Enhance CLAUDE.md with detailed features on real-time scanning, vulnerability management, and database schema improvements
Changed file: CLAUDE.md (50 lines changed, additions plus deletions)
@@ -44,10 +44,11 @@ This tool addresses the challenge of managing Docker images across numerous GitL
|
|||||||
- Maintain historical data on image usage patterns
|
- Maintain historical data on image usage patterns
|
||||||
|
|
||||||
### Vulnerability Management
|
### Vulnerability Management
|
||||||
- Periodic vulnerability scanning (configurable schedule)
|
- Real-time vulnerability scanning with Trivy integration
|
||||||
- Severity classification and reporting
|
- Vulnerability-to-scan job traceability for complete audit trail
|
||||||
- Integration with vulnerability databases
|
- Severity classification and reporting (Critical, High, Medium, Low, Unspecified)
|
||||||
- Automated alerting for critical vulnerabilities
|
- Integration with vulnerability databases (NVD API fallback)
|
||||||
|
- WebSocket-based real-time scan status notifications
|
||||||
|
|
||||||
### Ignore System
|
### Ignore System
|
||||||
- **Image-level ignoring**: Exclude specific Docker images from scanning
|
- **Image-level ignoring**: Exclude specific Docker images from scanning
|
||||||
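Review bot: the old bullet "Automated alerting for critical vulnerabilities" is dropped from this hunk without a replacement, while the nearest new bullet, "WebSocket-based real-time scan status notifications", describes scan progress events rather than severity-based alerts; if alerting still exists it should stay in the list, and if it was removed the doc should say so rather than leave readers assuming scan-status toasts cover it. Two smaller documentation points in the same hunk: "Integration with vulnerability databases (NVD API fallback)" should state when the fallback is used (Trivy DB miss, offline Trivy, or missing CVSS data) and that unauthenticated NVD API calls are heavily rate-limited, so an API key and caching are needed for an instance scanning hundreds of images; and "Severity classification and reporting (Critical, High, Medium, Low, Unspecified)" should note that Trivy itself reports the lowest level as UNKNOWN, so the doc should state the mapping to "Unspecified" to avoid a mismatch between the UI and raw scan output.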
@@ -81,6 +82,8 @@ This is a full-stack application with separated backend and frontend:
|
|||||||
- **Backend**: Python 3.12+ with FastAPI, SQLite database, and python-gitlab
|
- **Backend**: Python 3.12+ with FastAPI, SQLite database, and python-gitlab
|
||||||
- **Frontend**: React 19 + TypeScript + Vite + React Router + Tailwind CSS + shadcn/ui
|
- **Frontend**: React 19 + TypeScript + Vite + React Router + Tailwind CSS + shadcn/ui
|
||||||
- **Database**: SQLite for local storage of image inventory, scan results, and configuration
|
- **Database**: SQLite for local storage of image inventory, scan results, and configuration
|
||||||
|
- **Real-time Communication**: WebSocket integration with Socket.IO for live scan updates
|
||||||
|
- **Vulnerability Scanning**: Trivy integration for comprehensive security analysis
|
||||||
- **Build Tools**: Vite for frontend, Python packaging for backend
|
- **Build Tools**: Vite for frontend, Python packaging for backend
|
||||||
- **Package Management**: uv/pip for Python, Bun for Node.js
|
- **Package Management**: uv/pip for Python, Bun for Node.js
|
||||||
|
|
||||||
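Review bot: the new "Real-time Communication: WebSocket integration with Socket.IO for live scan updates" line should say how the Socket.IO endpoint is authenticated and which events it emits, since scan events carry project paths and vulnerability counts and a WebSocket endpoint is easy to leave outside the REST auth path; one sentence such as "the socket handshake reuses the API session/token and only broadcasts scan lifecycle events" would close the gap. Likewise, "Vulnerability Scanning: Trivy integration for comprehensive security analysis" should state the Trivy dependency explicitly (binary on PATH vs. container, minimum version, and whether the vulnerability DB is updated automatically or must be refreshed offline), because the tech-stack section is where a new contributor looks for that.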
@@ -118,10 +121,37 @@ bun preview
|
|||||||
|
|
||||||
## Architecture Considerations
|
## Architecture Considerations
|
||||||
|
|
||||||
- **Data Models**: Projects, Files, Images, Vulnerabilities, Ignore Rules (SQLite schema)
|
- **Data Models**: Projects, Files, Images, Vulnerabilities, ScanJobs, FileImageUsage, IgnoreRules (SQLite schema)
|
||||||
- **API Layer**: FastAPI REST endpoints for frontend communication
|
- **API Layer**: FastAPI REST endpoints with WebSocket support for real-time communication
|
||||||
- **Scanning Engine**: Background job system for repository scanning
|
- **Scanning Engine**: Asynchronous background job system with concurrent scan prevention
|
||||||
- **GitLab Integration**: python-gitlab library for repository and branch access
|
- **GitLab Integration**: python-gitlab library with group-based filtering for large instances
|
||||||
- **Database**: SQLite with proper indexing for performance
|
- **Database**: SQLite with proper indexing and many-to-many relationships for performance
|
||||||
- **Security**: Secure handling of GitLab tokens and vulnerability data
|
- **Security**: Secure handling of GitLab tokens and vulnerability data
|
||||||
- **Scalability**: Design for scanning hundreds of repositories efficiently
|
- **Real-time Updates**: WebSocket notifications with persistent connections across page navigation
|
||||||
|
- **Scalability**: Design for scanning hundreds of repositories efficiently with group filtering
|
||||||
|
|
||||||
|
## Key Features Implemented
|
||||||
|
|
||||||
|
### Real-time Scan Management
|
||||||
|
- **Asynchronous scanning**: Non-blocking scans that allow app usage during execution
|
||||||
|
- **Concurrent scan prevention**: Only one scan can run at a time to prevent resource conflicts
|
||||||
|
- **WebSocket notifications**: Real-time updates with toast notifications using Sonner
|
||||||
|
- **Persistent connection**: WebSocket connection maintained across all pages
|
||||||
|
- **Existing scan detection**: New users immediately see ongoing scan status
|
||||||
|
|
||||||
|
### Database Schema
|
||||||
|
- **Many-to-many relationships**: FileImageUsage table linking files and images
|
||||||
|
- **Scan job traceability**: Vulnerabilities linked to the scan job that detected them
|
||||||
|
- **Full project paths**: Projects include complete GitLab path (e.g., utils/services/checkmk)
|
||||||
|
- **Audit trail**: Complete tracking of when and how vulnerabilities were discovered
|
||||||
|
|
||||||
|
### Group-based Filtering
|
||||||
|
- **Environment variable**: `GITLAB_GROUPS` for limiting scans to specific groups
|
||||||
|
- **Large instance support**: Essential for GitLab instances with hundreds of projects
|
||||||
|
- **Development-friendly**: Allows focusing on relevant projects during development
|
||||||
|
|
||||||
|
### User Interface
|
||||||
|
- **Real-time status indicators**: Connection status and running scan indicators in sidebar
|
||||||
|
- **Toast notifications**: Bottom-right positioned for better UX
|
||||||
|
- **Responsive design**: Works across different screen sizes with proper layout
|
||||||
|
- **Event-driven updates**: Scan jobs page refreshes only when scan events occur
|
||||||
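Review bot: "Concurrent scan prevention: Only one scan can run at a time to prevent resource conflicts" (and the matching "Asynchronous background job system with concurrent scan prevention" line) does not say how the single-scan lock is enforced or recovered; if it is an in-process flag it is lost on restart, and if it is a ScanJobs row with a running status a crashed process leaves a stale lock that blocks every future scan, so the doc should name the mechanism and the stale-lock cleanup rule (for example, a job still marked running on startup is marked failed). Two further points in this hunk: "Security: Secure handling of GitLab tokens and vulnerability data" is unchanged while the hunk adds the `GITLAB_GROUPS` environment variable and a full SQLite schema, so it would help to state concretely that the token is read from the environment, is never written to SQLite or logs, and needs only read scope for the configured groups; and several bullets under "## Key Features Implemented" (real-time updates, group-based scalability, WebSocket persistence) restate lines already in "## Architecture Considerations", which will drift apart on the next edit, so consider keeping each fact in one place.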