From efcc951ecffc58243f3c6fd1419287e64a635615 Mon Sep 17 00:00:00 2001 From: Fabian Gonzalez Date: Sun, 3 Sep 2023 12:49:25 -0400 Subject: [PATCH 1/4] include pinned image information Signed-off-by: Fabian Gonzalez --- api/unversioned/imagejob_types.go | 1 + pkg/collector/helpers.go | 2 ++ pkg/remover/helpers.go | 1 + pkg/scanners/template/scanner_template.go | 9 +++++++++ pkg/scanners/trivy/trivy.go | 10 ++++++++++ pkg/scanners/trivy/types.go | 2 ++ 6 files changed, 25 insertions(+) diff --git a/api/unversioned/imagejob_types.go b/api/unversioned/imagejob_types.go index 5ef6ae5001..f2b9b1644b 100644 --- a/api/unversioned/imagejob_types.go +++ b/api/unversioned/imagejob_types.go @@ -25,6 +25,7 @@ type Image struct { ImageID string `json:"image_id"` Names []string `json:"names,omitempty"` Digests []string `json:"digests,omitempty"` + Pinned bool `json:"pinned,omitempty"` } // EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN! diff --git a/pkg/collector/helpers.go b/pkg/collector/helpers.go index 4bb52456d9..1216c8e148 100644 --- a/pkg/collector/helpers.go +++ b/pkg/collector/helpers.go @@ -28,6 +28,7 @@ func getImages(c cri.Collector) ([]unversioned.Image, error) { newImg := unversioned.Image{ ImageID: img.Id, Names: repoTags, + Pinned: img.Pinned, } digests, errs := util.ProcessRepoDigests(img.RepoDigests) @@ -71,6 +72,7 @@ func getImages(c cri.Collector) ([]unversioned.Image, error) { ImageID: imageID, Names: img.Names, Digests: img.Digests, + Pinned: img.Pinned, } if !util.IsExcluded(excluded, currImage.ImageID, idToImageMap) { diff --git a/pkg/remover/helpers.go b/pkg/remover/helpers.go index 9d16e1d7d6..c2ea954de7 100644 --- a/pkg/remover/helpers.go +++ b/pkg/remover/helpers.go @@ -30,6 +30,7 @@ func removeImages(c cri.Remover, targetImages []string) (int, error) { newImg := unversioned.Image{ ImageID: img.Id, Names: repoTags, + Pinned: img.Pinned, } digests, errs := util.ProcessRepoDigests(img.RepoDigests) 
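Review bot: The new `Pinned` field on `Image` in api/unversioned/imagejob_types.go has no comment saying where the value comes from or what it gates, yet later patches in this series use it as the only signal for whether an image may be deleted. A field comment such as `// Pinned is copied from the container runtime's image listing; pinned images are kept unless removal is explicitly enabled.` would make that contract visible. Patch 3/4 drops the generated `Convert_unversioned_Image_To_v1_Image` and `Convert_unversioned_Image_To_v1alpha1_Image` wrappers, which suggests the versioned `Image` types do not carry the field. If so, the flag is lost whenever an image list passes through a versioned object, and that should either be documented or the versioned types extended.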
diff --git a/pkg/scanners/template/scanner_template.go b/pkg/scanners/template/scanner_template.go index bf005668c2..2c96b30a39 100644 --- a/pkg/scanners/template/scanner_template.go +++ b/pkg/scanners/template/scanner_template.go @@ -34,6 +34,7 @@ type config struct { log logr.Logger deleteScanFailedImages bool deleteEOLImages bool + deletePinnedImages bool reportMetrics bool } @@ -45,6 +46,7 @@ func NewImageProvider(funcs ...ConfigFunc) ImageProvider { ctx: context.Background(), log: logf.Log.WithName("scanner"), deleteScanFailedImages: true, + deletePinnedImages: false, reportMetrics: false, } @@ -151,6 +153,13 @@ func WithDeleteEOLImages(deleteEOLImages bool) ConfigFunc { } } +// sets deletePinnedImages flag. +func WithDeletePinnedImages(deletePinnedImages bool) ConfigFunc { + return func(cfg *config) { + cfg.deletePinnedImages = deletePinnedImages + } +} + // provide custom logger. func WithLogger(log logr.Logger) ConfigFunc { return func(cfg *config) { diff --git a/pkg/scanners/trivy/trivy.go b/pkg/scanners/trivy/trivy.go index 71bf330a73..d759947828 100644 --- a/pkg/scanners/trivy/trivy.go +++ b/pkg/scanners/trivy/trivy.go @@ -92,6 +92,7 @@ func main() { template.WithMetrics(recordMetrics), template.WithDeleteScanFailedImages(userConfig.DeleteFailedImages), template.WithDeleteEOLImages(userConfig.DeleteEOLImages), + template.WithDeletePinnedImages(userConfig.DeletePinnedImages), ) allImages, err := provider.ReceiveImages() 
@@ -105,6 +106,15 @@ func main() { log.Error(err, "error initializing scanner") } + // TODO: 4 options to decide on how we'd want to {filter out/handle} `pinned` images. + // 1. Filter inside the `ReceiveImages` function, part of the scanner template, so `allImages` is all non-pinned. + // 2. Filter `allImages` AFTER `ReceiveImages`, so we don't affect the scanner template function. + // 3. During the `scan` (or `Scan`) function, check if the image is pinned and continue. + // - This would be the most performant, where we don't add extra filtering, just `continue` during image scans. + // - We'd also decide here if we still want to scan the pinned image, even when we don't want to delete it. + // 4. Filter inside the `SendImages` function, part of the scanner template, so the images sent to the eraser are non-pinned. + // - Not sure how our template works, and if we'd want to filter there so other implementations don't have to. + // Adding filtering (aside from step 3 where we `continue`) would add O(n)+ time complexity to go through all images and filter. vulnerableImages, failedImages, err := scan(s, allImages) if err != nil { log.Error(err, "total image scan timed out") diff --git a/pkg/scanners/trivy/types.go b/pkg/scanners/trivy/types.go index 3d91a22514..82e02c2312 100644 --- a/pkg/scanners/trivy/types.go +++ b/pkg/scanners/trivy/types.go @@ -39,6 +39,7 @@ type ( DBRepo string `json:"dbRepo,omitempty"` DeleteFailedImages bool `json:"deleteFailedImages,omitempty"` DeleteEOLImages bool `json:"deleteEOLImages,omitempty"` + DeletePinnedImages bool `json:"deletePinnedImages,omitempty"` Vulnerabilities VulnConfig `json:"vulnerabilities,omitempty"` Timeout TimeoutConfig `json:"timeout,omitempty"` } @@ -69,6 +70,7 @@ func DefaultConfig() *Config { DBRepo: "ghcr.io/aquasecurity/trivy-db", DeleteFailedImages: true, DeleteEOLImages: true, + DeletePinnedImages: false, Vulnerabilities: VulnConfig{ IgnoreUnfixed: true, Types: []string{ 
From bdcd2e2f42ef5daddf508c60b93a13663c02fe41 Mon Sep 17 00:00:00 2001 From: Fabian Gonzalez Date: Wed, 29 Nov 2023 18:07:37 -0500 Subject: [PATCH 2/4] Add extra comments on areas we can manage Pinned images Signed-off-by: Fabian Gonzalez --- pkg/scanners/template/scanner_template.go | 2 ++ pkg/scanners/trivy/trivy.go | 8 +++++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/pkg/scanners/template/scanner_template.go b/pkg/scanners/template/scanner_template.go index 2c96b30a39..d5fb4a38a0 100644 --- a/pkg/scanners/template/scanner_template.go +++ b/pkg/scanners/template/scanner_template.go @@ -58,6 +58,7 @@ func NewImageProvider(funcs ...ConfigFunc) ImageProvider { return cfg } +// TODO - 1. We could filter here, so the returned images are all images that are not pinned. func (cfg *config) ReceiveImages() ([]unversioned.Image, error) { var err error @@ -82,6 +83,7 @@ func (cfg *config) ReceiveImages() ([]unversioned.Image, error) { } func (cfg *config) SendImages(nonCompliantImages, failedImages []unversioned.Image) error { + // TODO - 4. we could filter out pinned images here, so they are not deleted. if cfg.deleteScanFailedImages { nonCompliantImages = append(nonCompliantImages, failedImages...) } diff --git a/pkg/scanners/trivy/trivy.go b/pkg/scanners/trivy/trivy.go index d759947828..af8a330daa 100644 --- a/pkg/scanners/trivy/trivy.go +++ b/pkg/scanners/trivy/trivy.go @@ -100,6 +100,7 @@ func main() { log.Error(err, "unable to read images from provider") os.Exit(generalErr) } + // TODO - 2. We could filter the pinned images out here, to not affect the template. s, err := initScanner(&userConfig) if err != nil { 
@@ -110,11 +111,11 @@ func main() { // 1. Filter inside the `ReceiveImages` function, part of the scanner template, so `allImages` is all non-pinned. // 2. Filter `allImages` AFTER `ReceiveImages`, so we don't affect the scanner template function. // 3. During the `scan` (or `Scan`) function, check if the image is pinned and continue. - // - This would be the most performant, where we don't add extra filtering, just `continue` during image scans. - // - We'd also decide here if we still want to scan the pinned image, even when we don't want to delete it. + // - This could be the most performant, where we don't add extra filtering, and just `continue` during image scans. + // - We could decide here if we still want to scan the pinned image, even when we don't want to delete it. // 4. Filter inside the `SendImages` function, part of the scanner template, so the images sent to the eraser are non-pinned. // - Not sure how our template works, and if we'd want to filter there so other implementations don't have to. - // Adding filtering (aside from step 3 where we `continue`) would add O(n)+ time complexity to go through all images and filter. + // Adding filtering (aside from step 3 where we `continue`) would add an extra O(n) time complexity to go through all images and filter. vulnerableImages, failedImages, err := scan(s, allImages) if err != nil { log.Error(err, "total image scan timed out") @@ -184,6 +185,7 @@ func scan(s Scanner, allImages []unversioned.Image) ([]unversioned.Image, []unve // track total scan job time for idx, img := range allImages { + // TODO - 3. we could filter out Pinned images here by `continue`-ing. we'll need to be sure nothing wonky happens with pinned images on timeout. select { case <-s.Timer().C: failedImages = append(failedImages, allImages[idx:]...) From 7f95f58c1c3f8e173b3383f8d6975f86f5283b7a Mon Sep 17 00:00:00 2001 
From: Fabian Gonzalez Date: Sat, 2 Dec 2023 08:39:17 -0500 Subject: [PATCH 3/4] Move Pinned check + removal to the collector and remover pods Signed-off-by: Fabian Gonzalez --- api/unversioned/config/config.go | 1 + api/v1/zz_generated.conversion.go | 5 ----- api/v1alpha1/zz_generated.conversion.go | 5 ----- .../imagecollector/imagecollector_controller.go | 6 ++++-- go.mod | 1 + pkg/collector/collector.go | 6 ++++++ pkg/remover/helpers.go | 13 ++++++++++++- pkg/remover/remover.go | 4 +++- pkg/scanners/template/scanner_template.go | 10 ---------- pkg/scanners/trivy/trivy.go | 13 +------------ pkg/scanners/trivy/types.go | 2 -- pkg/utils/utils.go | 14 ++++++++++++++ 12 files changed, 42 insertions(+), 38 deletions(-) diff --git a/api/unversioned/config/config.go b/api/unversioned/config/config.go index c469755bfe..8fbc09cc25 100644 --- a/api/unversioned/config/config.go +++ b/api/unversioned/config/config.go @@ -75,6 +75,7 @@ const ( oneDay = unversioned.Duration(time.Hour * 24) ) +// TODO - add defaults for gathering/scanning/removing Pinned images func Default() *unversioned.EraserConfig { return &unversioned.EraserConfig{ Manager: unversioned.ManagerConfig{ diff --git a/api/v1/zz_generated.conversion.go b/api/v1/zz_generated.conversion.go index 816e166670..678844c967 100644 --- a/api/v1/zz_generated.conversion.go +++ b/api/v1/zz_generated.conversion.go 
@@ -138,11 +138,6 @@ func autoConvert_unversioned_Image_To_v1_Image(in *unversioned.Image, out *Image return nil } -// Convert_unversioned_Image_To_v1_Image is an autogenerated conversion function. -func Convert_unversioned_Image_To_v1_Image(in *unversioned.Image, out *Image, s conversion.Scope) error { - return autoConvert_unversioned_Image_To_v1_Image(in, out, s) -} - func autoConvert_v1_ImageJob_To_unversioned_ImageJob(in *ImageJob, out *unversioned.ImageJob, s conversion.Scope) error { out.ObjectMeta = in.ObjectMeta if err := Convert_v1_ImageJobStatus_To_unversioned_ImageJobStatus(&in.Status, &out.Status, s); err != nil { diff --git a/api/v1alpha1/zz_generated.conversion.go b/api/v1alpha1/zz_generated.conversion.go index 70c4d3e92e..be84a6fbc8 100644 --- a/api/v1alpha1/zz_generated.conversion.go +++ b/api/v1alpha1/zz_generated.conversion.go @@ -348,11 +348,6 @@ func autoConvert_unversioned_Image_To_v1alpha1_Image(in *unversioned.Image, out return nil } -// Convert_unversioned_Image_To_v1alpha1_Image is an autogenerated conversion function. -func Convert_unversioned_Image_To_v1alpha1_Image(in *unversioned.Image, out *Image, s conversion.Scope) error { - return autoConvert_unversioned_Image_To_v1alpha1_Image(in, out, s) -} - func autoConvert_v1alpha1_ImageJob_To_unversioned_ImageJob(in *ImageJob, out *unversioned.ImageJob, s conversion.Scope) error { out.ObjectMeta = in.ObjectMeta if err := Convert_v1alpha1_ImageJobStatus_To_unversioned_ImageJobStatus(&in.Status, &out.Status, s); err != nil { diff --git a/controllers/imagecollector/imagecollector_controller.go b/controllers/imagecollector/imagecollector_controller.go index dc918a1f82..d91018e8e2 100644 --- a/controllers/imagecollector/imagecollector_controller.go +++ b/controllers/imagecollector/imagecollector_controller.go 
@@ -308,10 +308,12 @@ func (r *Reconciler) createImageJob(ctx context.Context) (ctrl.Result, error) { fmt.Sprintf("--pprof-port=%d", profileConfig.Port), } - collArgs := []string{"--scan-disabled=" + strconv.FormatBool(scanDisabled)} + // todo implement the config for this + collArgs := []string{"--scan-disabled=" + strconv.FormatBool(scanDisabled), "--scan-pinned=" + strconv.FormatBool(scanCfg.ScanPinned)} collArgs = append(collArgs, profileArgs...) - removerArgs := []string{"--log-level=" + logger.GetLevel()} + // todo implement the config for this + removerArgs := []string{"--log-level=" + logger.GetLevel(), "--remove-pinned=" + strconv.FormatBool(eraserCfg.RemovePinned)} removerArgs = append(removerArgs, profileArgs...) pullSecrets := []corev1.LocalObjectReference{} diff --git a/go.mod b/go.mod index 1e9f86c754..10beae7d9f 100644 --- a/go.mod +++ b/go.mod @@ -151,6 +151,7 @@ replace ( k8s.io/component-helpers => k8s.io/component-helpers v0.26.11 k8s.io/controller-manager => k8s.io/controller-manager v0.26.11 k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.26.11 + k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.26.11 k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.26.11 k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.26.11 k8s.io/kube-proxy => k8s.io/kube-proxy v0.26.11 diff --git a/pkg/collector/collector.go b/pkg/collector/collector.go index 09c2c81641..80fdaf1f9c 100644 --- a/pkg/collector/collector.go +++ b/pkg/collector/collector.go 
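Review bot: `scanCfg.ScanPinned` and `eraserCfg.RemovePinned` are read in `createImageJob`, but the only config change visible in this patch is a TODO above `Default()` in api/unversioned/config/config.go, so the fields and their defaults may not exist yet. Because `--remove-pinned` decides whether the remover may delete images the runtime has pinned, `Default()` should set it to `false` explicitly rather than rely on the zero value. The two `// todo implement the config for this` comments should be replaced once the fields land. `createImageJob` starts and ends outside this hunk.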
@@ -23,6 +23,7 @@ var ( enableProfile = flag.Bool("enable-pprof", false, "enable pprof profiling") profilePort = flag.Int("pprof-port", 6060, "port for pprof profiling. defaulted to 6060 if unspecified") scanDisabled = flag.Bool("scan-disabled", false, "boolean for if scanner container is disabled") + scanPinned = flag.Bool("scan-pinned", false, "boolean for if scanner container should scan pinned images") // Timeout of connecting to server (default: 5m). timeout = 5 * time.Minute @@ -80,6 +81,11 @@ func main() { } log.Info("images collected", "finalImages:", finalImages) + if !(*scanPinned) { + log.Info("skipping scanning pinned images") + finalImages = util.RemovePinnedImages(finalImages) + } + data, err := json.Marshal(finalImages) if err != nil { log.Error(err, "failed to encode finalImages") diff --git a/pkg/remover/helpers.go b/pkg/remover/helpers.go index c2ea954de7..c819ef5140 100644 --- a/pkg/remover/helpers.go +++ b/pkg/remover/helpers.go @@ -8,7 +8,7 @@ import ( util "github.com/eraser-dev/eraser/pkg/utils" ) -func removeImages(c cri.Remover, targetImages []string) (int, error) { +func removeImages(c cri.Remover, removePinned bool, targetImages []string) (int, error) { removed := 0 backgroundContext, cancel := context.WithTimeout(context.Background(), timeout) @@ -76,6 +76,12 @@ func removeImages(c cri.Remover, targetImages []string) (int, error) { continue } + // TODO - figure out why is imgDigestOrTag used instead of imageID when it's called "idToImageMap" (copied usage from isExcluded). + if !removePinned && util.IsPinned(imageID, idToImageMap) { + log.Info("image is kept due to being pinned", "given", imgDigestOrTag, "imageID", imageID, "name", idToImageMap[imageID]) + continue + } + err = c.DeleteImage(backgroundContext, imageID) if err != nil { log.Error(err, "error removing image", "given", imgDigestOrTag, "imageID", imageID, "name", idToImageMap[imageID]) 
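Review bot: In `main` of pkg/collector/collector.go the pinned filter runs regardless of `--scan-disabled`, and the message `skipping scanning pinned images` understates the effect: pinned images are dropped from the collector's output altogether. The `images collected` line is also logged before the filter, so the logged set can differ from what is marshalled. Consider logging after the filter, for example `log.Info("pinned images excluded from collector output", "remaining", len(finalImages))`, and writing the condition as `if !*scanPinned {`. `main` continues outside the hunk.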
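Review bot: The pinned guard in `removeImages` relies on `util.IsPinned(imageID, idToImageMap)`, which returns `idToImageMap[img].Pinned` (pkg/utils/utils.go in this patch). A key missing from the map yields the zero value, so an image that cannot be looked up counts as not pinned and goes on to `DeleteImage`. If a miss is possible at either call site (this one and the prune loop in the next hunk), keeping the image is the safer outcome: `img, ok := idToImageMap[imageID]` followed by `if !removePinned && (!ok || img.Pinned) {`. The TODO about `imgDigestOrTag` versus `imageID` should be resolved rather than merged, since it records doubt about which key the map expects. The function body extends beyond the hunk.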
@@ -109,6 +115,11 @@ func removeImages(c cri.Remover, targetImages []string) (int, error) { continue } + if !removePinned && util.IsPinned(imageID, idToImageMap) { + log.Info("image is kept due to being pinned", "imageID", imageID, "name", idToImageMap[imageID]) + continue + } + if err := c.DeleteImage(backgroundContext, imageID); err != nil { success = false log.Error(err, "error removing image", "imageID", imageID, "name", idToImageMap[imageID]) diff --git a/pkg/remover/remover.go b/pkg/remover/remover.go index a4228c6b67..eee7b697d9 100644 --- a/pkg/remover/remover.go +++ b/pkg/remover/remover.go @@ -30,6 +30,7 @@ var ( imageListPtr = flag.String("imagelist", "", "name of ImageList") enableProfile = flag.Bool("enable-pprof", false, "enable pprof profiling") profilePort = flag.Int("pprof-port", 6060, "port for pprof profiling. defaulted to 6060 if unspecified") + removePinned = flag.Bool("remove-pinned", false, "skip over pinned images when removing") // Timeout of connecting to server (default: 5m). timeout = 5 * time.Minute @@ -130,7 +131,8 @@ func main() { log.Info("no images to exclude") } - removed, err := removeImages(client, imagelist) + // we pass in the removePinned flag to removeImages, because as of now we just have a list of imageIDs, and we don't know if they are pinned or not + removed, err := removeImages(client, *removePinned, imagelist) if err != nil { log.Error(err, "failed to remove images") os.Exit(generalErr) diff --git a/pkg/scanners/template/scanner_template.go b/pkg/scanners/template/scanner_template.go index d5fb4a38a0..086a2709e2 100644 --- a/pkg/scanners/template/scanner_template.go +++ b/pkg/scanners/template/scanner_template.go @@ -46,7 +46,6 @@ func NewImageProvider(funcs ...ConfigFunc) ImageProvider { ctx: context.Background(), log: logf.Log.WithName("scanner"), deleteScanFailedImages: true, - deletePinnedImages: false, reportMetrics: false, } 
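Review bot: The usage string for `remove-pinned` in pkg/remover/remover.go, `skip over pinned images when removing`, says the opposite of what the flag does: `removeImages` skips pinned images only when `removePinned` is false. An operator reading `--help` could set the flag to `true` expecting pinned images to be protected. Suggested text: `flag.Bool("remove-pinned", false, "also remove pinned images; when false (default) pinned images are kept")`.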
@@ -58,7 +57,6 @@ func NewImageProvider(funcs ...ConfigFunc) ImageProvider { return cfg } -// TODO - 1. We could filter here, so the returned images are all images that are not pinned. func (cfg *config) ReceiveImages() ([]unversioned.Image, error) { var err error @@ -83,7 +81,6 @@ func (cfg *config) ReceiveImages() ([]unversioned.Image, error) { } func (cfg *config) SendImages(nonCompliantImages, failedImages []unversioned.Image) error { - // TODO - 4. we could filter out pinned images here, so they are not deleted. if cfg.deleteScanFailedImages { nonCompliantImages = append(nonCompliantImages, failedImages...) } @@ -155,13 +152,6 @@ func WithDeleteEOLImages(deleteEOLImages bool) ConfigFunc { } } -// sets deletePinnedImages flag. -func WithDeletePinnedImages(deletePinnedImages bool) ConfigFunc { - return func(cfg *config) { - cfg.deletePinnedImages = deletePinnedImages - } -} - // provide custom logger. func WithLogger(log logr.Logger) ConfigFunc { return func(cfg *config) { diff --git a/pkg/scanners/trivy/trivy.go b/pkg/scanners/trivy/trivy.go index 4c7e4cb133..3862858dea 100644 --- a/pkg/scanners/trivy/trivy.go +++ b/pkg/scanners/trivy/trivy.go @@ -100,7 +100,6 @@ func main() { template.WithMetrics(recordMetrics), template.WithDeleteScanFailedImages(userConfig.DeleteFailedImages), template.WithDeleteEOLImages(userConfig.DeleteEOLImages), - template.WithDeletePinnedImages(userConfig.DeletePinnedImages), ) allImages, err := provider.ReceiveImages() 
@@ -108,22 +107,12 @@ func main() { log.Error(err, "unable to read images from provider") os.Exit(generalErr) } - // TODO - 2. We could filter the pinned images out here, to not affect the template. s, err := initScanner(&userConfig) if err != nil { log.Error(err, "error initializing scanner") } - // TODO: 4 options to decide on how we'd want to {filter out/handle} `pinned` images. - // 1. Filter inside the `ReceiveImages` function, part of the scanner template, so `allImages` is all non-pinned. - // 2. Filter `allImages` AFTER `ReceiveImages`, so we don't affect the scanner template function. - // 3. During the `scan` (or `Scan`) function, check if the image is pinned and continue. - // - This could be the most performant, where we don't add extra filtering, and just `continue` during image scans. - // - We could decide here if we still want to scan the pinned image, even when we don't want to delete it. - // 4. Filter inside the `SendImages` function, part of the scanner template, so the images sent to the eraser are non-pinned. - // - Not sure how our template works, and if we'd want to filter there so other implementations don't have to. - // Adding filtering (aside from step 3 where we `continue`) would add an extra O(n) time complexity to go through all images and filter. vulnerableImages, failedImages, err := scan(s, allImages) if err != nil { log.Error(err, "total image scan timed out") @@ -135,6 +124,7 @@ func main() { log.Info("Failed", "Images", failedImages) } + // send to eraser? err = provider.SendImages(vulnerableImages, failedImages) if err != nil { log.Error(err, "unable to write images") 
@@ -193,7 +183,6 @@ func scan(s Scanner, allImages []unversioned.Image) ([]unversioned.Image, []unve // track total scan job time for idx, img := range allImages { - // TODO - 3. we could filter out Pinned images here by `continue`-ing. we'll need to be sure nothing wonky happens with pinned images on timeout. select { case <-s.Timer().C: failedImages = append(failedImages, allImages[idx:]...) diff --git a/pkg/scanners/trivy/types.go b/pkg/scanners/trivy/types.go index dad060b257..e6972a3ad3 100644 --- a/pkg/scanners/trivy/types.go +++ b/pkg/scanners/trivy/types.go @@ -40,7 +40,6 @@ type ( DBRepo string `json:"dbRepo,omitempty"` DeleteFailedImages bool `json:"deleteFailedImages,omitempty"` DeleteEOLImages bool `json:"deleteEOLImages,omitempty"` - DeletePinnedImages bool `json:"deletePinnedImages,omitempty"` Vulnerabilities VulnConfig `json:"vulnerabilities,omitempty"` Timeout TimeoutConfig `json:"timeout,omitempty"` } @@ -72,7 +71,6 @@ func DefaultConfig() *Config { DBRepo: "ghcr.io/aquasecurity/trivy-db", DeleteFailedImages: true, DeleteEOLImages: true, - DeletePinnedImages: false, Vulnerabilities: VulnConfig{ IgnoreUnfixed: true, Types: []string{ diff --git a/pkg/utils/utils.go b/pkg/utils/utils.go index 01a9555ca8..9ee2964b26 100644 --- a/pkg/utils/utils.go +++ b/pkg/utils/utils.go @@ -178,6 +178,10 @@ func GetNonRunningImages(runningImages map[string]string, allImages []unversione return nonRunningImages } +func IsPinned(img string, idToImageMap map[string]unversioned.Image) bool { + return idToImageMap[img].Pinned +} + func IsExcluded(excluded map[string]struct{}, img string, idToImageMap map[string]unversioned.Image) bool { if len(excluded) == 0 { return false 
@@ -417,3 +421,13 @@ func ProcessRepoDigests(repoDigests []string) ([]string, []error) { return digests, errs } + +func RemovePinnedImages(images []unversioned.Image) []unversioned.Image { + filteredImages := []unversioned.Image{} + for _, image := range images { + if !image.Pinned { + filteredImages = append(filteredImages, image) + } + } + return filteredImages +} From d2d8b549e8468efd8ac377a969f40dcfde4873d0 Mon Sep 17 00:00:00 2001 From: Fabian Gonzalez Date: Sat, 2 Dec 2023 08:39:33 -0500 Subject: [PATCH 4/4] remove Pinned config from scanner Signed-off-by: Fabian Gonzalez --- pkg/scanners/template/scanner_template.go | 1 - 1 file changed, 1 deletion(-) diff --git a/pkg/scanners/template/scanner_template.go b/pkg/scanners/template/scanner_template.go index 086a2709e2..bf005668c2 100644 --- a/pkg/scanners/template/scanner_template.go +++ b/pkg/scanners/template/scanner_template.go @@ -34,7 +34,6 @@ type config struct { log logr.Logger deleteScanFailedImages bool deleteEOLImages bool - deletePinnedImages bool reportMetrics bool }
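Review bot: `RemovePinnedImages` in pkg/utils/utils.go is exported without a doc comment, and its name reads like a deletion although it only returns a filtered copy of the slice. A comment such as `// RemovePinnedImages returns the images whose Pinned field is false; it deletes nothing and returns an empty, non-nil slice when none remain.` would help. That comment also records why the `[]unversioned.Image{}` initialisation matters: the collector passes the result to `json.Marshal`, and a nil slice would encode as `null`. `IsPinned`, added in the same file, lacks a comment as well, and no test for either helper is visible in this series.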