform` as the provisioner to create workspaces. This gives Coder flexibility to provide a range of computing, storage, and network resources for any platform with a terraform provider. While researching, I came across `xray-terraform-provider`, which can be used to fetch the xray-scan results of an artifact. (Thanks to @alexhung for adding this feature.)

This has the added benefit of enabling the integration of all types of workspaces where the image is being sourced from JFrog Artifactory. (See this guide on enabling Artifactory integration.)

The result can then be displayed as a `coder_metadata` resource on the workspace page.
```hcl
provider "xray" {
  url           = "https://jfrt.cdr.dev/xray"
  access_token  = "TOKEN" # placeholder; supply via a variable or environment, not inline
  check_license = false
}

# Fetch the Xray scan results for the workspace image stored in Artifactory.
data "xray_artifacts_scan" "image_scan" {
  repo      = "docker-local"
  repo_path = "/codercom/enterprise-base:local"
}

locals {
  # Security issue counts by severity for the first scan result.
  vulnerabilities = data.xray_artifacts_scan.image_scan.results[0].sec_issues
}

# Surface the counts on the workspace page.
resource "coder_metadata" "workspace_info" {
  count       = data.coder_workspace.me.start_count
  resource_id = "WORKSPACE_RESOURCE_ID"

  item {
    key   = "Critical"
    value = local.vulnerabilities.critical
  }
  item {
    key   = "High"
    value = local.vulnerabilities.high
  }
  item {
    key   = "Medium"
    value = local.vulnerabilities.medium
  }
  item {
    key   = "Low"
    value = local.vulnerabilities.low
  }
}
```
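As an added example (not part of the issue or of Coder's templates), the same scan data can also gate provisioning rather than only annotate it: a `lifecycle` precondition fails the build when critical findings exceed a threshold. It assumes the `xray` and `coder` providers are configured as in the proposal above, that the `sec_issues` fields are numeric counts, and that `WORKSPACE_RESOURCE_ID`, the repo path and the variable `max_critical` are placeholders.

```hcl
# Assumed threshold; 0 means any critical finding blocks workspace start.
variable "max_critical" {
  type    = number
  default = 0
}

# Same data source as the proposal above; repo and path are placeholders.
data "xray_artifacts_scan" "image_scan" {
  repo      = "docker-local"
  repo_path = "/codercom/enterprise-base:local"
}

locals {
  vulnerabilities = data.xray_artifacts_scan.image_scan.results[0].sec_issues
  # Assumes the severity fields are numeric counts.
  total_findings = sum([
    local.vulnerabilities.critical,
    local.vulnerabilities.high,
    local.vulnerabilities.medium,
    local.vulnerabilities.low,
  ])
}

resource "coder_metadata" "workspace_scan" {
  count       = data.coder_workspace.me.start_count
  resource_id = "WORKSPACE_RESOURCE_ID" # placeholder, as in the proposal

  # Enforcement: refuse to provision when the image exceeds the critical limit,
  # instead of only displaying the numbers on the workspace page.
  lifecycle {
    precondition {
      condition     = local.vulnerabilities.critical <= var.max_critical
      error_message = "Image has ${local.vulnerabilities.critical} critical Xray findings; limit is ${var.max_critical}."
    }
  }

  item {
    key   = "Critical"
    value = local.vulnerabilities.critical
  }
  item {
    key   = "Total findings"
    value = local.total_findings
  }
}
```

When the precondition fails, `terraform apply` stops before any workspace resources are created and the error message is shown in the Coder build log.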
TODO
- xray-integration(docs): update the guide to recommend this terraform method instead of using `coder-xray`
- JFrog xray scanning module to list workspace image vulnerabilities registry#65
- xray-integration(frontend): update frontend to parse the terraform output and display the vulnerabilities natively. #12839