
feat: registry proxy/mirror rewriting support #352

matthyx merged 3 commits into main from feat/registry-proxy-mirror on Apr 20, 2026

@matthyx matthyx commented Apr 20, 2026

Summary

  • Adds proxyRegistryMap map[string]string field to Config (mapstructure key: proxyRegistryMap) so operators can declare registry mirror mappings in clusterData.json.
  • Adds proxyRegistryMap field to SyftAdapter and a rewriteImageRef helper that rewrites image pull references using simple string-prefix replacement, treating docker.io and index.docker.io as equivalent.
  • All three syft.GetSource call sites (initial pull, MANIFEST_UNKNOWN retry, 401 retry) use the rewritten pullRef; imageID/imageTag variables are untouched so SBOM annotations always record the original image reference.
  • When proxyRegistryMap is nil or empty, behaviour is identical to before.

Test plan

  • go build ./... — passes with no errors
  • go vet ./config/... ./cmd/... — clean
  • go test ./adapters/v1/ -run TestNormalizeImageID — 6/6 pass
  • Manual: set proxyRegistryMap: {"docker.io": "my-mirror.example.com"} in config and verify pulls are redirected

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features
    • Added proxy registry mapping configuration for SBOM scanning. Container image references are now automatically rewritten to route image pulls through configured proxy registries, enabling seamless integration with enterprise proxy infrastructure. Features include longest-prefix matching for flexible routing, support for multiple image reference formats, and compatibility with standard retry mechanisms.

coderabbitai Bot commented Apr 20, 2026


📥 Commits

Reviewing files that changed from the base of the PR and between 495098a and 9d6b1ba.

📒 Files selected for processing (6)
  • adapters/v1/sidecar.go
  • adapters/v1/sidecar_test.go
  • adapters/v1/syft.go
  • adapters/v1/syft_test.go
  • cmd/http/main.go
  • config/config.go
Walkthrough

This pull request introduces a proxy registry mapping feature to the SBOM adapter. The implementation adds a proxyRegistryMap configuration field that enables image references to be rewritten before SBOM generation. A new rewriteImageRef function handles the rewriting logic with support for longest-prefix matching, and the feature is propagated through adapter initialization and configuration structures.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| Core Adapter Implementation | adapters/v1/syft.go | Added proxyRegistryMap field to SyftAdapter, introduced rewriteImageRef function for deterministic prefix-based image reference rewriting, and updated CreateSBOM to apply rewriting across multiple retry paths. Supports docker.io/index.docker.io equivalence. |
| Adapter Tests | adapters/v1/syft_test.go | Updated existing test calls to pass nil proxy map to NewSyftAdapter. Added new TestRewriteImageRef with comprehensive coverage for nil/empty maps, trailing slash handling, tag/digest forms, registry equivalence, prefix preservation, and longest-prefix matching behavior. |
| Configuration and Initialization | config/config.go, cmd/http/main.go | Added ProxyRegistryMap field to Config struct. Updated SBOM adapter initialization in both in-process and sidecar fallback modes to accept the proxy map; added warning when proxy map is non-empty but sidecar mode is active (indicating feature won't apply). |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 11.11% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title 'feat: registry proxy/mirror rewriting support' accurately summarizes the main change: adding registry proxy/mirror rewriting functionality across config, adapter, and main components. |

@github-actions

Summary:

  • License scan: failure
  • Credentials scan: failure
  • Vulnerabilities scan: failure
  • Unit test: success
  • Go linting: failure

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@adapters/v1/syft.go`:
- Around line 59-85: rewriteImageRef currently special-cases only exact keys
"docker.io" and "index.docker.io", so compound keys like "docker.io/library"
won't match "index.docker.io/library/..." and the rewrite is skipped; update
rewriteImageRef to normalize both the configured key and the incoming imageRef
when performing prefix checks (e.g., map "index.docker.io" to "docker.io" or
vice‑versa) before comparing prefixes: compute normalizedOriginal
(strings.ReplaceAll(original, "index.docker.io", "docker.io")) and normalizedRef
(strings.ReplaceAll(imageRef, "index.docker.io", "docker.io")) and use those for
the strings.HasPrefix checks while still returning the properly reconstructed
proxy URL using the original proxy value (proxy :=
strings.TrimRight(proxyMap[original], "/")) so compound keys like
"docker.io/library" correctly match "index.docker.io/library/...".

📥 Commits

Reviewing files that changed from the base of the PR and between 6e0373b and 495098a.

📒 Files selected for processing (4)
  • adapters/v1/syft.go
  • adapters/v1/syft_test.go
  • cmd/http/main.go
  • config/config.go

@matthyx matthyx added the release Create release label Apr 20, 2026
matthyx and others added 3 commits April 20, 2026 10:03

Add proxyRegistryMap config field and rewriteImageRef helper so image
pulls are redirected through a registry mirror while SBOM annotations
retain the original image reference.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

- Sort proxy map keys by descending length so longest prefix always wins
  over a shorter one, making matching deterministic.
- Skip entries with an empty proxy value to prevent malformed refs.
- Strip trailing slashes from proxy values to prevent double-slash refs.
- Warn when proxyRegistryMap is set but sidecar mode is active (map has
  no effect there).
- Add TestRewriteImageRef covering all edge cases.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

Extend SidecarSBOMAdapter with proxyRegistryMap so the client-side ref
rewrite also applies in sidecar mode. pullImageID/pullImageTag are
computed after annotations are set, keeping the original refs in the
SBOM metadata. Removes the now-unnecessary warning log.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
@matthyx matthyx force-pushed the feat/registry-proxy-mirror branch from 975a256 to 9d6b1ba Compare April 20, 2026 08:08
@matthyx matthyx merged commit 9293523 into main Apr 20, 2026
11 checks passed
@matthyx matthyx deleted the feat/registry-proxy-mirror branch April 20, 2026 08:18
@matthyx matthyx moved this to To Archive in KS PRs tracking Apr 20, 2026
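
The rewriting rules described in the PR summary, the second commit message and the review comment on compound keys, as an added Go example that is not the PR's code. The names rewritePullRef and canon and the sample hosts are hypothetical; it assumes fully qualified image references, and matching only on a `/` boundary is a choice of this example rather than something the page states about rewriteImageRef.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// canon trims trailing slashes and folds index.docker.io into docker.io,
// but only when it is the registry host at the start of the string.
func canon(s string) string {
	s = strings.TrimRight(s, "/")
	if s == "index.docker.io" || strings.HasPrefix(s, "index.docker.io/") {
		return "docker.io" + strings.TrimPrefix(s, "index.docker.io")
	}
	return s
}

// rewritePullRef (hypothetical name) returns the reference to pull from.
// The caller keeps imageRef unchanged for SBOM annotations.
func rewritePullRef(imageRef string, proxyMap map[string]string) string {
	keys := make([]string, 0, len(proxyMap))
	for k := range proxyMap {
		keys = append(keys, k)
	}
	// Longest canonical key first; ties fall back to key order (deterministic).
	sort.Slice(keys, func(i, j int) bool {
		if a, b := len(canon(keys[i])), len(canon(keys[j])); a != b {
			return a > b
		}
		return keys[i] < keys[j]
	})
	ref := canon(imageRef)
	for _, k := range keys {
		key, proxy := canon(k), strings.TrimRight(proxyMap[k], "/")
		if key == "" || proxy == "" {
			continue // an empty side would produce a malformed reference
		}
		// Path-boundary match: "docker.io" must not match "docker.io.example.net".
		if strings.HasPrefix(ref, key+"/") {
			return proxy + strings.TrimPrefix(ref, key)
		}
	}
	return imageRef // no mapping applies: pull from the original location
}

func main() {
	m := map[string]string{"docker.io": "my-mirror.example.com/"} // constructed
	fmt.Println(rewritePullRef("index.docker.io/library/nginx:1.25", m))
}
```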